Challenge-Response Authentication

2026-04-14 20:40:49 +08:00 · 2025-04-05 15:38:40 +07:00
parent bd9b4d7e1d
commit 97dc956c20
28 changed files with 538 additions and 329 deletions
--- a/public/takelogin.php
+++ b/public/takelogin.php
@@ -1,7 +1,7 @@
 <?php
 require_once("../include/bittorrent.php");
 header("Content-Type: text/html; charset=utf-8");
-if (!mkglobal("username:password"))
+if (!mkglobal("username"))
 	die();
 dbconn();
 require_once(get_langfile_path("", false, get_langfolder_cookie()));
@@ -14,15 +14,30 @@ function bark($text = "")
  $text =  ($text == "" ? $lang_takelogin['std_login_fail_note'] : $text);
  stderr($lang_takelogin['std_login_fail'], $text,false);
 }
-if ($iv == "yes")
-	check_code ($_POST['imagehash'], $_POST['imagestring'],'login.php',true);
-$res = sql_query("SELECT id, passhash, secret, enabled, status, two_step_secret, lang FROM users WHERE username = " . sqlesc($username));
+if ($iv == "yes") {
+    check_code ($_POST['imagehash'], $_POST['imagestring'],'login.php',true);
+}
+//同时支持新旧两种登录方式
+$useChallengeResponse = \App\Models\Setting::getIsUseChallengeResponseAuthentication();
+if ($useChallengeResponse) {
+    if (empty($_POST['response'])) {
+        failedlogins("Require response parameter.");
+    }
+} else {
+    if (empty($_POST['password'])) {
+        failedlogins("Require password parameter.");
+    }
+}
+
+$res = sql_query("SELECT id, passhash, secret, auth_key, enabled, status, two_step_secret, lang FROM users WHERE username = " . sqlesc($username));
 $row = mysql_fetch_array($res);

 if (!$row)
 	failedlogins();
 if ($row['status'] == 'pending')
 	failedlogins($lang_takelogin['std_user_account_unconfirmed']);
+if ($row["enabled"] == "no")
+    bark($lang_takelogin['std_account_disabled']);

 if (!empty($row['two_step_secret'])) {
    if (empty($_POST['two_step_code'])) {
@@ -34,72 +49,64 @@ if (!empty($row['two_step_secret'])) {
    }
 }
 $log = "user: {$row['id']}, ip: $ip";
-if ($row["passhash"] != md5($row["secret"] . $password . $row["secret"])) {
+$update = [];
+if ($useChallengeResponse) {
+    $challenge = \Nexus\Database\NexusDB::cache_get(get_challenge_key($username));
+    if (empty($challenge)) {
+        failedlogins("expired");
+    }
+    $log .= ", useChallengeResponse, client response: " . $_POST['response'];
+} else {
+    $passwordHash = hash('sha256', $row['secret'] . hash('sha256', $_POST['password']));
+    $log .= ", !useChallengeResponse, passwordHash: $passwordHash";
+    if (empty($row['auth_key'])) {
+        //先使用旧的验证方式验证
+        if ($row["passhash"] != md5($row["secret"] . $_POST['password'] . $row["secret"])) {
+            do_log("$log, md5 not equal");
+            login_failedlogins();
+        }
+        $log .= ", no auth_key, upgrade to challenge response";
+        //自动升级为新的验证方式
+        $update['passhash'] = $row['passhash'] = $passwordHash;
+    }
+    //后端自动生成挑战响应
+    $challenge = mksecret();
+    $_POST['response'] = hash_hmac('sha256', $passwordHash, $challenge);
+    $log .= ", server generate response: " . $_POST['response'];
+}
+$expectedResponse = hash_hmac('sha256', $row['passhash'], $challenge);
+$log .= ", expectedResponse: $expectedResponse";
+if (!hash_equals($expectedResponse, $_POST["response"])) {
+    do_log("$log, !hash_equals");
    login_failedlogins();
 }
-
+\Nexus\Database\NexusDB::cache_del(get_challenge_key($username));
+do_log("$log, login successful");
 $userRep = new \App\Repositories\UserRepository();
 $userRep->saveLoginLog($row['id'], $ip, 'Web', true);

-if ($row["enabled"] == "no")
-	bark($lang_takelogin['std_account_disabled']);
-
-if (isset($_POST["securelogin"]) && $_POST["securelogin"] == "yes")
-{
-	$securelogin_indentity_cookie = true;
-    /**
-     * Not IP related
-     * @since 1.8.0
-     */
-//	$passh = md5($row["passhash"].$ip);
-	$passh = md5($row["passhash"]);
-	$log .= ", secure login == yeah, passhash: {$row['passhash']}, ip: $ip, md5: $passh";
-}
-else
-{
-	$securelogin_indentity_cookie = false;
-	$passh = md5($row["passhash"]);
-    $log .= ",  passhash: {$row['passhash']}, md5: $passh";
-}
-
-if ($securelogin=='yes' || (isset($_POST["ssl"]) && $_POST["ssl"] == "yes"))
-{
-	$pprefix = "https://";
-	$ssl = true;
-}
-else
-{
-	$pprefix = "http://";
-	$ssl = false;
-}
-if ($securetracker=='yes' || (isset($_POST["trackerssl"] ) && $_POST["trackerssl"] == "yes"))
-{
-	$trackerssl = true;
-}
-else
-{
-	$trackerssl = false;
-}
-
-do_log($log);
-
 //update user lang
 $language = \App\Models\Language::query()->where("site_lang_folder", get_langfolder_cookie())->first();
+
 if ($language && $language->id != $row["lang"]) {
    do_log(sprintf("update user: %s lang: %s => %s", $row["id"], $row["lang"], $language->id));
-    \App\Models\User::query()->where("id", $row["id"])->update(["lang" => $language->id]);
+    $update["lang"] = $language->id;
+}
+if (empty($row['auth_key'])) {
+    $row['auth_key'] = $update['auth_key'] = hash('sha256', mksecret(32));
+}
+if (!empty($update)) {
+    \App\Models\User::query()->where("id", $row["id"])->update($update);
    clear_user_cache($row["id"]);
 }

 if (isset($_POST["logout"]) && $_POST["logout"] == "yes")
 {
-	logincookie($row["id"], $passh,1,900,$securelogin_indentity_cookie, $ssl, $trackerssl);
-	//sessioncookie($row["id"], $passh,true);
+	logincookie($row["id"], $row['auth_key'],900);
 }
 else
 {
-	logincookie($row["id"], $passh,1,get_setting('system.cookie_valid_days', 365) * 86400,$securelogin_indentity_cookie, $ssl, $trackerssl);
-	//sessioncookie($row["id"], $passh,false);
+    logincookie($row["id"], $row['auth_key']);
 }

 if (!empty($_POST["returnto"]))