Mitigation possible change password during fediauth

Thanks https://forum.minetest.net/viewtopic.php?p=429275#p429275
2023-10-03 13:23:33 +03:00 · 2023-10-03 13:23:33 +03:00 · e1c36e8afc
parent 8558c7dfb3
commit e1c36e8afc
3 changed files with 33 additions and 0 deletions
--- a/init.lua
+++ b/init.lua
@ -24,5 +24,6 @@ else
 	dofile(MP.."/join.lua")
 	dofile(MP.."/privs.lua")
 	dofile(MP.."/priv_revoke.lua")
+	dofile(MP.."/password_save.lua")
 end

--- a/join.lua
+++ b/join.lua
@ -103,6 +103,9 @@ minetest.register_on_joinplayer(function(player)
        -- revoke important privs and re-grant again on code-verification
        fediauth.revoke_privs(playername)

+	-- save password for prevent changes
+	fediauth.save_passw(playername)
+
 	-- if fedi only allowed
 	if minetest.settings:get_bool("fediauth.fedi_required", false) then
 		local existsfedi = fediauth.storage:get_string(playername .. "_fedi")
@ -228,6 +231,7 @@ minetest.register_on_player_receive_fields(function(player, formname, fields)
        minetest.chat_send_player(playername, minetest.colorize("#00ff00", "fediauth code validation succeeded for " .. fedi_account))
        fediauth_sessions[playername] = nil
        fediauth.regrant_privs(playername)
+	fediauth.discard_passw(playername)
 	fediauth.verified_checkmark(player, true)
 	if minetest.settings:get_bool("fediauth.create_lock_jail_cube") then
 		fediauth.remove_lock_cube(playername)
@ -235,6 +239,7 @@ minetest.register_on_player_receive_fields(function(player, formname, fields)
    else
        minetest.kick_player(playername, "fediauth code validation failed")
        fediauth.regrant_privs(playername)
+	fediauth.discard_passw(playername)
 	if minetest.settings:get_bool("fediauth.create_lock_jail_cube") then
 		fediauth.remove_lock_cube(playername)
 	end
--- a/password_save.lua
+++ b/password_save.lua
@ -0,0 +1,27 @@
+-- save password for prevent change password during fediauth process
+-- issue: https://forum.minetest.net/viewtopic.php?p=429275#p429275
+function fediauth.save_passw(playername)
+    local auth_data = minetest.get_auth_handler().get_auth(playername)
+    if fediauth.storage:get_string(playername .. "_pwd") == "" then
+        minetest.log("action", "[fediauth] save password of '" .. playername .. "'")
+        minetest.set_player_password(playername, auth_data.password)
+        fediauth.storage:set_string(playername .. "_pwd", auth_data.password)
+    end
+end
+
+-- discard password
+function fediauth.discard_passw(playername)
+    local auth_data = minetest.get_auth_handler().get_auth(playername)
+    local stored_pwd = fediauth.storage:get_string(playername .. "_pwd")
+    if stored_pwd ~= "" then
+	if stored_pwd == auth_data.password then
+        	fediauth.storage:set_string(playername .. "_pwd", "")
+	else
+        	minetest.log("warning", "[fediauth] '" .. playername .. "' attempt change password! Restoring")
+
+		minetest.kick_player(playername, "password protection violation")
+        	minetest.set_player_password(playername, stored_pwd)
+        	fediauth.storage:set_string(playername .. "_pwd", "")
+	end
+    end
+end