crystal-gauntlet/src/lib/accounts.cr

require "uri"
require "crypto/bcrypt/password"

include CrystalGauntlet

module CrystalGauntlet::Accounts
  extend self

  # DOESN'T VERIFY PASSWORD
  def get_account_id_from_params(params : URI::Params) : Int32 | Nil
    if params["accountID"]? && params["accountID"]? != "0"
      params["accountID"].to_i32
    else
      nil
    end
  end

  # DOESN'T VERIFY PASSWORD
  def get_ext_id_from_params(params : URI::Params) : Int32 | Nil
    if params.has_key?("udid") && !params["udid"].blank?
      params["udid"].to_i32?
    else
      get_account_id_from_params(params)
    end
  end

  # todo: clean this periodically
  AUTH_CACHE = Hash(Tuple(String | Nil, String | Nil, String | Nil), Tuple(Int32, Int32) | Tuple(Nil, Nil)).new
  SESSIONS = Hash(Tuple(String | Nil, String | Nil), Tuple(Int32, Int32, Int64)).new

  # returns userid, accountid
  def auth(params : URI::Params) : (Tuple(Int32, Int32) | Tuple(Nil, Nil))
    gjp = params["gjp"]?
    udid = params["udid"]?
    account_id = params["accountID"]?

    if AUTH_CACHE[{gjp, udid, account_id}]?
      LOG.debug {"#{account_id || udid || "???"}: gjp cache hit"}
      return AUTH_CACHE[{gjp, udid, account_id}]
    end
    LOG.debug {"#{account_id || udid || "???"}: gjp cache miss"}

    ext_id = Accounts.get_account_id_from_params(params)
    if !ext_id || !Accounts.verify_gjp(ext_id.to_i, gjp || "")
      return nil, nil
    end
    user_id = Accounts.get_user_id(ext_id)
    if !user_id
      return nil, nil
    end

    AUTH_CACHE[{gjp, udid, account_id}] = {user_id, ext_id.to_i}
    return user_id, ext_id.to_i
  end

  def auth_old(req : HTTP::Request, params : URI::Params) : (Tuple(Int32, Int32) | Tuple(Nil, Nil))
    account_id = params["accountID"]
    ip = IPs.get_real_ip(req)

    if SESSIONS.has_key?({account_id, ip})
      LOG.debug {"#{account_id || "???"}: session exists"}
      user_id, ext_id, expiry_time = SESSIONS[{account_id, ip}]
      if Time.utc.to_unix > expiry_time
        LOG.debug {"#{account_id || "???"}: session expired"}
        SESSIONS.delete({account_id, ip})
        return nil, nil
      else
        LOG.debug {"#{account_id || "???"}: session valid"}
        return user_id, ext_id
      end
    end
    
    LOG.debug {"#{account_id || "???"}: session does not exist"}
    return nil, nil
  end

  def new_session(req : HTTP::Request, username : String, password : String) : Bool
    if !config_get("sessions.allow").as(Bool | Nil)
      return false
    end

    ip = IPs.get_real_ip(req)
    result = DATABASE.query_all("select id, password from accounts where username = ?", username, as: {Int32, String})
    if result.size > 0
      account_id, hash = result[0]
      bcrypt = Crypto::Bcrypt::Password.new(hash)

      if bcrypt.verify(password)
        user_id = Accounts.get_user_id(account_id)
        expiry_time = Time.utc.to_unix + (config_get("sessions.expiry_time").as(Int64 | Nil) || 604800)
        SESSIONS[{account_id.to_s, ip}] = { user_id, account_id, expiry_time }
        return true
      else
        return false
      end
    else
      return false
    end
  end

  def get_user_id(ext_id : Int32) : Int32
    DATABASE.query("select id from users where udid = ? or account_id = ?", ext_id, ext_id) do |rs|
      if rs.move_next
        return rs.read(Int32)
      else
        raise "no user associated with account?!"
      end
    end
  end

  def verify_gjp(account_id : Int32, gjp : String) : Bool
    if gjp.blank?
      return false
    end
    hash = DATABASE.scalar("select password from accounts where id = ?", account_id).as(String)
    bcrypt = Crypto::Bcrypt::Password.new(hash)
    bcrypt.verify(GJP.decrypt(gjp))
  end

  def is_blocked_by(account_id : Int32, by : Int32)
    DATABASE.scalar("select count(*) from block_links where (from_account_id = ? and to_account_id = ?)", by, account_id).as(Int64) > 0
  end

  def are_friends(account_id_1 : Int32, account_id_2 : Int32)
    DATABASE.scalar("select count(*) from friend_links where (account_id_1 = ? and account_id_2 = ?) or (account_id_2 = ? and account_id_1 = ?)", account_id_1, account_id_2, account_id_1, account_id_2).as(Int64) > 0
  end
end
some minor refactoring 2022-12-30 17:04:27 +01:00			`require "uri"`
some kind of security implemented 2022-12-30 18:34:55 +01:00			`require "crypto/bcrypt/password"`
some minor refactoring 2022-12-30 17:04:27 +01:00
			`include CrystalGauntlet`

