/[LeafOK_CVS]/lbbs/src/login.c
ViewVC logotype

Contents of /lbbs/src/login.c

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.78 - (show annotations)
Fri Dec 26 11:26:01 2025 UTC (2 months, 2 weeks ago) by sysadm
Branch: MAIN
Changes since 1.77: +0 -2 lines
Content type: text/x-csrc 
Remove duplicate log
1 /* SPDX-License-Identifier: GPL-3.0-or-later */
2 /*
3 * login
4 * - user authentication and online status manager
5 *
6 * Copyright (C) 2004-2025 Leaflet <leaflet@leafok.com>
7 */
8
9 #ifdef HAVE_CONFIG_H
10 #include "config.h"
11 #endif
12
13 #include "bbs.h"
14 #include "common.h"
15 #include "database.h"
16 #include "io.h"
17 #include "ip_mask.h"
18 #include "log.h"
19 #include "login.h"
20 #include "screen.h"
21 #include "user_priv.h"
22 #include <ctype.h>
23 #include <errno.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <regex.h>
27 #include <unistd.h>
28 #include <mysql.h>
29 #include <sys/param.h>
30
31 static const int BBS_username_min_len = 3; // common len = 5, special len = 3
32 static const int BBS_password_min_len = 5; // legacy len = 5, current len = 6
33
34 static const int BBS_allowed_login_failures_within_interval = 10;
35 static const int BBS_login_failures_count_interval = 10; // minutes
36 static const int BBS_allowed_login_failures_per_account = 3;
37
38 const int BBS_login_retry_times = 3;
39
40 int bbs_login(void)
41 {
42 char username[BBS_username_max_len + 1];
43 char password[BBS_password_max_len + 1];
44 int i;
45 int ret;
46
47 for (i = 0; !SYS_server_exit && i < BBS_login_retry_times; i++)
48 {
49 prints("\033[1;33m请输入帐号\033[m(试用请输入`\033[1;36mguest\033[m', "
50 "注册请输入`\033[1;31mnew\033[m'): ");
51 iflush();
52
53 if (str_input(username, sizeof(username), DOECHO) < 0)
54 {
55 continue;
56 }
57
58 if (strcmp(username, "guest") == 0)
59 {
60 load_guest_info();
61 log_common("User [%s] authenticated successfully", username);
62 return 0;
63 }
64
65 if (strcmp(username, "new") == 0)
66 {
67 display_file(DATA_REGISTER, 1);
68 return -1;
69 }
70
71 if (username[0] != '\0')
72 {
73 prints("\033[1;37m请输入密码\033[m: ");
74 iflush();
75
76 if (str_input(password, sizeof(password), NOECHO) < 0)
77 {
78 continue;
79 }
80
81 ret = check_user(username, password);
82 if (ret == 2) // Enforce update user agreement
83 {
84 BBS_update_eula = 1;
85 ret = 0;
86 }
87
88 if (ret == 0)
89 {
90 log_common("User [%s] authenticated successfully", username);
91 return 0;
92 }
93
94 log_common("User [%s] authentication failed (%d/%d)", username,
95 i + 1, BBS_login_retry_times);
96 iflush();
97 }
98 }
99
100 display_file(DATA_LOGIN_ERROR, 1);
101 return -1;
102 }
103
104 int check_user(const char *username, const char *password)
105 {
106 MYSQL *db = NULL;
107 MYSQL_RES *rs = NULL;
108 MYSQL_ROW row;
109 char sql[SQL_BUFFER_LEN];
110 int ret = 0;
111 int BBS_uid = 0;
112 char client_addr[IP_ADDR_LEN];
113 int i;
114 int ok = 1;
115 char user_tz_env[BBS_user_tz_max_len + 2];
116
117 db = db_open();
118 if (db == NULL)
119 {
120 ret = -1;
121 goto cleanup;
122 }
123
124 // Verify format
125 for (i = 0; ok && username[i] != '\0'; i++)
126 {
127 if (!(isalpha((int)username[i]) || (i > 0 && (isdigit((int)username[i]) || username[i] == '_'))))
128 {
129 ok = 0;
130 }
131 }
132 if (ok && (i < BBS_username_min_len || i > BBS_username_max_len))
