/[LeafOK_CVS]/lbbs/src/login.c
ViewVC logotype

Contents of /lbbs/src/login.c

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.72 - (show annotations)
Sat Nov 29 01:55:00 2025 UTC (3 months, 2 weeks ago) by sysadm
Branch: MAIN
Changes since 1.71: +0 -3 lines
Content type: text/x-csrc 
Remove duplicate log
1 /* SPDX-License-Identifier: GPL-3.0-or-later */
2 /*
3 * login
4 * - user authentication and online status manager
5 *
6 * Copyright (C) 2004-2025 Leaflet <leaflet@leafok.com>
7 */
8
9 #ifdef HAVE_CONFIG_H
10 #include "config.h"
11 #endif
12
13 #include "bbs.h"
14 #include "common.h"
15 #include "database.h"
16 #include "io.h"
17 #include "ip_mask.h"
18 #include "log.h"
19 #include "login.h"
20 #include "screen.h"
21 #include "user_priv.h"
22 #include <ctype.h>
23 #include <errno.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <regex.h>
27 #include <unistd.h>
28 #include <mysql.h>
29 #include <sys/param.h>
30
31 static const int BBS_username_min_len = 3; // common len = 5, special len = 3
32 static const int BBS_password_min_len = 5; // legacy len = 5, current len = 6
33
34 static const int BBS_allowed_login_failures_within_interval = 10;
35 static const int BBS_login_failures_count_interval = 10; // minutes
36 static const int BBS_allowed_login_failures_per_account = 3;
37
38 const int BBS_login_retry_times = 3;
39
40 int bbs_login(void)
41 {
42 char username[BBS_username_max_len + 1];
43 char password[BBS_password_max_len + 1];
44 int i = 0;
45 int ok = 0;
46
47 for (; !SYS_server_exit && !ok && i < BBS_login_retry_times; i++)
48 {
49 prints("\033[1;33m请输入帐号\033[m(试用请输入`\033[1;36mguest\033[m', "
50 "注册请输入`\033[1;31mnew\033[m'): ");
51 iflush();
52
53 if (str_input(username, sizeof(username), DOECHO) < 0)
54 {
55 continue;
56 }
57
58 if (strcmp(username, "guest") == 0)
59 {
60 load_guest_info();
61
62 return 0;
63 }
64
65 if (strcmp(username, "new") == 0)
66 {
67 display_file(DATA_REGISTER, 1);
68
69 return -1;
70 }
71
72 if (username[0] != '\0')
73 {
74 prints("\033[1;37m请输入密码\033[m: ");
75 iflush();
76
77 if (str_input(password, sizeof(password), NOECHO) < 0)
78 {
79 continue;
80 }
81
82 ok = (check_user(username, password) == 0);
83 iflush();
84 }
85 }
86
87 if (!ok)
88 {
89 display_file(DATA_LOGIN_ERROR, 1);
90 return -1;
91 }
92
93 return 0;
94 }
95
96 int check_user(const char *username, const char *password)
97 {
98 MYSQL *db = NULL;
99 MYSQL_RES *rs = NULL;
100 MYSQL_ROW row;
101 char sql[SQL_BUFFER_LEN];
102 int ret = 0;
103 int BBS_uid = 0;
104 char client_addr[IP_ADDR_LEN];
105 int i;
106 int ok = 1;
107 char user_tz_env[BBS_user_tz_max_len + 2];
108
109 db = db_open();
110 if (db == NULL)
111 {
112 ret = -1;
113 goto cleanup;
114 }
115
116 // Verify format
117 for (i = 0; ok && username[i] != '\0'; i++)
118 {
119 if (!(isalpha((int)username[i]) || (i > 0 && (isdigit((int)username[i]) || username[i] == '_'))))
120 {
121 ok = 0;
