# HG changeset patch # User Dan # Date 1191806916 14400 # Node ID 36b287f1d85cae005fa08208f71f09cf0820e7a1 # Parent 4c19952406db0dec093ce789686d41751fc5cd2c [F] Added support for account lockouts. User is locked out or required to complete a CAPTCHA after specified threshold for specified period. diff -r 4c19952406db -r 36b287f1d85c includes/clientside/static/ajax.js --- a/includes/clientside/static/ajax.js Sun Oct 07 17:28:47 2007 -0400 +++ b/includes/clientside/static/ajax.js Sun Oct 07 21:28:36 2007 -0400 @@ -1184,3 +1184,33 @@ new messagebox(MB_OK|MB_ICONINFORMATION, 'About the keep-alive feature', 'Keep-alive is a new Enano feature that keeps your administrative session from timing out while you are using the administration panel. This feature can be useful if you are editing a large page or doing something in the administration interface that will take longer than 15 minutes.

For security reasons, Enano mandates that high-privilege logins last only 15 minutes, with the time being reset each time a page is loaded (or, more specifically, each time the session API is started). The consequence of this is that if you are performing an action in the administration panel that takes more than 15 minutes, your session may be terminated. The keep-alive feature attempts to relieve this by sending a "ping" to the server every 10 minutes.

Please note that keep-alive state is determined by a cookie. Thus, if you log out and then back in as a different administrator, keep-alive will use the same setting that was used when you were logged in as the first administrative user. In the same way, if you log into the administration panel under your account from another computer, keep-alive will be set to "off".

For more information:
Overview of Enano'+"'"+'s security model'); } +function ajaxShowCaptcha(code) +{ + var mydiv = document.createElement('div'); + mydiv.style.backgroundColor = '#FFFFFF'; + mydiv.style.padding = '10px'; + mydiv.style.position = 'absolute'; + mydiv.style.top = '0px'; + mydiv.id = 'autoCaptcha'; + var img = document.createElement('img'); + img.onload = function() + { + if ( this.loaded ) + return true; + var mydiv = document.getElementById('autoCaptcha'); + var width = getWidth(); + var divw = $(mydiv).Width(); + var left = ( width / 2 ) - ( divw / 2 ); + mydiv.style.left = left + 'px'; + fly_in_top(mydiv, false, true); + this.loaded = true; + }; + img.src = makeUrlNS('Special', 'Captcha/' + code); + img.onclick = function() { this.src = this.src + '/a'; }; + img.style.cursor = 'pointer'; + mydiv.appendChild(img); + domObjChangeOpac(0, mydiv); + var body = document.getElementsByTagName('body')[0]; + body.appendChild(mydiv); +} + diff -r 4c19952406db -r 36b287f1d85c includes/clientside/static/misc.js --- a/includes/clientside/static/misc.js Sun Oct 07 17:28:47 2007 -0400 +++ b/includes/clientside/static/misc.js Sun Oct 07 21:28:36 2007 -0400 @@ -302,6 +302,52 @@ var ajax_auth_mb_cache = false; var ajax_auth_level_cache = false; var ajax_auth_error_string = false; +var ajax_auth_show_captcha = false; + +function ajaxAuthErrorToString($data) +{ + var $errstring = $data.error; + // this was literally copied straight from the PHP code. + switch($data.error) + { + case 'key_not_found': + $errstring = 'Enano couldn\'t look up the encryption key used to encrypt your password. This most often happens if a cache rotation occurred during your login attempt, or if you refreshed the login page.'; + break; + case 'key_wrong_length': + $errstring = 'The encryption key was the wrong length.'; + break; + case 'too_big_for_britches': + $errstring = 'You are trying to authenticate at a level that your user account does not permit.'; + break; + case 'invalid_credentials': + $errstring = 'You have entered an invalid username or password. Please enter your login details again.'; + if ( $data.lockout_policy == 'lockout' ) + { + $errstring += ' You have used up '+$data['lockout_fails']+' out of '+$data['lockout_threshold']+' login attempts. After you have used up all '+$data['lockout_threshold']+' login attempts, you will be locked out from logging in for '+$data['lockout_duration']+' minutes.'; + } + else if ( $data.lockout_policy == 'captcha' ) + { + $errstring += ' You have used up '+$data['lockout_fails']+' out of '+$data['lockout_threshold']+' login attempts. After you have used up all '+$data['lockout_threshold']+' login attempts, you will have to enter a visual confirmation code before logging in, effective for '+$data['lockout_duration']+' minutes.'; + } + break; + case 'backend_fail': + $errstring = 'You entered the right credentials and everything was validated, but for some reason Enano couldn\'t register your session. This is