Merge pull request #322 from Groruk/master

Session based logins

Author: Groruk

CHANGELOG.md

@@ -9,6 +9,21 @@ Legend:
 ! = Fixed bug
 ? = Other stuff
 ```
+(04/07/17): Version 1.6.2
+-----------------------
+```
+01. ! Fixed issue with group Banning
+02. ! Fixed AmxBans import issue
+03. ! Fixed possible XSS Injection
+04. + Adjusted regex for CSGO
+05. + Added option to disable 'comms' tab
+06. ! Fixed bugs with SteamID format
+07. ! Fixed version checks
+08. ? Git version is now only shown in dev builds
+09. ! Fixed issue with email links
+10. * Added session based logins
+```
+
 (07/05/17): Version 1.6.1
 -----------------------
 ```

game/addons/sourcemod/scripting/sbpp_admcfg.sp

@@ -37,8 +37,8 @@ public Plugin myinfo =
 	name = "SourceBans++: Admin Config Loader",
 	author = "AlliedModders LLC, SourceBans++ Dev Team",
 	description = "Reads Admin Files",
-	version = "1.6.1",
-	url = "https://sbpp.sarabveer.me/"
+	version = "1.6.2",
+	url = "https://sbpp.github.io"
 };
 
 

game/addons/sourcemod/scripting/sbpp_checker.sp

@@ -26,7 +26,7 @@
 
 #include <sourcemod>
 
-#define VERSION "1.6.1"
+#define VERSION "1.6.2"
 #define LISTBANS_USAGE "sm_listsbbans <#userid|name> - Lists a user's prior bans from Sourcebans"
 #define INVALID_TARGET -1
 
@@ -42,7 +42,7 @@ public Plugin:myinfo =
 	author = "psychonic, Ca$h Munny, SourceBans++ Dev Team",
 	description = "Notifies admins of prior bans from Sourcebans upon player connect.",
 	version = VERSION,
-	url = "https://sbpp.sarabveer.me/"
+	url = "https://sbpp.github.io"
 };
 
 public OnPluginStart()

game/addons/sourcemod/scripting/sbpp_comms.sp

@@ -42,7 +42,7 @@
 // Do not edit below this line //
 //-----------------------------//
 
-#define PLUGIN_VERSION "1.6.1"
+#define PLUGIN_VERSION "1.6.2"
 #define PREFIX "\x04[SourceComms++]\x01 "
 
 #define MAX_TIME_MULTI 30 // maximum mass-target punishment length
@@ -161,7 +161,7 @@ public Plugin:myinfo =
 	author = "Alex, SourceBans++ Dev Team",
 	description = "Advanced punishments management for the Source engine in SourceBans style",
 	version = PLUGIN_VERSION,
-	url = "https://sbpp.sarabveer.me/"
+	url = "https://sbpp.github.io"
 };
 
 public APLRes:AskPluginLoad2(Handle:myself, bool:late, String:error[], err_max)

game/addons/sourcemod/scripting/sbpp_main.sp

@@ -32,8 +32,8 @@
 #include <adminmenu>
 #tryinclude <updater>
 
-#define SB_VERSION "1.6.1++"
-#define SBR_VERSION "1.6.1"
+#define SB_VERSION "1.6.2++"
+#define SBR_VERSION "1.6.2"
 
 #if defined _updater_included
 #define UPDATE_URL "https://sbpp.github.io/updater/updatefile.txt"
@@ -137,7 +137,7 @@ public Plugin:myinfo =
 	author = "SourceBans Development Team, SourceBans++ Dev Team",
 	description = "Advanced ban management for the Source engine",
 	version = SBR_VERSION,
-	url = "https://sbpp.sarabveer.me/"
+	url = "https://sbpp.github.io"
 };
 
 #if SOURCEMOD_V_MAJOR >= 1 && SOURCEMOD_V_MINOR >= 3

game/addons/sourcemod/scripting/sbpp_sleuth.sp

@@ -29,7 +29,7 @@
 #undef REQUIRE_PLUGIN
 #include <sourcebans>
 
-#define PLUGIN_VERSION "1.6.1"
+#define PLUGIN_VERSION "1.6.2"
 
 #define LENGTH_ORIGINAL 1
 #define LENGTH_CUSTOM 2
@@ -57,7 +57,7 @@ public Plugin:myinfo =
 	author = "ecca, SourceBans++ Dev Team",
 	description = "Useful for TF2 servers. Plugin will check for banned ips and ban the player.",
 	version = PLUGIN_VERSION,
-	url = "https://sbpp.sarabveer.me/"
+	url = "https://sbpp.github.io"
 };
 
 public OnPluginStart()

web/includes/CUserManager.php

@@ -38,14 +38,12 @@ class CUserManager
      * @param $password the current user's password
      * @return noreturn.
      */
-    public function __construct($aid, $password)
+    public function __construct($aid)
     {
         $this->dbh = new Database(DB_HOST, DB_PORT, DB_NAME, DB_USER, DB_PASS, DB_PREFIX);
 
