improved checks for input fedi handle and support instances restrictions

localhost_frssoft 2023-09-29 03:50:39 +03:00
parent 51b89003f6
commit 6b95a65a08
4 changed files with 45 additions and 10 deletions


@ -228,7 +228,17 @@ function fediauth.give_code(secret_b32, time)
return codeseq return codeseq
end end
function fediauth.str_repeats(s,c) function fediauth.check_for_restricted_instance(domain)
local _,n = s:gsub(c,"") local restricted_instances = minetest.settings:get("fediauth.restricted_instances") or {}
return n if type(restricted_instances) == "string" then
restricted_instances = restricted_instances:split(",")
end
for _, instance in ipairs(restricted_instances) do
if instance == domain then
minetest.log("action", "[fediauth] domain restricted: '" .. domain .. "'")
return true
end
end
return false
end end
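Review bot: The comparison on the `if instance == domain then` line is exact and case-sensitive, so a handle ending in `Example.com` or a list entry written with a space after the comma (`example.com, another.example.com`) is not matched, and the restriction is bypassed; hostnames are case-insensitive, so both sides should be normalised before comparing. Something like `if instance:trim():lower() == domain:lower() then` would close that gap (Minetest's builtin string helpers appear to provide `trim`; if this server's engine version does not, `instance:match("^%s*(.-)%s*$")` does the same). The match is also host-exact, so a restricted `example.com` does not cover `sub.example.com`; if that is intended, a comment on the function would spare the next reader the question, e.g. `-- Exact-host match only; subdomains of a restricted instance are not covered.`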


@ -124,11 +124,22 @@ minetest.register_on_player_receive_fields(function(player, formname, fields)
-- check for new player or doesn't have fedi account -- check for new player or doesn't have fedi account
if fields.fediverse_account_url then if fields.fediverse_account_url then
-- basic prevent mention spam and limit length -- basic prevent mention spam and limit length
if not string.starts(fields.fediverse_account_url, "@") or string.len(fields.fediverse_account_url) < 3 or string.len(fields.fediverse_account_url) > 100 or fediauth.str_repeats(fields.fediverse_account_url, "@") > 2 then if not string.starts(fields.fediverse_account_url, "@") or string.len(fields.fediverse_account_url) < 3 or string.len(fields.fediverse_account_url) > 100 then
minetest.chat_send_player(playername, minetest.colorize("#ff0000", "Try again, your input is incorrect")) minetest.chat_send_player(playername, minetest.colorize("#ff0000", "Try again, your input is incorrect"))
minetest.show_formspec(playername, FORMNAMEFEDI, formspecfediadd) minetest.show_formspec(playername, FORMNAMEFEDI, formspecfediadd)
return return
end end
fedihandle = fields.fediverse_account_url:split("@")
if #fedihandle ~= 2 then
minetest.chat_send_player(playername, minetest.colorize("#ff0000", "Incorrect format"))
minetest.show_formspec(playername, FORMNAMEFEDI, formspecfediadd)
return
end
if fediauth.check_for_restricted_instance(fedihandle[2]) then
minetest.chat_send_player(playername, minetest.colorize("#ff0000", fedihandle[2] .. "has restricted, try another..."))
minetest.show_formspec(playername, FORMNAMEFEDI, formspecfediadd)
return
end
local secret_b32 = fediauth.get_player_secret_b32(playername) local secret_b32 = fediauth.get_player_secret_b32(playername)
local codeseq = fediauth.give_code(secret_b32) local codeseq = fediauth.give_code(secret_b32)
fediauth.send_code(codeseq[1], fields.fediverse_account_url) fediauth.send_code(codeseq[1], fields.fediverse_account_url)
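Review bot: `fedihandle = fields.fediverse_account_url:split("@")` assigns a global rather than a local, so the parsed handle of whichever player submitted last is shared across callbacks and with the identical handler in the other file of this commit; it should be `local fedihandle = fields.fediverse_account_url:split("@")`. The domain part is then handed to the restriction check and, via the raw string, to `send_code` without ever being validated as a hostname, so a value with spaces or punctuation (up to the 100-byte limit) still reaches the mention and never matches a list entry; a character-class check such as `if #fedihandle ~= 2 or not fedihandle[2]:match("^[%w%-%.]+$") then` in place of the bare count check would reject it and give the restricted list a canonical value to compare against. Whether `split` drops empty pieces (so `@user@@host` passes the count check) depends on the engine's implementation and is worth confirming, since the old `str_repeats` guard that caught this was removed here. The enclosing register_on_player_receive_fields callback starts and ends outside this hunk.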


@ -41,10 +41,20 @@ minetest.register_on_player_receive_fields(function(player, formname, fields)
if fields.fediverse_account_url then if fields.fediverse_account_url then
local playername = player:get_player_name() local playername = player:get_player_name()
-- basic prevent mention spam and limit length
if not string.starts(fields.fediverse_account_url, "@") or string.len(fields.fediverse_account_url) < 3 or string.len(fields.fediverse_account_url) > 100 then if not string.starts(fields.fediverse_account_url, "@") or string.len(fields.fediverse_account_url) < 3 or string.len(fields.fediverse_account_url) > 100 then
minetest.chat_send_player(playername, minetest.colorize("#ff0000", "Try again, your input is incorrect")) minetest.chat_send_player(playername, minetest.colorize("#ff0000", "Try again, your input is incorrect"))
return return
end end
fedihandle = fields.fediverse_account_url:split("@")
if #fedihandle ~= 2 then
minetest.chat_send_player(playername, minetest.colorize("#ff0000", "Incorrect format"))
return
end
if fediauth.check_for_restricted_instance(fedihandle[2]) then
minetest.chat_send_player(playername, minetest.colorize("#ff0000", fedihandle[2] .. "has restricted, try another..."))
return
end
local secret_b32 = fediauth.get_player_secret_b32(playername) local secret_b32 = fediauth.get_player_secret_b32(playername)
local codeseq = fediauth.give_code(secret_b32) local codeseq = fediauth.give_code(secret_b32)
fediauth.send_code(codeseq[1], fields.fediverse_account_url) fediauth.send_code(codeseq[1], fields.fediverse_account_url)
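Review bot: The rejection message on the `fedihandle[2] .. "has restricted, try another..."` line is concatenated without a separating space and with the wrong verb, so the player sees `example.comhas restricted, try another...`; it should read `fedihandle[2] .. " is restricted, try another..."` (the same message appears in the other form handler of this commit). This validation sequence — prefix/length check, split into two parts, restricted-instance check — is now duplicated verbatim in two files, which is how the two copies will drift; a single helper such as `fediauth.parse_handle(handle)` returning either the `{user, domain}` pair or `nil, reason` would let both callers share it. `fedihandle` is also assigned here without `local`, so it leaks into the global environment. The enclosing register_on_player_receive_fields callback starts and ends outside this hunk.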


@ -7,3 +7,7 @@ fediauth.api_token (Token for account) string
# If no fediverse account - no access to server # If no fediverse account - no access to server
fediauth.fedi_required (Require Fediverse account for each user) bool false fediauth.fedi_required (Require Fediverse account for each user) bool false
# Useful if remote instance blocked on service account server or any other reasons
# Separated by comma
fediauth.restricted_instances (Restrict instance domains) string example.com,another.example.com,
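Review bot: The trailing field of a settingtypes.txt entry is presumably the default value, so `example.com,another.example.com,` as written ships as an active restriction list rather than an illustration; if the intent is "no restrictions unless the admin configures some", the default should be empty and the example moved into the comment, e.g. `# Example: example.com,another.example.com` above `fediauth.restricted_instances (Restrict instance domains) string`. The trailing comma also produces an empty entry under a split that keeps empty pieces, which is harmless only if the engine's `split` drops them — worth confirming. Stating in the comment that matching is by exact host would also tell admins that listing `example.com` does not cover its subdomains.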