From 7ca4b5ceb35436b24085d2b19b817c898a1f6433 Mon Sep 17 00:00:00 2001
From: olcxja
Date: Thu, 30 Apr 2026 14:36:33 +0200
Subject: [PATCH] Auth fixes

---
 LarpixServer/Account/Requests.cs | 25 ++++++++++++++++---------
 LarpixServer/Account/Utils.cs | 8 ++++++--
 LarpixServer/Program.cs | 12 ++++++++++++
 3 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/LarpixServer/Account/Requests.cs b/LarpixServer/Account/Requests.cs
index a68f3de..b707132 100644
--- a/LarpixServer/Account/Requests.cs
+++ b/LarpixServer/Account/Requests.cs
@@ -30,11 +30,10 @@ public class Requests
             return;
         }
-        string body = await LoadBody(bodyReader);
         string id = await Utils.IdFromName(username);
         string password = await Utils.GetPassword(id);
-        body = await Utils.NonceDecryptBody(username, password, body);
-        string auth = await Utils.Auth(id, password, body);
+        secret = await Utils.NonceDecryptBody(username, password, secret);
+        string auth = await Utils.Auth(id, password, secret);
         if (auth != Utils.LOGIN_SUCCESS)
         {
             await context.Response.WriteAsync(auth);
@@ -71,6 +70,7 @@ public class Requests
         switch (step)
         {
             case "init":
+            {
                 foreach (var kvp in createHolder) // czyszczenie nieaktywnych od 2 minut requestow
                 {
                     if (kvp.Value.date < DateTimeOffset.UtcNow.AddMinutes(-2))
@@ -107,7 +107,9 @@ public class Requests
                 await context.Response.WriteAsync(serializedPayload);
                 return;
+            }
             case "register":
+            {
                 string body = await LoadBody(bodyReader);
                 KeyExchangePayloadClient serializedBody = JsonSerializer.Deserialize(
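Review bot: The new line `secret = await Utils.NonceDecryptBody(username, password, secret);` feeds its result straight into `Utils.Auth` without checking it, and per the Utils.cs hunk in this same patch that result is the literal string "Invalid nonce" when no nonce is registered for `username`, so a missing or expired nonce is indistinguishable from a wrong secret and still costs a full `Auth` round. A short guard between the two lines keeps the failure modes apart, e.g. `if (secret == "Invalid nonce") { await context.Response.WriteAsync(secret); return; }`; a `TryNonceDecryptBody` returning `bool` with an `out` plaintext would remove the string sentinel altogether. The same unchecked pattern is repeated in the -368, -416 and -518 hunks. The enclosing handler starts and ends outside this hunk, so where `secret` is read from is not visible here.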
@@ -149,14 +151,16 @@ public class Requests
                 await context.Response.Body.WriteAsync(captchaResult.ImageBytes, 0, captchaResult.ImageBytes.Length);
                 return;
+            }
             case "finish":
-                body = await LoadBody(bodyReader);
-
+            {
+                string body = await LoadBody(bodyReader);
+
                 CaptchaPayloadClient serialized = JsonSerializer.Deserialize(
                     body,
                     AppJsonSerializerContext.Default.CaptchaPayloadClient
                 );
-                if (!createHolder.TryGetValue(serialized.idKey, out entry))
+                if (!createHolder.TryGetValue(serialized.idKey, out var entry))
                 {
                     await context.Response.WriteAsync("Account request expired");
                     return;
@@ -262,6 +266,7 @@ public class Requests
                 await context.Response.WriteAsync("Account created");
                 return;
+            }
         }
         await next();
@@ -368,7 +373,7 @@ public class Requests
         string id = await Utils.IdFromName(username);
         string body = await LoadBody(bodyReader);
         string password = await Utils.GetPassword(id);
-        string newPass = await Utils.NonceDecryptBody(username, password, body);
+        string newPass = await Utils.NonceDecryptBody(username, password, body, false);
         secret = await Utils.NonceDecryptBody(username, password, secret);
         string auth = await Utils.Auth(id, password, secret);
@@ -416,7 +421,9 @@ public class Requests
         string id = await Utils.IdFromName(username);
         string body = await LoadBody(bodyReader);
         string password = await Utils.GetPassword(id);
-        body = await Utils.NonceDecryptBody(username, password, body);
+
+
+        body = await Utils.NonceDecryptBody(username, password, body, false);
         secret = await Utils.NonceDecryptBody(username, password, secret);
         string auth = await Utils.Auth(id, secret, password);
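Review bot: In the -416 hunk the call right after the changed line reads `string auth = await Utils.Auth(id, secret, password);`, while the -30 and -368 hunks in this same patch call `Utils.Auth(id, password, secret)`; unless `Auth` treats its last two arguments symmetrically (its signature is not visible here), one of the two orders is wrong and this handler either never authenticates or checks the wrong value. Worth confirming against `Utils.Auth` and aligning all three call sites, e.g. `string auth = await Utils.Auth(id, password, secret);`. The two added blank lines above `body = await Utils.NonceDecryptBody(username, password, body, false);` look accidental and are the only whitespace-only addition in the patch. The enclosing handler starts and ends outside the hunk.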
@@ -518,7 +525,7 @@ public class Requests
         string id = await Utils.IdFromName(username);
         string body = await LoadBody(bodyReader);
         string password = await Utils.GetPassword(id);
-        body = await Utils.NonceDecryptBody(username, password, body);
+        body = await Utils.NonceDecryptBody(username, password, body, false);
         secret = await Utils.NonceDecryptBody(username, password, secret);
         Universal2String serializedBody = JsonSerializer.Deserialize(
diff --git a/LarpixServer/Account/Utils.cs b/LarpixServer/Account/Utils.cs
index 7436325..dcdbb6b 100644
--- a/LarpixServer/Account/Utils.cs
+++ b/LarpixServer/Account/Utils.cs
@@ -136,14 +136,18 @@ public class Utils
         return LOGIN_SUCCESS;
     }
-    public static async Task NonceDecryptBody(string username, string password, string body)
+    public static async Task NonceDecryptBody(string username, string password, string body, bool delEntry = true)
     {
         if (!Requests.nonceHolder.TryGetValue(username, out (string, DateTimeOffset) nonce))
         {
             return "Invalid nonce";
         }
         string decBody = Encryption.Encryption.PacketDecPass(body, password, nonce.Item1);
-        Requests.nonceHolder.TryRemove(username, out _);
+        if (delEntry)
+        {
+            Requests.nonceHolder.TryRemove(username, out _);
+        }
+
         return decBody;
     }
diff --git a/LarpixServer/Program.cs b/LarpixServer/Program.cs
index 378c54d..7bc9d38 100644
--- a/LarpixServer/Program.cs
+++ b/LarpixServer/Program.cs
@@ -44,6 +44,18 @@ public class Program
         IQueryCollection query = context.Request.Query;
         using StreamReader reader = new StreamReader(context.Request.Body);
+
+        //custom header moment
+        context.Response.Headers["Access-Control-Allow-Origin"] = "*";
+        context.Response.Headers["Access-Control-Allow-Headers"] = "*";
+        context.Response.Headers["Access-Control-Allow-Methods"] = "*";
+        if (context.Request.Method.ToUpper() == "OPTIONS")
+        {
+            context.Response.StatusCode = 200;
+            await context.Response.CompleteAsync();
+            return;
+        }
+
         switch (path)
         {
             case "/_larpix/serverinfo":
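Review bot: With `delEntry == false` the nonce stays in `Requests.nonceHolder` after a successful decrypt and is only consumed by the caller's follow-up call; if `PacketDecPass` throws on that first call, or a caller returns between the two calls, nothing removes the entry, so the nonce remains usable until whatever eviction `nonceHolder` has elsewhere runs (that eviction is not visible here), which weakens the one-shot property the holder exists for. Consuming the entry on the failure path keeps that property regardless of the flag; the rewritten decrypt section is below. The method carries no XML doc, and a `<param name="delEntry">` line stating that `false` defers removal to a follow-up call which the caller must make on every path would keep the contract visible. Separately, `body` and `secret` are now both decrypted under the same nonce, so it is worth confirming that the construction behind `PacketDecPass` tolerates two ciphertexts per nonce — for AES-GCM or any counter-mode scheme, two distinct messages under one key/nonce pair break confidentiality.
```csharp
string decBody;
try
{
    decBody = Encryption.Encryption.PacketDecPass(body, password, nonce.Item1);
}
catch
{
    // A failed decrypt must still consume the nonce; otherwise the entry
    // stays usable until it is evicted by other means.
    Requests.nonceHolder.TryRemove(username, out _);
    throw;
}
// … unchanged: TryRemove when delEntry is set, return decBody …
```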
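Review bot: The three `Access-Control-Allow-*` wildcards are written on every response and any OPTIONS request is answered 200 before `switch (path)` runs, so the CORS policy is global and unconditional and preflights succeed even for paths the switch does not serve; an explicit origin allowlist through ASP.NET Core's CORS middleware (`builder.Services.AddCors(...)` plus `app.UseCors(...)`) keeps the policy in one place and lets the framework answer preflights only for real routes. Note that a wildcard origin makes browsers omit credentials, so this only works because the client sends the secret itself (as the Requests.cs hunks suggest), and with `*` any web origin that holds a secret can drive the API. `context.Request.Method.ToUpper() == "OPTIONS"` is a culture-sensitive comparison; `HttpMethods.IsOptions(context.Request.Method)` — or `string.Equals(context.Request.Method, "OPTIONS", StringComparison.OrdinalIgnoreCase)` — is the idiomatic form, and `StatusCodes.Status204NoContent` is the conventional preflight status. The enclosing request delegate starts and ends outside the hunk.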