Prevent login spamming from also spamming mojang auth attempts

ClassiCube · Apr 29, 2023 · 99a4e70 · 99a4e70
1 parent 5685e75
commit 99a4e70
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 12 deletions.
diff --git a/MCGalaxy/Config/JSON.cs b/MCGalaxy/Config/JSON.cs
@@ -296,6 +296,13 @@ public class JsonConfigWriter : JsonWriter {
     }
 
     public static class Json {
+
+        [Obsolete("Use JsonWriter instead", true)]
+        public static void Serialise(TextWriter dst, ConfigElement[] elems, object instance) {
+            JsonConfigWriter w = new JsonConfigWriter(dst, elems);
+            w.WriteObject(instance);
+        }
+
         /// <summary> Shorthand for serialising an object to a JSON object </summary>
         public static string SerialiseObject(object obj) {
             StringWriter dst  = new StringWriter();

diff --git a/MCGalaxy/Server/Authentication/LoginAuthenticator.cs b/MCGalaxy/Server/Authentication/LoginAuthenticator.cs
@@ -21,6 +21,7 @@
 using System.Security.Cryptography;
 using System.Text;
 using MCGalaxy.Network;
+using MCGalaxy.Util;
 
 namespace MCGalaxy.Authentication
 {
@@ -69,17 +70,23 @@ public class MppassAuthenticator : LoginAuthenticator
     /// <summary> Authenticates a player using the Mojang session verification API </summary>
     public class MojangAuthenticator : LoginAuthenticator 
     {
+        static ThreadSafeCache ip_cache = new ThreadSafeCache();
         public override bool Verify(Player p, string mppass) {
             foreach (AuthService auth in AuthService.Services)
             {
-                if (Authenticate(auth, p, mppass)) return true;
+                if (!auth.Config.MojangAuth) continue;
+                if (Authenticate(auth, p)) return true;
             }
             return false;
         }
 
-        static bool Authenticate(AuthService auth, Player p, string mppass) {
-            if (!auth.Config.MojangAuth) return false;
-            if (!HasJoined(p.truename))  return false;
+        static bool Authenticate(AuthService auth, Player p) {
+            object locker = ip_cache.GetLocker(p.ip);
+            // if a player from an IP is spamming login attempts,
+            //  prevent that from spamming Mojang's authentication servers too
+            lock (locker) {
+                if (!HasJoined(p.truename)) return false;
+            }
 
             auth.AcceptPlayer(p);
             return true;
@@ -111,9 +118,7 @@ public class MojangAuthenticator : LoginAuthenticator
             UpdateExternalIP();
             byte[] data = Encoding.UTF8.GetBytes(externalIP + ":" + Server.Config.Port);
             byte[] hash = new SHA1Managed().ComputeHash(data);
-
-            // TODO this is bad, redo it
-            return hash.Join(b => b.ToString("x2"), "");
+            return Utils.ToHexString(hash);
         }
 
         static string externalIP;

diff --git a/MCGalaxy/Server/Authentication/PassAuthenticator.cs b/MCGalaxy/Server/Authentication/PassAuthenticator.cs
@@ -19,7 +19,6 @@
 using System.IO;
 using System.Security.Cryptography;
 using System.Text;
-using MCGalaxy.Network;
 
 namespace MCGalaxy.Authentication
 {

diff --git a/MCGalaxy/Server/Server.cs b/MCGalaxy/Server/Server.cs
@@ -366,7 +366,7 @@ public sealed partial class Server
         public static string CalcMppass(string name, string salt) {
             byte[] hash = null;
             lock (md5Lock) hash = md5.ComputeHash(enc.GetBytes(salt + name));
-            return BitConverter.ToString(hash).Replace("-", "");
+            return Utils.ToHexString(hash);
         }
 
         /// <summary> Converts a formatted username into its original username </summary>

diff --git a/MCGalaxy/util/Threading/ThreadSafeCache.cs b/MCGalaxy/util/Threading/ThreadSafeCache.cs
@@ -19,12 +19,14 @@
 using System.Collections.Generic;
 using MCGalaxy.Tasks;
 
-namespace MCGalaxy.Util {
-    public sealed class ThreadSafeCache {
+namespace MCGalaxy.Util 
+{
+    public sealed class ThreadSafeCache 
+    {
         public static ThreadSafeCache DBCache = new ThreadSafeCache();
 
         readonly object locker = new object();
-        readonly Dictionary<string, object> items = new Dictionary<string, object>();
+        readonly Dictionary<string, object> items    = new Dictionary<string, object>();
         readonly Dictionary<string, DateTime> access = new Dictionary<string, DateTime>();
 
         public object GetLocker(string key) {

diff --git a/MCGalaxy/util/Utils.cs b/MCGalaxy/util/Utils.cs
@@ -103,5 +103,22 @@ public static class Utils {
             }
             return lines;
         }
+
+
+        public static string ToHexString(byte[] data) {            
+            char[] hex = new char[data.Length * 2];
+
+            for (int i = 0; i < data.Length; i++)
+            {
+                int value = data[i];
+                hex[i * 2 + 0] = HexEncode(value >> 4);
+                hex[i * 2 + 1] = HexEncode(value & 0x0F);
+            }
+            return new string(hex);
+        }
+
+        static char HexEncode(int i) {
+            return i < 10 ? (char)(i + '0') : (char)((i - 10) + 'a');
+        }
     }
 }