-        if ($this->CheckLogin($password, $aid)) {
-            $this->aid = $aid;
-            $this->GetUserArray($aid);
-        }
+        $this->aid = $aid;
+        $this->GetUserArray($aid);
     }
 
 
@@ -63,7 +61,7 @@ public function GetUserArray($aid = null)
         }
         // Invalid aid
         if ($aid < 0 || empty($aid)) {
-            return 0;
+            return false;
         }
 
         // We already got the data from the DB, and its saved in the manager
@@ -82,7 +80,7 @@ public function GetUserArray($aid = null)
         $res = $this->dbh->single();
 
         if (!$res) {
-            return 0;  // ohnoes some type of db error
+            return false;  // ohnoes some type of db error
         }
 
         $user = array();
@@ -212,30 +210,24 @@ public function CheckLogin($password, $aid)
 
     public function login($aid, $password, $save = true)
     {
-        if ($this->CheckLogin($this->encrypt_password($password), $aid)) {
+        if ($this->CheckLogin($this->encrypt_password($password), $aid) || $this->CheckLogin($this->hash($password), $aid)) {
             //Old password hash detected update it.
             $this->dbh->query('UPDATE `:prefix_admins` SET password = :password WHERE aid = :aid');
-            $this->dbh->bind(':password', $this->hash($password));
+            $this->dbh->bind(':password', password_hash($password, PASSWORD_BCRYPT));
             $this->dbh->bind(':aid', $aid);
             $this->dbh->execute();
 
-            setcookie("aid", $aid);
-            setcookie("password", $this->hash($password));
-            setcookie("user", $_SESSION['user']['user']);
+            \SessionManager::sessionStart('login', 604800, 0);
+            $_SESSION['aid'] = $aid;
             return true;
         }
 
-        if ($this->CheckLogin($this->hash($password), $aid)) {
-            if ($save) {
-                //Sets cookies
-                setcookie("aid", $aid, time()+LOGIN_COOKIE_LIFETIME);
-                setcookie("password", $this->hash($password), time()+LOGIN_COOKIE_LIFETIME);
-                setcookie("user", isset($_SESSION['user']['user'])?$_SESSION['user']['user']:null, time()+LOGIN_COOKIE_LIFETIME);
-                return true;
-            }
-            setcookie("aid", $aid);
-            setcookie("password", $this->hash($password));
-            setcookie("user", $_SESSION['user']['user']);
+        $this->dbh->query('SELECT password FROM `:prefix_admins` WHERE aid = :aid');
+        $this->dbh->bind(':aid', $aid);
+        $hash = $this->dbh->single();
+        if (password_verify($password, $hash['password'])) {
+            \SessionManager::sessionStart('login', 604800, 0);
+            $_SESSION['aid'] = $aid;
             return true;
         }
         return false;
@@ -332,19 +324,13 @@ public function AddAdmin($name, $steam, $password, $email, $web_group, $web_flag
             throw new RuntimeException('Password must be at least ' . MIN_PASS_LENGTH . ' characters long.');
         }
         if (empty($password)) {
-            // Silently generate a token for account if there is no password set
-            // the token is required in Steam OAuth routines.
-            // Due to ugly codebase and lack of migrations we store the token as password hash.
-            // Also we use a prefix here to prevent any possible collisions with `encrypt_password` implementation.
-            $password_hash = '$token$' . $this->random_string();
-        } else {
-            $password_hash = $this->hash($password);
+            throw new RuntimeException('Password must not be empty!');
         }
         $this->dbh->query('INSERT INTO `:prefix_admins` (user, authid, password, gid, email, extraflags, immunity, srv_group, srv_flags, srv_password)
                            VALUES (:user, :authid, :password, :gid, :email, :extraflags, :immunity, :srv_group, :srv_flags, :srv_password)');
         $this->dbh->bind(':user', $name);
         $this->dbh->bind(':authid', $steam);
-        $this->dbh->bind(':password', $password_hash);
+        $this->dbh->bind(':password', password_hash($password, PASSWORD_BCRYPT));
         $this->dbh->bind(':gid', $web_group);
         $this->dbh->bind(':email', $email);
         $this->dbh->bind(':extraflags', $web_flags);