some kind of security implemented

2022-12-31 02:34:55 +09:00 · 2022-12-31 02:34:55 +09:00 · 9cfe9520b4
parent 0c1ca2bc0b
commit 9cfe9520b4
4 changed files with 14 additions and 4 deletions
--- a/src/accounts.cr
+++ b/src/accounts.cr
@ -1,4 +1,5 @@
 require "uri"
+require "crypto/bcrypt/password"

 include CrystalGauntlet

@ -19,13 +20,18 @@ module CrystalGauntlet::Accounts
  end

  def get_user_id(username : String, ext_id : String) : Int32
-    return 1
    DATABASE.query("select id from users where udid = ? or account_id = ?", ext_id, ext_id) do |rs|
-      if rs.column_count > 0
+      if rs.move_next
        return rs.read(Int32)
      else
        raise "no user associated with account?!"
      end
    end
  end
+
+  def verify_gjp(account_id : String, gjp : String) : Bool
+    hash = DATABASE.scalar("select password from accounts where id = ?", account_id).as(String)
+    bcrypt = Crypto::Bcrypt::Password.new(hash)
+    bcrypt.verify(GJP.decrypt(gjp))
+  end
 end
--- a/src/endpoints/levels/uploadLevel.cr
+++ b/src/endpoints/levels/uploadLevel.cr
@ -9,7 +9,7 @@ CrystalGauntlet.endpoints["/uploadGJLevel21.php"] = ->(body : String): String {
  puts params.inspect

  ext_id = Accounts.get_ext_id_from_params(params)
-  if ext_id == "-1"
+  if ext_id == "-1" || !Accounts.verify_gjp(ext_id, params["gjp"])
    return "-1"
  end
  user_id = Accounts.get_user_id(params["userName"], ext_id)
--- a/src/endpoints/users/updateUser.cr
+++ b/src/endpoints/users/updateUser.cr
@ -9,6 +9,10 @@ CrystalGauntlet.endpoints["/updateGJUserScore22.php"] = ->(body : String): Strin
  puts params.inspect

  account_id = Accounts.get_ext_id_from_params(params)
+  if !Accounts.verify_gjp(account_id, params["gjp"])
+    return "-1"
+  end
+
  user_id = Accounts.get_user_id(params["userName"], account_id)

  DATABASE.exec("update users set username=?, stars=?, demons=?, coins=?, user_coins=?, diamonds=?, icon_type=?, color1=?, color2=?, cube=?, ship=?, ball=?, ufo=?, wave=?, robot=?, spider=?, explosion=?, special=?, glow=?, last_played=? where id=?", params["userName"], params["stars"], params["demons"], params["coins"], params["userCoins"], params["diamonds"], params["iconType"], params["color1"], params["color2"], params["accIcon"], params["accShip"], params["accBall"], params["accBird"], params["accDart"], params["accRobot"], params["accSpider"], params["accExplosion"], params["special"], params["accGlow"], Time.utc.to_s("%Y-%m-%d %H:%M:%S"), user_id)
--- a/src/gjp.cr
+++ b/src/gjp.cr
@ -7,7 +7,7 @@ module CrystalGauntlet::GJP
  XOR_KEY = "37526"

  def decrypt(pass : String)
-    pwd = Base64.decode_string(pass.sub('_', '/').sub('-', '+'))
+    pwd = Base64.decode(pass.sub('_', '/').sub('-', '+'))
    decrypted = ""

    pwd.each.with_index() do |chr, index|