			`module CrystalGauntlet::Accounts`
			`extend self`

cache gjp checks for performance; switch everything to Accounts.auth 2023-01-02 17:07:33 +01:00			`# DOESN'T VERIFY PASSWORD`
lightly fucked level scores 2022-12-31 07:28:06 +01:00			`def get_account_id_from_params(params : URI::Params) : Int32 \| Nil`
			`if params["accountID"]? && params["accountID"]? != "0"`
			`params["accountID"].to_i32`
			`else`
			`nil`
			`end`
			`end`

cache gjp checks for performance; switch everything to Accounts.auth 2023-01-02 17:07:33 +01:00			`# DOESN'T VERIFY PASSWORD`
slightly tweak account lib stuff 2022-12-31 18:12:22 +01:00			`def get_ext_id_from_params(params : URI::Params) : Int32 \| Nil`
replace == "" with .blank? 2023-01-04 13:05:27 +01:00			`if params.has_key?("udid") && !params["udid"].blank?`
slightly tweak account lib stuff 2022-12-31 18:12:22 +01:00			`params["udid"].to_i32?`
some minor refactoring 2022-12-30 17:04:27 +01:00			`else`
slightly tweak account lib stuff 2022-12-31 18:12:22 +01:00			`get_account_id_from_params(params)`
some minor refactoring 2022-12-30 17:04:27 +01:00			`end`
			`end`

cache gjp checks for performance; switch everything to Accounts.auth 2023-01-02 17:07:33 +01:00			`# todo: clean this periodically`
			`AUTH_CACHE = Hash(Tuple(String \| Nil, String \| Nil, String \| Nil), Tuple(Int32, Int32) \| Tuple(Nil, Nil)).new`
better 1.9 support 2023-01-08 08:10:27 +01:00			`SESSIONS = Hash(Tuple(String \| Nil, String \| Nil), Tuple(Int32, Int32, Int64)).new`
cache gjp checks for performance; switch everything to Accounts.auth 2023-01-02 17:07:33 +01:00
implement level deletion 2022-12-31 17:59:43 +01:00			`# returns userid, accountid`
			`def auth(params : URI::Params) : (Tuple(Int32, Int32) \| Tuple(Nil, Nil))`
cache gjp checks for performance; switch everything to Accounts.auth 2023-01-02 17:07:33 +01:00			`gjp = params["gjp"]?`
			`udid = params["udid"]?`
add level parsing for intensive upload checks, remove GDBase64 2023-01-03 11:38:23 +01:00			`account_id = params["accountID"]?`
cache gjp checks for performance; switch everything to Accounts.auth 2023-01-02 17:07:33 +01:00
oops i uh . 2023-01-03 18:05:38 +01:00			`if AUTH_CACHE[{gjp, udid, account_id}]?`
cache gjp checks for performance; switch everything to Accounts.auth 2023-01-02 17:07:33 +01:00			`LOG.debug {"#{account_id \|\| udid \|\| "???"}: gjp cache hit"}`
oops i uh . 2023-01-03 18:05:38 +01:00			`return AUTH_CACHE[{gjp, udid, account_id}]`
cache gjp checks for performance; switch everything to Accounts.auth 2023-01-02 17:07:33 +01:00			`end`
			`LOG.debug {"#{account_id \|\| udid \|\| "???"}: gjp cache miss"}`

chests 2023-01-05 10:08:36 +01:00			`ext_id = Accounts.get_account_id_from_params(params)`
oops i uh . 2023-01-03 18:05:38 +01:00			`if !ext_id \|\| !Accounts.verify_gjp(ext_id.to_i, gjp \|\| "")`
implement level deletion 2022-12-31 17:59:43 +01:00			`return nil, nil`
			`end`
			`user_id = Accounts.get_user_id(ext_id)`
			`if !user_id`
			`return nil, nil`
			`end`

oops i uh . 2023-01-03 18:05:38 +01:00			`AUTH_CACHE[{gjp, udid, account_id}] = {user_id, ext_id.to_i}`
implement level deletion 2022-12-31 17:59:43 +01:00			`return user_id, ext_id.to_i`
			`end`

better 1.9 support 2023-01-08 08:10:27 +01:00			`def auth_old(req : HTTP::Request, params : URI::Params) : (Tuple(Int32, Int32) \| Tuple(Nil, Nil))`
			`account_id = params["accountID"]`
			`ip = IPs.get_real_ip(req)`