133 {
134 ok = 0;
135 }
136 for (i = 0; ok && password[i] != '\0'; i++)
137 {
138 if (!isalnum((int)password[i]))
139 {
140 ok = 0;
141 }
142 }
143 if (ok && (i < BBS_password_min_len || i > BBS_password_max_len))
144 {
145 ok = 0;
146 }
147
148 if (!ok)
149 {
150 prints("\033[1;31m用户名或密码格式错误...\033[m\r\n");
151 ret = 1;
152 goto cleanup;
153 }
154
155 // Begin transaction
156 if (mysql_query(db, "SET autocommit=0") != 0)
157 {
158 log_error("SET autocommit=0 error: %s", mysql_error(db));
159 ret = -1;
160 goto cleanup;
161 }
162
163 if (mysql_query(db, "BEGIN") != 0)
164 {
165 log_error("Begin transaction error: %s", mysql_error(db));
166 ret = -1;
167 goto cleanup;
168 }
169
170 // Failed login attempts from the same source (subnet /24) during certain time period
171 strncpy(client_addr, hostaddr_client, sizeof(client_addr) - 1);
172 client_addr[sizeof(client_addr) - 1] = '\0';
173
174 snprintf(sql, sizeof(sql),
175 "SELECT COUNT(*) AS err_count FROM user_err_login_log "
176 "WHERE login_dt >= SUBDATE(NOW(), INTERVAL %d MINUTE) "
177 "AND login_ip LIKE '%s'",
178 BBS_login_failures_count_interval,
179 ip_mask(client_addr, 1, '%'));
180 if (mysql_query(db, sql) != 0)
181 {
182 log_error("Query user_list error: %s", mysql_error(db));
183 ret = -1;
184 goto cleanup;
185 }
186 if ((rs = mysql_store_result(db)) == NULL)
187 {
188 log_error("Get user_list data failed");
189 ret = -1;
190 goto cleanup;
191 }
192 if ((row = mysql_fetch_row(rs)))
193 {
194 if (atoi(row[0]) >= BBS_allowed_login_failures_within_interval)
195 {
196 prints("\033[1;31m来源存在多次失败登陆尝试,请稍后再试,或使用Web方式访问\033[m\r\n");
197 ret = 1;
198 goto cleanup;
199 }
200 }
201 mysql_free_result(rs);
202 rs = NULL;
203
204 // Failed login attempts against the current username since last successful login
205 snprintf(sql, sizeof(sql),
206 "SELECT COUNT(*) AS err_count FROM user_err_login_log "
207 "LEFT JOIN user_list ON user_err_login_log.username = user_list.username "
208 "LEFT JOIN user_pubinfo ON user_list.UID = user_pubinfo.UID "
209 "WHERE user_err_login_log.username = '%s' "
210 "AND (user_err_login_log.login_dt >= user_pubinfo.last_login_dt "
211 "OR user_pubinfo.last_login_dt IS NULL)",
212 username);
213 if (mysql_query(db, sql) != 0)
214 {
215 log_error("Query user_list error: %s", mysql_error(db));
216 ret = -1;
217 goto cleanup;
218 }
219 if ((rs = mysql_store_result(db)) == NULL)
220 {
221 log_error("Get user_list data failed");
222 ret = -1;
223 goto cleanup;
224 }
225 if ((row = mysql_fetch_row(rs)))
226 {
227 if (atoi(row[0]) >= BBS_allowed_login_failures_per_account)
228 {
229 prints("\033[1;31m账户存在多次失败登陆尝试,请使用Web方式登录解锁\033[m\r\n");
230 ret = 1;
231 goto cleanup;
232 }
233 }
234 mysql_free_result(rs);
235 rs = NULL;
236
237 snprintf(sql, sizeof(sql),
238 "SELECT UID, username, p_login FROM user_list "
239 "WHERE username = '%s' AND password = SHA2('%s', 256) AND enable",
240 username, password);
241 if (mysql_query(db, sql) != 0)
242 {
243 log_error("Query user_list error: %s", mysql_error(db));
244 ret = -1;
245 goto cleanup;
246 }
247 if ((rs = mysql_store_result(db)) == NULL)
248 {
249 log_error("Get user_list data failed");
250 ret = -1;
251 goto cleanup;
252 }
253 if ((row = mysql_fetch_row(rs)))
254 {
255 BBS_uid = atoi(row[0]);