122 }
123 }
124 if (ok && (i < BBS_username_min_len || i > BBS_username_max_len))
125 {
126 ok = 0;
127 }
128 for (i = 0; ok && password[i] != '\0'; i++)
129 {
130 if (!isalnum((int)password[i]))
131 {
132 ok = 0;
133 }
134 }
135 if (ok && (i < BBS_password_min_len || i > BBS_password_max_len))
136 {
137 ok = 0;
138 }
139
140 if (!ok)
141 {
142 prints("\033[1;31m用户名或密码格式错误...\033[m\r\n");
143 ret = 1;
144 goto cleanup;
145 }
146
147 // Begin transaction
148 if (mysql_query(db, "SET autocommit=0") != 0)
149 {
150 log_error("SET autocommit=0 error: %s\n", mysql_error(db));
151 ret = -1;
152 goto cleanup;
153 }
154
155 if (mysql_query(db, "BEGIN") != 0)
156 {
157 log_error("Begin transaction error: %s\n", mysql_error(db));
158 ret = -1;
159 goto cleanup;
160 }
161
162 // Failed login attempts from the same source (subnet /24) during certain time period
163 strncpy(client_addr, hostaddr_client, sizeof(client_addr) - 1);
164 client_addr[sizeof(client_addr) - 1] = '\0';
165
166 snprintf(sql, sizeof(sql),
167 "SELECT COUNT(*) AS err_count FROM user_err_login_log "
168 "WHERE login_dt >= SUBDATE(NOW(), INTERVAL %d MINUTE) "
169 "AND login_ip LIKE '%s'",
170 BBS_login_failures_count_interval,
171 ip_mask(client_addr, 1, '%'));
172 if (mysql_query(db, sql) != 0)
173 {
174 log_error("Query user_list error: %s\n", mysql_error(db));
175 ret = -1;
176 goto cleanup;
177 }
178 if ((rs = mysql_store_result(db)) == NULL)
179 {
180 log_error("Get user_list data failed\n");
181 ret = -1;
182 goto cleanup;
183 }
184 if ((row = mysql_fetch_row(rs)))
185 {
186 if (atoi(row[0]) >= BBS_allowed_login_failures_within_interval)
187 {
188 prints("\033[1;31m来源存在多次失败登陆尝试,请稍后再试,或使用Web方式访问\033[m\r\n");
189 ret = 1;
190 goto cleanup;
191 }
192 }
193 mysql_free_result(rs);
194 rs = NULL;
195
196 // Failed login attempts against the current username since last successful login
197 snprintf(sql, sizeof(sql),
198 "SELECT COUNT(*) AS err_count FROM user_err_login_log "
199 "LEFT JOIN user_list ON user_err_login_log.username = user_list.username "
200 "LEFT JOIN user_pubinfo ON user_list.UID = user_pubinfo.UID "
201 "WHERE user_err_login_log.username = '%s' "
202 "AND (user_err_login_log.login_dt >= user_pubinfo.last_login_dt "
203 "OR user_pubinfo.last_login_dt IS NULL)",
204 username);
205 if (mysql_query(db, sql) != 0)
206 {
207 log_error("Query user_list error: %s\n", mysql_error(db));
208 ret = -1;
209 goto cleanup;
210 }
211 if ((rs = mysql_store_result(db)) == NULL)
212 {
213 log_error("Get user_list data failed\n");
214 ret = -1;
215 goto cleanup;
216 }
217 if ((row = mysql_fetch_row(rs)))
218 {
219 if (atoi(row[0]) >= BBS_allowed_login_failures_per_account)
220 {
221 prints("\033[1;31m账户存在多次失败登陆尝试,请使用Web方式登录解锁\033[m\r\n");
222 ret = 1;
223 goto cleanup;
224 }
225 }
226 mysql_free_result(rs);
227 rs = NULL;
228
229 snprintf(sql, sizeof(sql),
230 "SELECT UID, username, p_login FROM user_list "