			`if SESSIONS.has_key?({account_id, ip})`
			`LOG.debug {"#{account_id \|\| "???"}: session exists"}`
			`user_id, ext_id, expiry_time = SESSIONS[{account_id, ip}]`
			`if Time.utc.to_unix > expiry_time`
			`LOG.debug {"#{account_id \|\| "???"}: session expired"}`
			`SESSIONS.delete({account_id, ip})`
			`return nil, nil`
			`else`
			`LOG.debug {"#{account_id \|\| "???"}: session valid"}`
			`return user_id, ext_id`
			`end`
			`end`

			`LOG.debug {"#{account_id \|\| "???"}: session does not exist"}`
			`return nil, nil`
			`end`

			`def new_session(req : HTTP::Request, username : String, password : String) : Bool`
			`if !config_get("sessions.allow").as(Bool \| Nil)`
			`return false`
			`end`

			`ip = IPs.get_real_ip(req)`
			`result = DATABASE.query_all("select id, password from accounts where username = ?", username, as: {Int32, String})`
			`if result.size > 0`
			`account_id, hash = result[0]`
			`bcrypt = Crypto::Bcrypt::Password.new(hash)`

			`if bcrypt.verify(password)`
			`user_id = Accounts.get_user_id(account_id)`
			`expiry_time = Time.utc.to_unix + (config_get("sessions.expiry_time").as(Int64 \| Nil) \|\| 604800)`
			`SESSIONS[{account_id.to_s, ip}] = { user_id, account_id, expiry_time }`
			`return true`
			`else`
			`return false`
			`end`
			`else`
			`return false`
			`end`
			`end`

slightly tweak account lib stuff 2022-12-31 18:12:22 +01:00			`def get_user_id(ext_id : Int32) : Int32`
some minor refactoring 2022-12-30 17:04:27 +01:00			`DATABASE.query("select id from users where udid = ? or account_id = ?", ext_id, ext_id) do \|rs\|`
some kind of security implemented 2022-12-30 18:34:55 +01:00			`if rs.move_next`
some minor refactoring 2022-12-30 17:04:27 +01:00			`return rs.read(Int32)`
			`else`
			`raise "no user associated with account?!"`
			`end`
			`end`
			`end`
some kind of security implemented 2022-12-30 18:34:55 +01:00
lightly fucked level scores 2022-12-31 07:28:06 +01:00			`def verify_gjp(account_id : Int32, gjp : String) : Bool`
replace == "" with .blank? 2023-01-04 13:05:27 +01:00			`if gjp.blank?`
cache gjp checks for performance; switch everything to Accounts.auth 2023-01-02 17:07:33 +01:00			`return false`
			`end`
some kind of security implemented 2022-12-30 18:34:55 +01:00			`hash = DATABASE.scalar("select password from accounts where id = ?", account_id).as(String)`
			`bcrypt = Crypto::Bcrypt::Password.new(hash)`
			`bcrypt.verify(GJP.decrypt(gjp))`
			`end`
properly implement message/comment disabled 2023-01-06 09:51:11 +01:00
blocks 2023-01-06 15:58:34 +01:00			`def is_blocked_by(account_id : Int32, by : Int32)`
			`DATABASE.scalar("select count(*) from block_links where (from_account_id = ? and to_account_id = ?)", by, account_id).as(Int64) > 0`
			`end`

properly implement message/comment disabled 2023-01-06 09:51:11 +01:00			`def are_friends(account_id_1 : Int32, account_id_2 : Int32)`
			`DATABASE.scalar("select count(*) from friend_links where (account_id_1 = ? and account_id_2 = ?) or (account_id_2 = ? and account_id_1 = ?)", account_id_1, account_id_2, account_id_1, account_id_2).as(Int64) > 0`
			`end`
some minor refactoring 2022-12-30 17:04:27 +01:00			`end`