an internal problem with the site and you are encouraged to contact site administration.'; + break; + case 'locked_out': + $attempts = parseInt($data['lockout_fails']); + if ( $attempts > $data['lockout_threshold']) + $attempts = $data['lockout_threshold']; + window.console.debug('server time ', $data.server_time, ', last time ', $data['lockout_last_time'], ', duration ', $data['lockout_duration']); + $time_rem = $data.lockout_duration - Math.round( ( $data.server_time - $data.lockout_last_time ) / 60 ); + $s = ( $time_rem == 1 ) ? '' : 's'; + $errstring = "You have used up all "+$data['lockout_threshold']+" allowed login attempts. Please wait "+$time_rem+" minute"+$s+" before attempting to log in again"; + if ( $data['lockout_policy'] == 'captcha' ) + $errstring += ', or enter the visual confirmation code shown above in the appropriate box'; + $errstring += '.'; + break; + } + return $errstring; +} function ajaxPromptAdminAuth(call_on_ok, level) { @@ -320,6 +366,17 @@ var title = ( level > USER_LEVEL_MEMBER ) ? 'You are requesting a sensitive operation.' : 'Please enter your username and password to continue.'; ajax_auth_mb_cache = new messagebox(MB_OKCANCEL|MB_ICONLOCK, title, loading_win); ajax_auth_mb_cache.onbeforeclick['OK'] = ajaxValidateLogin; + ajax_auth_mb_cache.onbeforeclick['Cancel'] = function() + { + if ( document.getElementById('autoCaptcha') ) + { + var to = fly_out_top(document.getElementById('autoCaptcha'), false, true); + setTimeout(function() { + var d = document.getElementById('autoCaptcha'); + d.parentNode.removeChild(d); + }, to); + } + } ajaxAuthLoginInnerSetup(); } @@ -335,6 +392,20 @@ return false; } response = parseJSON(response); + var disable_controls = false; + if ( response.locked_out && !ajax_auth_error_string ) + { + response.error = 'locked_out'; + ajax_auth_error_string = ajaxAuthErrorToString(response); + if ( response.lockout_policy == 'captcha' ) + { + ajax_auth_show_captcha = response.captcha; + } + else + { + disable_controls = true; + } + } var level = ajax_auth_level_cache; var form_html = ''; var shown_error = false; @@ -348,14 +419,28 @@ { form_html += 'Please re-enter your login details, to verify your identity.

'; } + if ( ajax_auth_show_captcha ) + { + var captcha_html = ' \ + \ + Code in image: \ + \ + '; + } + else + { + var captcha_html = ''; + } + var disableme = ( disable_controls ) ? 'disabled="disabled" ' : ''; form_html += ' \ \ \ - \ \ - \ + ' + captcha_html + ' \ \ + + + + + + + + + + + + + + + + + + + + + + + @@ -2685,7 +2732,7 @@ } else { - echo '
Please wait while the administration panel loads. You need to be using a recent browser with AJAX support in order to use Runt.
'; + echo ''; } ?> diff -r 4c19952406db -r 36b287f1d85c plugins/SpecialUserFuncs.php --- a/plugins/SpecialUserFuncs.php Sun Oct 07 17:28:47 2007 -0400 +++ b/plugins/SpecialUserFuncs.php Sun Oct 07 21:28:36 2007 -0400 @@ -104,14 +104,60 @@ $pubkey = $session->rijndael_genkey(); $challenge = $session->dss_rand(); + $locked_out = false; + // are we locked out? + $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5; + $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15; + // convert to minutes + $duration = $duration * 60; + $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout'; + if ( $policy != 'disable' ) + { + $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); + $timestamp_cutoff = time() - $duration; + $q = $session->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;'); + $fails = $db->numrows(); + if ( $fails >= $threshold ) + { + $row = $db->fetchrow(); + $locked_out = true; + $lockdata = array( + 'locked_out' => true, + 'lockout_threshold' => $threshold, + 'lockout_duration' => ( $duration / 60 ), + 'lockout_fails' => $fails, + 'lockout_policy' => $policy, + 'lockout_last_time' => $row['timestamp'], + 'server_time' => time(), + 'captcha' => '' + ); + if ( $policy == 'captcha' ) + { + $lockdata['captcha'] = $session->make_captcha(); + } + } + $db->free_result(); + } + if ( isset($_GET['act']) && $_GET['act'] == 'getkey' ) { $username = ( $session->user_logged_in ) ? $session->username : false; $response = Array( 'username' => $username, 'key' => $pubkey, - 'challenge' => $challenge + 'challenge' => $challenge, + 'locked_out' => false ); + + if ( $locked_out ) + { + foreach ( $lockdata as $x => $y ) + { + $response[$x] = $y; + } + unset($x, $y); + } + $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); $response = $json->encode($response); echo $response; @@ -138,7 +184,46 @@ $header = ( $level > USER_LEVEL_MEMBER ) ? 'Please re-enter your login details' : 'Please enter your username and password to log in.'; if ( isset($_POST['login']) ) { - echo '

'.$__login_status.'