256 strncpy(BBS_username, row[1], sizeof(BBS_username) - 1);
257 BBS_username[sizeof(BBS_username) - 1] = '\0';
258 int p_login = atoi(row[2]);
259
260 mysql_free_result(rs);
261 rs = NULL;
262
263 // Add user login log
264 snprintf(sql, sizeof(sql),
265 "INSERT INTO user_login_log(UID, login_dt, login_ip) "
266 "VALUES(%d, NOW(), '%s')",
267 BBS_uid, hostaddr_client);
268 if (mysql_query(db, sql) != 0)
269 {
270 log_error("Insert into user_login_log error: %s", mysql_error(db));
271 ret = -1;
272 goto cleanup;
273 }
274
275 // Commit transaction
276 if (mysql_query(db, "COMMIT") != 0)
277 {
278 log_error("Commit transaction error: %s", mysql_error(db));
279 ret = -1;
280 goto cleanup;
281 }
282
283 if (p_login == 0)
284 {
285 prints("\033[1;31m您目前无权登陆...\033[m\r\n");
286 ret = 1;
287 goto cleanup;
288 }
289 }
290 else
291 {
292 mysql_free_result(rs);
293 rs = NULL;
294
295 snprintf(sql, sizeof(sql),
296 "INSERT INTO user_err_login_log(username, password, login_dt, login_ip) "
297 "VALUES('%s', '%s', NOW(), '%s')",
298 username, password, hostaddr_client);
299 if (mysql_query(db, sql) != 0)
300 {
301 log_error("Insert into user_err_login_log error: %s", mysql_error(db));
302 ret = -1;
303 goto cleanup;
304 }
305
306 // Commit transaction
307 if (mysql_query(db, "COMMIT") != 0)
308 {
309 log_error("Commit transaction error: %s", mysql_error(db));
310 ret = -1;
311 goto cleanup;
312 }
313
314 prints("\033[1;31m错误的用户名或密码...\033[m\r\n");
315 ret = 1;
316 goto cleanup;
317 }
318
319 // Set AUTOCOMMIT = 1
320 if (mysql_query(db, "SET autocommit=1") != 0)
321 {
322 log_error("SET autocommit=1 error: %s", mysql_error(db));
323 ret = -1;
324 goto cleanup;
325 }
326
327 ret = load_user_info(db, BBS_uid);
328
329 switch (ret)
330 {
331 case 0: // Login successfully
332 if (!SSH_v2 && checklevel2(&BBS_priv, P_MAN_S))
333 {
334 prints("\033[1;31m非普通账户必须使用SSH方式登录\033[m\r\n");
335 ret = 1;
336 goto cleanup;
337 }
338 break;
339 case -1: // Load data error
340 prints("\033[1;31m读取用户数据错误...\033[m\r\n");
341 ret = -1;
342 goto cleanup;
343 case -2: // Enforce update user agreement
344 if (!SSH_v2 && checklevel2(&BBS_priv, P_MAN_S))
345 {
346 prints("\033[1;31m非普通账户必须使用SSH方式登录\033[m\r\n");
347 ret = 1;
348 goto cleanup;
349 }
350 ret = 2;
351 goto cleanup;
352 case -3: // Dead
353 prints("\033[1;31m很遗憾,您已经永远离开了我们的世界!\033[m\r\n");
354 ret = 1;
355 goto cleanup;
356 default:
357 ret = -2;
358 goto cleanup;
359 }
360
361 snprintf(sql, sizeof(sql),
362 "UPDATE user_pubinfo SET visit_count = visit_count + 1, "
363 "last_login_dt = NOW() WHERE UID = %d",
364 BBS_uid);
365 if (mysql_query(db, sql) != 0)
366 {
367 log_error("Update user_pubinfo error: %s", mysql_error(db));
368 ret = -1;
369 goto cleanup;
370 }
371
372 if (user_online_add(db) != 0)
373 {
374 ret = -1;
375 goto cleanup;
376 }
377
378 BBS_last_access_tm = BBS_login_tm = time(NULL);
379
380 // Set user tz to process env
381 if (BBS_user_tz[0] != '\0')
382 {
383 user_tz_env[0] = ':';
384 strncpy(user_tz_env + 1, BBS_user_tz, sizeof(user_tz_env) - 2);
385 user_tz_env[sizeof(user_tz_env) - 1] = '\0';
386
387 if (setenv("TZ", user_tz_env, 1) == -1)
388 {
389 log_error("setenv(TZ = %s) error %d", user_tz_env, errno);
390 return -3;
391 }
392
393 tzset();
394 }
395
396 cleanup:
397 mysql_free_result(rs);
398 mysql_close(db);
399