231 "WHERE username = '%s' AND password = SHA2('%s', 256) AND enable",
232 username, password);
233 if (mysql_query(db, sql) != 0)
234 {
235 log_error("Query user_list error: %s\n", mysql_error(db));
236 ret = -1;
237 goto cleanup;
238 }
239 if ((rs = mysql_store_result(db)) == NULL)
240 {
241 log_error("Get user_list data failed\n");
242 ret = -1;
243 goto cleanup;
244 }
245 if ((row = mysql_fetch_row(rs)))
246 {
247 BBS_uid = atoi(row[0]);
248 strncpy(BBS_username, row[1], sizeof(BBS_username) - 1);
249 BBS_username[sizeof(BBS_username) - 1] = '\0';
250 int p_login = atoi(row[2]);
251
252 mysql_free_result(rs);
253 rs = NULL;
254
255 // Add user login log
256 snprintf(sql, sizeof(sql),
257 "INSERT INTO user_login_log(UID, login_dt, login_ip) "
258 "VALUES(%d, NOW(), '%s')",
259 BBS_uid, hostaddr_client);
260 if (mysql_query(db, sql) != 0)
261 {
262 log_error("Insert into user_login_log error: %s\n", mysql_error(db));
263 ret = -1;
264 goto cleanup;
265 }
266
267 // Commit transaction
268 if (mysql_query(db, "COMMIT") != 0)
269 {
270 log_error("Commit transaction error: %s\n", mysql_error(db));
271 ret = -1;
272 goto cleanup;
273 }
274
275 if (p_login == 0)
276 {
277 prints("\033[1;31m您目前无权登陆...\033[m\r\n");
278 ret = 1;
279 goto cleanup;
280 }
281 }
282 else
283 {
284 mysql_free_result(rs);
285 rs = NULL;
286
287 snprintf(sql, sizeof(sql),
288 "INSERT INTO user_err_login_log(username, password, login_dt, login_ip) "
289 "VALUES('%s', '%s', NOW(), '%s')",
290 username, password, hostaddr_client);
291 if (mysql_query(db, sql) != 0)
292 {
293 log_error("Insert into user_err_login_log error: %s\n", mysql_error(db));
294 ret = -1;
295 goto cleanup;
296 }
297
298 // Commit transaction
299 if (mysql_query(db, "COMMIT") != 0)
300 {
301 log_error("Commit transaction error: %s\n", mysql_error(db));
302 ret = -1;
303 goto cleanup;
304 }
305
306 prints("\033[1;31m错误的用户名或密码...\033[m\r\n");
307 ret = 1;
308 goto cleanup;
309 }
310
311 // Set AUTOCOMMIT = 1
312 if (mysql_query(db, "SET autocommit=1") != 0)
313 {
314 log_error("SET autocommit=1 error: %s\n", mysql_error(db));
315 ret = -1;
316 goto cleanup;
317 }
318
319 ret = load_user_info(db, BBS_uid);
320
321 switch (ret)
322 {
323 case 0: // Login successfully
324 break;
325 case -1: // Load data error
326 prints("\033[1;31m读取用户数据错误...\033[m\r\n");
327 ret = -1;
328 goto cleanup;
329 case -2: // Unused
330 prints("\033[1;31m请通过Web登录更新用户许可协议...\033[m\r\n");
331 ret = 1;
332 goto cleanup;
333 case -3: // Dead
334 prints("\033[1;31m很遗憾,您已经永远离开了我们的世界!\033[m\r\n");
335 ret = 1;
336 goto cleanup;
337 default:
338 ret = -2;
339 goto cleanup;
340 }
341
342 if (!SSH_v2 && checklevel2(&BBS_priv, P_MAN_S))
343 {
344 prints("\033[1;31m非普通账户必须使用SSH方式登录\033[m\r\n");
345 ret = 1;
346 goto cleanup;
347 }
348
349 snprintf(sql, sizeof(sql),
350 "UPDATE user_pubinfo SET visit_count = visit_count + 1, "
351 "last_login_dt = NOW() WHERE UID = %d",