'; + $errstring = $__login_status['error']; + switch($__login_status['error']) + { + case 'key_not_found': + $errstring = 'Enano couldn\'t look up the encryption key used to encrypt your password. This most often happens if a cache rotation occurred during your login attempt, or if you refreshed the login page.'; + break; + case 'key_wrong_length': + $errstring = 'The encryption key was the wrong length.'; + break; + case 'too_big_for_britches': + $errstring = 'You are trying to authenticate at a level that your user account does not permit.'; + break; + case 'invalid_credentials': + $errstring = 'You have entered an invalid username or password. Please enter your login details again.'; + if ( $__login_status['lockout_policy'] == 'lockout' ) + { + $errstring .= ' You have used up '.$__login_status['lockout_fails'].' out of '.$__login_status['lockout_threshold'].' login attempts. After you have used up all '.$data['lockout_threshold'].' login attempts, you will be locked out from logging in for '.$__login_status['lockout_duration'].' minutes.'; + } + else if ( $__login_status['lockout_policy'] == 'captcha' ) + { + $errstring .= ' You have used up '.$__login_status['lockout_fails'].' out of '.$__login_status['lockout_threshold'].' login attempts. After you have used up all '.$data['lockout_threshold'].' login attempts, you will have to enter a visual confirmation code before logging in, effective for '.$__login_status['lockout_duration'].' minutes.'; + } + break; + case 'backend_fail': + $errstring = 'You entered the right credentials and everything was validated, but for some reason Enano couldn\'t register your session. This is an internal problem with the site and you are encouraged to contact site administration.'; + break; + case 'locked_out': + $attempts = intval($__login_status['lockout_fails']); + if ( $attempts > $__login_status['lockout_threshold']) + $attempts = $__login_status['lockout_threshold']; + $time_rem = ( $__login_status['lockout_last_time'] % ( $__login_status['lockout_duration'] * 60 ) ); + $time_rem = $__login_status['lockout_duration'] - round($time_rem / 60); + $s = ( $time_rem == 1 ) ? '' : 's'; + $errstring = "You have used up all {$__login_status['lockout_threshold']} allowed login attempts. Please wait {$time_rem} minute$s before attempting to log in again"; + if ( $__login_status['lockout_policy'] == 'captcha' ) + $errstring .= ', or enter the visual confirmation code shown above in the appropriate box'; + $errstring .= '.'; + break; + } + echo '
'.$errstring.'
'; } if ( $p = $paths->getAllParams() ) { @@ -189,7 +274,7 @@ ?> /> - @@ -198,6 +283,21 @@ + + + + + + + +
Username: \ + Username: \
Password: \ + Password: \
\
Trouble logging in? Try the full login form.