400 return ret;
401 }
402
403 int load_user_info(MYSQL *db, int BBS_uid)
404 {
405 MYSQL_RES *rs = NULL;
406 MYSQL_ROW row;
407 char sql[SQL_BUFFER_LEN];
408 int life;
409 time_t last_login_dt;
410 int ret = 0;
411
412 snprintf(sql, sizeof(sql),
413 "SELECT life, UNIX_TIMESTAMP(last_login_dt), user_timezone, exp, nickname "
414 "FROM user_pubinfo WHERE UID = %d",
415 BBS_uid);
416 if (mysql_query(db, sql) != 0)
417 {
418 log_error("Query user_pubinfo error: %s", mysql_error(db));
419 ret = -1;
420 goto cleanup;
421 }
422 if ((rs = mysql_store_result(db)) == NULL)
423 {
424 log_error("Get user_pubinfo data failed");
425 ret = -1;
426 goto cleanup;
427 }
428 if ((row = mysql_fetch_row(rs)))
429 {
430 life = atoi(row[0]);
431 last_login_dt = (time_t)atol(row[1]);
432
433 strncpy(BBS_user_tz, row[2], sizeof(BBS_user_tz) - 1);
434 BBS_user_tz[sizeof(BBS_user_tz) - 1] = '\0';
435
436 BBS_user_exp = atoi(row[3]);
437
438 strncpy(BBS_nickname, row[4], sizeof(BBS_nickname));
439 BBS_nickname[sizeof(BBS_nickname) - 1] = '\0';
440 }
441 else
442 {
443 ret = -1; // Data not found
444 goto cleanup;
445 }
446 mysql_free_result(rs);
447 rs = NULL;
448
449 if (life != 333 && life != 365 && life != 666 && life != 999 && // Not immortal
450 time(NULL) - last_login_dt > 60 * 60 * 24 * life)
451 {
452 ret = -3; // Dead
453 goto cleanup;
454 }
455
456 if (load_priv(db, &BBS_priv, BBS_uid) != 0)
457 {
458 ret = -1; // Data not found
459 goto cleanup;
460 }
461
462 if (last_login_dt < BBS_eula_tm)
463 {
464 ret = -2; // require update agreement first
465 goto cleanup;
466 }
467
468 cleanup:
469 mysql_free_result(rs);
470
471 return ret;
472 }
473
474 int load_guest_info(void)
475 {
476 MYSQL *db = NULL;
477 int ret = 0;
478
479 db = db_open();
480 if (db == NULL)
481 {
482 ret = -1;
483 goto cleanup;
484 }
485
486 strncpy(BBS_username, "guest", sizeof(BBS_username) - 1);
487 BBS_username[sizeof(BBS_username) - 1] = '\0';
488
489 BBS_user_exp = 0;
490
491 strncpy(BBS_nickname, "Guest", sizeof(BBS_nickname));
492 BBS_nickname[sizeof(BBS_nickname) - 1] = '\0';
493
494 if (load_priv(db, &BBS_priv, 0) != 0)
495 {
496 ret = -1;
497 goto cleanup;
498 }
499
500 if (user_online_add(db) != 0)
501 {
502 ret = -1;
503 goto cleanup;
504 }
505
506 BBS_last_access_tm = BBS_login_tm = time(NULL);
507
508 cleanup:
509 mysql_close(db);
510
511 return ret;
512 }
513
514 int user_online_add(MYSQL *db)
515 {
516 char sql[SQL_BUFFER_LEN];
517
518 snprintf(sql, sizeof(sql),
519 "INSERT INTO visit_log(dt, IP) VALUES(NOW(), '%s')",
520 hostaddr_client);
521 if (mysql_query(db, sql) != 0)
522 {
523 log_error("Add visit log error: %s", mysql_error(db));
524 return -1;
525 }
526
527 if (user_online_del(db) != 0)
528 {
529 return -2;
530 }
531
532 snprintf(sql, sizeof(sql),
533 "INSERT INTO user_online(SID, UID, ip, current_action, login_tm, last_tm) "
534 "VALUES('Telnet_Process_%d', %d, '%s', 'LOGIN', NOW(), NOW())",
535 getpid(), BBS_priv.uid, hostaddr_client);
536 if (mysql_query(db, sql) != 0)
537 {
538 log_error("Add user_online error: %s", mysql_error(db));
539 return -3;
540 }
541
542 return 0;
543 }
544
545 int user_online_del(MYSQL *db)
546 {
547 char sql[SQL_BUFFER_LEN];
548
549 snprintf(sql, sizeof(sql),
550 "DELETE FROM user_online WHERE SID = 'Telnet_Process_%d'",
551 getpid());