352 BBS_uid);
353 if (mysql_query(db, sql) != 0)
354 {
355 log_error("Update user_pubinfo error: %s\n", mysql_error(db));
356 ret = -1;
357 goto cleanup;
358 }
359
360 if (user_online_add(db) != 0)
361 {
362 ret = -1;
363 goto cleanup;
364 }
365
366 BBS_last_access_tm = BBS_login_tm = time(NULL);
367
368 // Set user tz to process env
369 if (BBS_user_tz[0] != '\0')
370 {
371 user_tz_env[0] = ':';
372 strncpy(user_tz_env + 1, BBS_user_tz, sizeof(user_tz_env) - 2);
373 user_tz_env[sizeof(user_tz_env) - 1] = '\0';
374
375 if (setenv("TZ", user_tz_env, 1) == -1)
376 {
377 log_error("setenv(TZ = %s) error %d\n", user_tz_env, errno);
378 return -3;
379 }
380
381 tzset();
382 }
383
384 cleanup:
385 mysql_free_result(rs);
386 mysql_close(db);
387
388 return ret;
389 }
390
391 int load_user_info(MYSQL *db, int BBS_uid)
392 {
393 MYSQL_RES *rs = NULL;
394 MYSQL_ROW row;
395 char sql[SQL_BUFFER_LEN];
396 int life;
397 time_t last_login_dt;
398 int ret = 0;
399
400 snprintf(sql, sizeof(sql),
401 "SELECT life, UNIX_TIMESTAMP(last_login_dt), user_timezone, exp, nickname "
402 "FROM user_pubinfo WHERE UID = %d",
403 BBS_uid);
404 if (mysql_query(db, sql) != 0)
405 {
406 log_error("Query user_pubinfo error: %s\n", mysql_error(db));
407 ret = -1;
408 goto cleanup;
409 }
410 if ((rs = mysql_store_result(db)) == NULL)
411 {
412 log_error("Get user_pubinfo data failed\n");
413 ret = -1;
414 goto cleanup;
415 }
416 if ((row = mysql_fetch_row(rs)))
417 {
418 life = atoi(row[0]);
419 last_login_dt = (time_t)atol(row[1]);
420
421 strncpy(BBS_user_tz, row[2], sizeof(BBS_user_tz) - 1);
422 BBS_user_tz[sizeof(BBS_user_tz) - 1] = '\0';
423
424 BBS_user_exp = atoi(row[3]);
425
426 strncpy(BBS_nickname, row[4], sizeof(BBS_nickname));
427 BBS_nickname[sizeof(BBS_nickname) - 1] = '\0';
428 }
429 else
430 {
431 ret = -1; // Data not found
432 goto cleanup;
433 }
434 mysql_free_result(rs);
435 rs = NULL;
436
437 if (life != 333 && life != 365 && life != 666 && life != 999 && // Not immortal
438 time(NULL) - last_login_dt > 60 * 60 * 24 * life)
439 {
440 ret = -3; // Dead
441 goto cleanup;
442 }
443
444 if (load_priv(db, &BBS_priv, BBS_uid) != 0)
445 {
446 ret = -1;
447 goto cleanup;
448 }
449
450 cleanup:
451 mysql_free_result(rs);
452
453 return ret;
454 }
455
456 int load_guest_info(void)
457 {
458 MYSQL *db = NULL;
459 int ret = 0;
460
461 db = db_open();
462 if (db == NULL)
463 {
464 ret = -1;
465 goto cleanup;
466 }
467
468 strncpy(BBS_username, "guest", sizeof(BBS_username) - 1);
469 BBS_username[sizeof(BBS_username) - 1] = '\0';
470
471 BBS_user_exp = 0;
472
473 strncpy(BBS_nickname, "Guest", sizeof(BBS_nickname));
474 BBS_nickname[sizeof(BBS_nickname) - 1] = '\0';
475
476 if (load_priv(db, &BBS_priv, 0) != 0)
477 {
478 ret = -1;
479 goto cleanup;
480 }
481
482 if (user_online_add(db) != 0)
483 {
484 ret = -1;
485 goto cleanup;
486 }
487
488 BBS_last_access_tm = BBS_login_tm = time(NULL);