'; @@ -383,8 +468,21 @@ { $('ajaxlogin_user').object.focus(); } - $('ajaxlogin_pass').object.onblur = function(e) { if ( !shift ) $('messageBox').object.nextSibling.firstChild.focus(); }; - $('ajaxlogin_pass').object.onkeypress = function(e) { if ( !e && IE ) return true; if ( e.keyCode == 13 ) $('messageBox').object.nextSibling.firstChild.click(); }; + if ( ajax_auth_show_captcha ) + { + $('ajaxlogin_captcha_code').object.onblur = function(e) { if ( !shift ) $('messageBox').object.nextSibling.firstChild.focus(); }; + $('ajaxlogin_captcha_code').object.onkeypress = function(e) { if ( !e && IE ) return true; if ( e.keyCode == 13 ) $('messageBox').object.nextSibling.firstChild.click(); }; + } + else + { + $('ajaxlogin_pass').object.onblur = function(e) { if ( !shift ) $('messageBox').object.nextSibling.firstChild.focus(); }; + $('ajaxlogin_pass').object.onkeypress = function(e) { if ( !e && IE ) return true; if ( e.keyCode == 13 ) $('messageBox').object.nextSibling.firstChild.click(); }; + } + if ( disable_controls ) + { + var panel = document.getElementById('messageBoxButtons'); + panel.firstChild.disabled = true; + } /* ## This causes the background image to disappear under Fx 2 if ( shown_error ) @@ -398,6 +496,11 @@ fader.start(); } */ + if ( ajax_auth_show_captcha ) + { + ajaxShowCaptcha(ajax_auth_show_captcha); + ajax_auth_show_captcha = false; + } } }); } @@ -412,6 +515,15 @@ password = document.getElementById('ajaxlogin_pass').value; auth_enabled = false; + if ( document.getElementById('autoCaptcha') ) + { + var to = fly_out_top(document.getElementById('autoCaptcha'), false, true); + setTimeout(function() { + var d = document.getElementById('autoCaptcha'); + d.parentNode.removeChild(d); + }, to); + } + disableJSONExts(); // @@ -467,6 +579,12 @@ 'level' : ajax_auth_level_cache }; + if ( document.getElementById('ajaxlogin_captcha_hash') ) + { + json_data.captcha_hash = document.getElementById('ajaxlogin_captcha_hash').value; + json_data.captcha_code = document.getElementById('ajaxlogin_captcha_code').value; + } + json_data = toJSONString(json_data); json_data = encodeURIComponent(json_data); @@ -509,18 +627,23 @@ } break; case 'error': - if ( response.error == 'The username and/or password is incorrect.' ) + if ( response.data.error == 'invalid_credentials' || response.data.error == 'locked_out' ) { - ajax_auth_error_string = response.error; + ajax_auth_error_string = ajaxAuthErrorToString(response.data); mb_current_obj.updateContent(''); document.getElementById('messageBox').style.backgroundColor = '#C0C0C0'; var mb_parent = document.getElementById('messageBox').parentNode; new Spry.Effect.Shake(mb_parent, {duration: 1500}).start(); setTimeout("document.getElementById('messageBox').style.backgroundColor = '#FFF'; ajaxAuthLoginInnerSetup();", 2500); + + if ( response.data.lockout_policy == 'captcha' && response.data.error == 'locked_out' ) + { + ajax_auth_show_captcha = response.captcha; + } } else { - alert(response.error); + ajax_auth_error_string = ajaxAuthErrorToString(response.data); ajaxAuthLoginInnerSetup(); } break; diff -r 4c19952406db -r 36b287f1d85c includes/sessions.php --- a/includes/sessions.php Sun Oct 07 17:28:47 2007 -0400 +++ b/includes/sessions.php Sun Oct 07 21:28:36 2007 -0400 @@ -547,15 +547,52 @@ * @param string $aes_key The MD5 hash of the encryption key, hex-encoded * @param string $challenge The 256-bit MD5 challenge string - first 128 bits should be the hash, the last 128 should be the challenge salt * @param int $level The privilege level we're authenticating for, defaults to 0 + * @param array $captcha_hash Optional. If we're locked out and the lockout policy is captcha, this should be the identifier for the code. + * @param array $captcha_code Optional. If we're locked out and the lockout policy is captcha, this should be the code the user entered. * @return string 'success' on success, or error string on failure */ - function login_with_crypto($username, $aes_data, $aes_key, $challenge, $level = USER_LEVEL_MEMBER) + function login_with_crypto($username, $aes_data, $aes_key, $challenge, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false) { global $db, $session, $paths, $template, $plugins; // Common objects $privcache = $this->private_key; + // Lockout stuff + $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5; + $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15; + // convert to minutes + $duration = $duration * 60; + $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout'; + if ( $policy == 'captcha' && $captcha_hash && $captcha_code ) + { + // policy is captcha -- check if it's correct, and if so, bypass lockout check + $real_code = $this->get_captcha($captcha_hash); + } + if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) ) + { + $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); + $timestamp_cutoff = time() - $duration; + $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;'); + $fails = $db->numrows(); + if ( $fails > $threshold ) + { + // ooh boy, somebody's in trouble ;-) + $row = $db->fetchrow(); + $db->free_result(); + return array( + 'success' => false, + 'error' => 'locked_out', + 'lockout_threshold' => $threshold, + 'lockout_duration' => ( $duration / 60 ), + 'lockout_fails' => $fails, + 'lockout_policy' => $policy, + 'lockout_last_time' => $row['timestamp'] + ); + } + $db->free_result(); + } + // Instanciate the Rijndael encryption object $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); @@ -563,13 +600,19 @@ $aes_key = $this->fetch_public_key($aes_key); if(!$aes_key) - return 'Couldn\'t look up public key "'.$aes_key.'" for decryption'; + return array( + 'success' => false, + 'error' => 'key_not_found' + ); // Convert the key to a binary string $bin_key = hexdecode($aes_key); if(strlen($bin_key) != AES_BITS / 8) - return 'The decryption key is the wrong length'; + return array( + 'success' => false, + 'error' => 'key_wrong_length' + ); // Decrypt our password $password = $aes->decrypt($aes_data, $bin_key, ENC_HEX); @@ -585,13 +628,33 @@ $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$db_username_lower.'\' OR username=\'' . $db_username . '\';'); if($db->numrows() < 1) { - return "The username and/or password is incorrect."; // This wasn't logged in <1.0.2, dunno how it slipped through if($level > USER_LEVEL_MEMBER) $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); else $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); - + + if ( $policy != 'disable' ) + { + $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); + // increment fail count + $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); + $fails++; + // ooh boy, somebody's in trouble ;-) + return array( + 'success' => false, + 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials', + 'lockout_threshold' => $threshold, + 'lockout_duration' => ( $duration / 60 ), + 'lockout_fails' => $fails, + 'lockout_policy' => $policy + ); + } + + return array( + 'success' => false, + 'error' => 'invalid_credentials' + ); } $row = $db->fetchrow(); @@ -642,7 +705,10 @@ if($success) { if($level > $row['user_level']) - return 'You are not authorized for this level of access.'; + return array( + 'success' => false, + 'error' => 'too_big_for_britches' + ); $sess = $this->register_session(intval($row['user_id']), $username, $password, $level); if($sess) @@ -662,10 +728,15 @@ { eval($cmd); } - return 'success'; + return array( + 'success' => true + ); } else - return 'Your login credentials were correct, but an internal error occurred while registering the session key in the database.'; + return array( + 'success' => false, + 'error' => 'backend_fail' + ); } else { @@ -674,7 +745,27 @@ else $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); - return 'The username and/or password is incorrect.'; + // Do we also need to increment the lockout countdown? + if ( $policy != 'disable' ) + { + $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); + // increment fail count + $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); + $fails++; + return array( + 'success' => false, + 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials', + 'lockout_threshold' => $threshold, + 'lockout_duration' => ( $duration / 60 ), + 'lockout_fails' => $fails, + 'lockout_policy' => $policy + ); + } + + return array( + 'success' => false, + 'error' => 'invalid_credentials' + ); } } @@ -700,6 +791,41 @@ return $this->login_compat($username, $pass_hashed, $level); } + // Lockout stuff + $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5; + $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15; + // convert to minutes + $duration = $duration * 60; + $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout'; + if ( $policy == 'captcha' && $captcha_hash && $captcha_code ) + { + // policy is captcha -- check if it's correct, and if so, bypass lockout check + $real_code = $this->get_captcha($captcha_hash); + } + if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) ) + { + $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); + $timestamp_cutoff = time() - $duration; + $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;'); + $fails = $db->numrows(); + if ( $fails > $threshold ) + { + // ooh boy, somebody's in trouble ;-) + $row = $db->fetchrow(); + $db->free_result(); + return array( + 'success' => false, + 'error' => 'locked_out', + 'lockout_threshold' => $threshold, + 'lockout_duration' => ( $duration / 60 ), + 'lockout_fails' => $fails, + 'lockout_policy' => $policy, + 'lockout_last_time' => $row['timestamp'] + ); + } + $db->free_result(); + } + // Instanciate the Rijndael encryption object $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); @@ -709,7 +835,35 @@ // Retrieve the real password from the database $this->sql('SELECT password,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$this->prepare_text(strtolower($username)).'\';'); if($db->numrows() < 1) - return 'The username and/or password is incorrect.'; + { + // This wasn't logged in <1.0.2, dunno how it slipped through + if($level > USER_LEVEL_MEMBER) + $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); + else + $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); + + // Do we also need to increment the lockout countdown? + if ( $policy != 'disable' ) + { + $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); + // increment fail count + $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); + $fails++; + return array( + 'success' => false, + 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials', + 'lockout_threshold' => $threshold, + 'lockout_duration' => ( $duration / 60 ), + 'lockout_fails' => $fails, + 'lockout_policy' => $policy + ); + } + + return array( + 'success' => false, + 'error' => 'invalid_credentials' + ); + } $row = $db->fetchrow(); // Check to see if we're logging in using a temporary password @@ -758,7 +912,10 @@ if($success) { if((int)$level > (int)$row['user_level']) - return 'You are not authorized for this level of access.'; + return array( + 'success' => false, + 'error' => 'too_big_for_britches' + ); $sess = $this->register_session(intval($row['user_id']), $username, $real_pass, $level); if($sess) { @@ -773,10 +930,15 @@ eval($cmd); } - return 'success'; + return array( + 'success' => true + ); } else - return 'Your login credentials were correct, but an internal error occured while registering the session key in the database.'; + return array( + 'success' => false, + 'error' => 'backend_fail' + ); } else { @@ -785,7 +947,27 @@ else $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); - return 'The username and/or password is incorrect.'; + // Do we also need to increment the lockout countdown? + if ( $policy != 'disable' ) + { + $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); + // increment fail count + $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); + $fails++; + return array( + 'success' => false, + 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials', + 'lockout_threshold' => $threshold, + 'lockout_duration' => ( $duration / 60 ), + 'lockout_fails' => $fails, + 'lockout_policy' => $policy + ); + } + + return array( + 'success' => false, + 'error' => 'invalid_credentials' + ); } } diff -r 4c19952406db -r 36b287f1d85c plugins/SpecialAdmin.php --- a/plugins/SpecialAdmin.php Sun Oct 07 17:28:47 2007 -0400 +++ b/plugins/SpecialAdmin.php Sun Oct 07 21:28:36 2007 -0400 @@ -203,6 +203,16 @@ setConfig('pw_strength_minimum', $strength); } + // Account lockout policy + if ( preg_match('/^[0-9]+$/', $_POST['lockout_threshold']) ) + setConfig('lockout_threshold', $_POST['lockout_threshold']); + + if ( preg_match('/^[0-9]+$/', $_POST['lockout_duration']) ) + setConfig('lockout_duration', $_POST['lockout_duration']); + + if ( in_array($_POST['lockout_policy'], array('disable', 'captcha', 'lockout')) ) + setConfig('lockout_policy', $_POST['lockout_policy']); + echo '
Your changes to the site configuration have been saved.

'; } @@ -351,6 +361,43 @@
Account lockouts
Configure Enano to prevent or restrict logins for a specified period of time if a user enters an incorrect password a specific number of times.
Lockout threshold:
+ How many times can a user enter wrong credentials before a lockout goes into effect? + 		+ +
Lockout duration:
+ This is how long an account lockout should last, in minutes. + 		+ +
Lockout policy:
+ What should be done when a lockout goes into effect? + 		+
+
+ +
Password strength
+ Forgot your password? No problem.
Maybe you need to create an account.