552 if (mysql_query(db, sql) != 0)
553 {
554 log_error("Delete user_online error: %s", mysql_error(db));
555 return -1;
556 }
557
558 return 0;
559 }
560
561 int user_online_exp(MYSQL *db)
562 {
563 char sql[SQL_BUFFER_LEN];
564
565 // +1 exp for every 5 minutes online since last logout
566 // but at most 24 hours worth of exp can be gained in Telnet session
567 snprintf(sql, sizeof(sql),
568 "UPDATE user_pubinfo SET exp = exp + FLOOR(LEAST(TIMESTAMPDIFF("
569 "SECOND, GREATEST(last_login_dt, IF(last_logout_dt IS NULL, last_login_dt, last_logout_dt)), NOW()"
570 ") / 60 / 5, 12 * 24)), last_logout_dt = NOW() "
571 "WHERE UID = %d",
572 BBS_priv.uid);
573 if (mysql_query(db, sql) != 0)
574 {
575 log_error("Update user_pubinfo error: %s", mysql_error(db));
576 return -1;
577 }
578
579 return 0;
580 }
581
582 int user_online_update(const char *action)
583 {
584 MYSQL *db = NULL;
585 char sql[SQL_BUFFER_LEN];
586
587 if ((action == NULL || strcmp(BBS_current_action, action) == 0) &&
588 time(NULL) - BBS_current_action_tm < BBS_current_action_refresh_interval) // No change
589 {
590 return 0;
591 }
592
593 if (action != NULL)
594 {
595 strncpy(BBS_current_action, action, sizeof(BBS_current_action) - 1);
596 BBS_current_action[sizeof(BBS_current_action) - 1] = '\0';
597 }
598
599 BBS_current_action_tm = time(NULL);
600
601 db = db_open();
602 if (db == NULL)
603 {
604 log_error("db_open() error: %s", mysql_error(db));
605 return -1;
606 }
607
608 snprintf(sql, sizeof(sql),
609 "UPDATE user_online SET current_action = '%s', last_tm = NOW() "
610 "WHERE SID = 'Telnet_Process_%d'",
611 BBS_current_action, getpid());
612 if (mysql_query(db, sql) != 0)
613 {
614 log_error("Update user_online error: %s", mysql_error(db));
615 return -2;
616 }
617
618 mysql_close(db);
619
620 return 1;
621 }
622
623 int user_update_agreement(void)
624 {
625 MYSQL *db = NULL;
626 char sql[SQL_BUFFER_LEN];
627 int ch;
628 int ret = 0;
629
630 clearscr();
631 moveto(2, 1);
632 prints("尊敬的用户:");
633 moveto(3, 1);
634 prints(" 本站的《用户许可协议》已更新,您必须在仔细阅读并接受后,才能继续使用本站提供的服务。");
635 press_any_key();
636
637 clearscr();
638 display_file(DATA_EULA, 1);
639
640 while (!SYS_server_exit)
641 {
642 clearscr();
643 moveto(2, 1);
644
645 ch = press_any_key_ex("您是否接受本站的《用户许可协议》? (A)接受, (D)拒绝, (R)再看看协议 [D]", 60);
646 switch (toupper(ch))
647 {
648 case KEY_NULL:
649 return -1;
650 case KEY_TIMEOUT:
651 case CR:
652 case 'D':
653 moveto(3, 1);
654 prints("您已拒绝《用户许可协议》,再见!");
655 press_any_key();
656 return 0;
657 case 'R':
658 clearscr();
659 display_file(DATA_EULA, 1);
660 continue;
661 case 'A':
662 db = db_open();
663 if (db == NULL)
664 {
665 ret = -1;
666 goto cleanup;
667 }
668
669 snprintf(sql, sizeof(sql),
670 "UPDATE user_pubinfo SET visit_count = visit_count + 1, "
671 "last_login_dt = NOW() WHERE UID = %d",
672 BBS_priv.uid);
673 if (mysql_query(db, sql) != 0)
674 {
675 log_error("Update user_pubinfo error: %s", mysql_error(db));
676 ret = -1;
677 goto cleanup;
678 }
679
680 mysql_close(db);
681 db = NULL;
682
683 moveto(3, 1);
684 prints("您已接受《用户许可协议》,请重新登陆。");
685 press_any_key();
686 return 1;
687 default:
688 continue;
689 }
690
691 break;
692 }
693
694 cleanup:
695 mysql_close(db);
696
697 return ret;
698 }
webmaster@leafok.com
 ViewVC Help
Powered by ViewVC 1.3.0-beta1