489
490 cleanup:
491 mysql_close(db);
492
493 return ret;
494 }
495
496 int user_online_add(MYSQL *db)
497 {
498 char sql[SQL_BUFFER_LEN];
499
500 snprintf(sql, sizeof(sql),
501 "INSERT INTO visit_log(dt, IP) VALUES(NOW(), '%s')",
502 hostaddr_client);
503 if (mysql_query(db, sql) != 0)
504 {
505 log_error("Add visit log error: %s\n", mysql_error(db));
506 return -1;
507 }
508
509 if (user_online_del(db) != 0)
510 {
511 return -2;
512 }
513
514 snprintf(sql, sizeof(sql),
515 "INSERT INTO user_online(SID, UID, ip, current_action, login_tm, last_tm) "
516 "VALUES('Telnet_Process_%d', %d, '%s', 'LOGIN', NOW(), NOW())",
517 getpid(), BBS_priv.uid, hostaddr_client);
518 if (mysql_query(db, sql) != 0)
519 {
520 log_error("Add user_online error: %s\n", mysql_error(db));
521 return -3;
522 }
523
524 return 0;
525 }
526
527 int user_online_del(MYSQL *db)
528 {
529 char sql[SQL_BUFFER_LEN];
530
531 snprintf(sql, sizeof(sql),
532 "DELETE FROM user_online WHERE SID = 'Telnet_Process_%d'",
533 getpid());
534 if (mysql_query(db, sql) != 0)
535 {
536 log_error("Delete user_online error: %s\n", mysql_error(db));
537 return -1;
538 }
539
540 return 0;
541 }
542
543 int user_online_exp(MYSQL *db)
544 {
545 char sql[SQL_BUFFER_LEN];
546
547 // +1 exp for every 5 minutes online since last logout
548 // but at most 24 hours worth of exp can be gained in Telnet session
549 snprintf(sql, sizeof(sql),
550 "UPDATE user_pubinfo SET exp = exp + FLOOR(LEAST(TIMESTAMPDIFF("
551 "SECOND, GREATEST(last_login_dt, IF(last_logout_dt IS NULL, last_login_dt, last_logout_dt)), NOW()"
552 ") / 60 / 5, 12 * 24)), last_logout_dt = NOW() "
553 "WHERE UID = %d",
554 BBS_priv.uid);
555 if (mysql_query(db, sql) != 0)
556 {
557 log_error("Update user_pubinfo error: %s\n", mysql_error(db));
558 return -1;
559 }
560
561 return 0;
562 }
563
564 int user_online_update(const char *action)
565 {
566 MYSQL *db = NULL;
567 char sql[SQL_BUFFER_LEN];
568
569 if ((action == NULL || strcmp(BBS_current_action, action) == 0) &&
570 time(NULL) - BBS_current_action_tm < BBS_current_action_refresh_interval) // No change
571 {
572 return 0;
573 }
574
575 if (action != NULL)
576 {
577 strncpy(BBS_current_action, action, sizeof(BBS_current_action) - 1);
578 BBS_current_action[sizeof(BBS_current_action) - 1] = '\0';
579 }
580
581 BBS_current_action_tm = time(NULL);
582
583 db = db_open();
584 if (db == NULL)
585 {
586 log_error("db_open() error: %s\n", mysql_error(db));
587 return -1;
588 }
589
590 snprintf(sql, sizeof(sql),
591 "UPDATE user_online SET current_action = '%s', last_tm = NOW() "
592 "WHERE SID = 'Telnet_Process_%d'",
593 BBS_current_action, getpid());
594 if (mysql_query(db, sql) != 0)
595 {
596 log_error("Update user_online error: %s\n", mysql_error(db));
597 return -2;
598 }
599
600 mysql_close(db);
601
602 return 1;
603 }
webmaster@leafok.com
 ViewVC Help
Powered by ViewVC 1.3.0-beta1