Password:
Code in image:
+ +
@@ -242,12 +342,12 @@ $plugins->attachHook('login_password_reset', 'SpecialLogin_SendResponse_PasswordReset($row[\'user_id\'], $row[\'temp_password\']);'); $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); $data = $json->decode($_POST['params']); + $captcha_hash = ( isset($data['captcha_hash']) ) ? $data['captcha_hash'] : false; + $captcha_code = ( isset($data['captcha_code']) ) ? $data['captcha_code'] : false; $level = ( isset($data['level']) ) ? intval($data['level']) : USER_LEVEL_MEMBER; - $result = $session->login_with_crypto($data['username'], $data['crypt_data'], $data['crypt_key'], $data['challenge'], $level); + $result = $session->login_with_crypto($data['username'], $data['crypt_data'], $data['crypt_key'], $data['challenge'], $level, $captcha_hash, $captcha_code); $session->start(); - //echo "$result\n$session->sid_super"; - //exit; - if ( $result == 'success' ) + if ( $result['success'] ) { $response = Array( 'result' => 'success', @@ -256,9 +356,16 @@ } else { + $captcha = ''; + if ( $result['error'] == 'locked_out' && $result['lockout_policy'] == 'captcha' ) + { + $session->kill_captcha(); + $captcha = $session->make_captcha(); + } $response = Array( 'result' => 'error', - 'error' => $result + 'data' => $result, + 'captcha' => $captcha ); } $response = $json->encode($response); @@ -267,17 +374,19 @@ exit; } if(isset($_POST['login'])) { + $captcha_hash = ( isset($_POST['captcha_hash']) ) ? $_POST['captcha_hash'] : false; + $captcha_code = ( isset($_POST['captcha_code']) ) ? $_POST['captcha_code'] : false; if($_POST['use_crypt'] == 'yes') { - $result = $session->login_with_crypto($_POST['username'], $_POST['crypt_data'], $_POST['crypt_key'], $_POST['challenge_data'], intval($_POST['auth_level'])); + $result = $session->login_with_crypto($_POST['username'], $_POST['crypt_data'], $_POST['crypt_key'], $_POST['challenge_data'], intval($_POST['auth_level']), $captcha_hash, $captcha_code); } else { - $result = $session->login_without_crypto($_POST['username'], $_POST['pass'], false, intval($_POST['auth_level'])); + $result = $session->login_without_crypto($_POST['username'], $_POST['pass'], false, intval($_POST['auth_level']), $captcha_hash, $captcha_code); } $session->start(); $paths->init(); - if($result == 'success') + if($result['success']) { $template->load_theme($session->theme, $session->style); if(isset($_POST['return_to'])) diff -r 4c19952406db -r 36b287f1d85c schema.sql --- a/schema.sql Sun Oct 07 17:28:47 2007 -0400 +++ b/schema.sql Sun Oct 07 21:28:36 2007 -0400 @@ -254,6 +254,16 @@ PRIMARY KEY ( tag_id ) ) CHARACTER SET `utf8`; +-- Added in 1.1.1 + +CREATE TABLE {{TABLE_PREFIX}}lockout( + id int(12) NOT NULL auto_increment, + ipaddr varchar(40) NOT NULL, + action ENUM('credential', 'level') NOT NULL DEFAULT 'credential', + timestamp int(12) NOT NULL DEFAULT 0, + PRIMARY KEY ( id ) +) CHARACTER SET `utf8`; + INSERT INTO {{TABLE_PREFIX}}config(config_name, config_value) VALUES ('site_name', '{{SITE_NAME}}'), ('main_page', 'Main_Page'), diff -r 4c19952406db -r 36b287f1d85c upgrade.sql --- a/upgrade.sql Sun Oct 07 17:28:47 2007 -0400 +++ b/upgrade.sql Sun Oct 07 21:28:36 2007 -0400 @@ -5,9 +5,10 @@ DELETE FROM {{TABLE_PREFIX}}config WHERE config_name='enano_version' OR config_name='enano_beta_version' OR config_name='enano_alpha_version' OR config_name='enano_rc_version'; INSERT INTO {{TABLE_PREFIX}}config (config_name, config_value) VALUES( 'enano_version', '1.1.1' ); ---BEGIN Stable1.0ToUnstable1.1--- -UPDATE {{TABLE_PREFIX}}groups SET group_id=9998 WHERE group_id=4; -UPDATE {{TABLE_PREFIX}}group_members SET group_id=9998 WHERE group_id=4; -INSERT INTO {{TABLE_PREFIX}}groups(group_id,group_name,group_type,system_group) VALUES(4, 'Regular members', 3, 1); +-- UPDATE {{TABLE_PREFIX}}groups SET group_id=9998 WHERE group_id=4; +-- UPDATE {{TABLE_PREFIX}}group_members SET group_id=9998 WHERE group_id=4; +-- INSERT INTO {{TABLE_PREFIX}}groups(group_id,group_name,group_type,system_group) VALUES(4, 'Regular members', 3, 1); +CREATE TABLE {{TABLE_PREFIX}}lockout( id int(12) NOT NULL auto_increment, ipaddr varchar(40) NOT NULL, action ENUM('credential', 'level') NOT NULL DEFAULT 'credential', timestamp int(12) NOT NULL DEFAULT 0, PRIMARY KEY ( id ) ) CHARACTER SET `utf8`; ---END Stable1.0ToUnstable1.1--- ---BEGIN 1.0.2--- ---END 1.0.2---