Auth fixes

2026-04-30 14:36:33 +02:00 · 2026-04-30 14:36:33 +02:00 · 7ca4b5ceb3
commit 7ca4b5ceb3
parent c58d3dbcdf
3 changed files with 34 additions and 11 deletions
--- a/LarpixServer/Account/Requests.cs
+++ b/LarpixServer/Account/Requests.cs
@ -30,11 +30,10 @@ public class Requests
            return;
        }

-        string body = await LoadBody(bodyReader);
        string id = await Utils.IdFromName(username);
        string password = await Utils.GetPassword(id);
-        body = await Utils.NonceDecryptBody(username, password, body);
-        string auth = await Utils.Auth(id, password, body);
+        secret = await Utils.NonceDecryptBody(username, password, secret);
+        string auth = await Utils.Auth(id, password, secret);
        if (auth != Utils.LOGIN_SUCCESS)
        {
            await context.Response.WriteAsync(auth);
@ -71,6 +70,7 @@ public class Requests
            switch (step)
            {
                case "init":
+                {
                    foreach (var kvp in createHolder) // czyszczenie nieaktywnych od 2 minut requestow
                    {
                        if (kvp.Value.date < DateTimeOffset.UtcNow.AddMinutes(-2))
@ -107,7 +107,9 @@ public class Requests

                    await context.Response.WriteAsync(serializedPayload);
                    return;
+                }
                case "register":
+                {
                    string body = await LoadBody(bodyReader);

                    KeyExchangePayloadClient serializedBody = JsonSerializer.Deserialize(
@ -149,14 +151,16 @@ public class Requests
                    await context.Response.Body.WriteAsync(captchaResult.ImageBytes, 0,
                        captchaResult.ImageBytes.Length);
                    return;
+                }
                case "finish":
-                    body = await LoadBody(bodyReader);
+                {
+                    string body = await LoadBody(bodyReader);
  
                    CaptchaPayloadClient serialized = JsonSerializer.Deserialize(
                        body,
                        AppJsonSerializerContext.Default.CaptchaPayloadClient
                    );
-                    if (!createHolder.TryGetValue(serialized.idKey, out entry))
+                    if (!createHolder.TryGetValue(serialized.idKey, out var entry))
                    {
                        await context.Response.WriteAsync("Account request expired");
                        return;
@ -262,6 +266,7 @@ public class Requests

                    await context.Response.WriteAsync("Account created");
                    return;
+                }
            }

            await next();
@ -368,7 +373,7 @@ public class Requests
        string id = await Utils.IdFromName(username);
        string body = await LoadBody(bodyReader);
        string password = await Utils.GetPassword(id);
-        string newPass = await Utils.NonceDecryptBody(username, password, body);
+        string newPass = await Utils.NonceDecryptBody(username, password, body, false);
        secret = await Utils.NonceDecryptBody(username, password, secret);

        string auth = await Utils.Auth(id, password, secret);
@ -416,7 +421,9 @@ public class Requests
        string id = await Utils.IdFromName(username);
        string body = await LoadBody(bodyReader);
        string password = await Utils.GetPassword(id);
-        body = await Utils.NonceDecryptBody(username, password, body);
+        
+        
+        body = await Utils.NonceDecryptBody(username, password, body, false);
        secret = await Utils.NonceDecryptBody(username, password, secret);

        string auth = await Utils.Auth(id, secret, password);
@ -518,7 +525,7 @@ public class Requests
        string id = await Utils.IdFromName(username);
        string body = await LoadBody(bodyReader);
        string password = await Utils.GetPassword(id);
-        body = await Utils.NonceDecryptBody(username, password, body);
+        body = await Utils.NonceDecryptBody(username, password, body, false);
        secret = await Utils.NonceDecryptBody(username, password, secret);

        Universal2String serializedBody = JsonSerializer.Deserialize(
--- a/LarpixServer/Account/Utils.cs
+++ b/LarpixServer/Account/Utils.cs
@ -136,14 +136,18 @@ public class Utils
        return LOGIN_SUCCESS;
    }
    
-    public static async Task<string> NonceDecryptBody(string username, string password, string body)
+    public static async Task<string> NonceDecryptBody(string username, string password, string body, bool delEntry = true)
    {
        if (!Requests.nonceHolder.TryGetValue(username, out (string, DateTimeOffset) nonce))
        {
            return "Invalid nonce";
        }
        string decBody = Encryption.Encryption.PacketDecPass(body, password, nonce.Item1);
-        Requests.nonceHolder.TryRemove(username, out _);
+        if (delEntry)
+        {
+            Requests.nonceHolder.TryRemove(username, out _);
+        }
+
        return decBody;
    }
    
--- a/LarpixServer/Program.cs
+++ b/LarpixServer/Program.cs
@ -44,6 +44,18 @@ public class Program
                IQueryCollection query = context.Request.Query;
                using StreamReader reader = new StreamReader(context.Request.Body);

+
+                //custom header moment
+                context.Response.Headers["Access-Control-Allow-Origin"] = "*";
+                context.Response.Headers["Access-Control-Allow-Headers"] = "*";
+                context.Response.Headers["Access-Control-Allow-Methods"] = "*";
+                if (context.Request.Method.ToUpper() == "OPTIONS")
+                {
+                    context.Response.StatusCode = 200;
+                    await context.Response.CompleteAsync();
+                    return;
+                }
+
                switch (path)
                {
                    case "/_larpix/serverinfo":