Prevent login spamming from also spamming mojang auth attempts

2025-09-13 17:25:50 -04:00 · 2023-04-29 21:28:56 +10:00 · 2023-04-29 21:28:56 +10:00 · 99a4e70e27
commit 99a4e70e27
parent 5685e75a35
6 changed files with 42 additions and 12 deletions
--- a/MCGalaxy/Config/JSON.cs
+++ b/MCGalaxy/Config/JSON.cs
@ -296,6 +296,13 @@ namespace MCGalaxy.Config {
    }
    
    public static class Json {
+
+        [Obsolete("Use JsonWriter instead", true)]
+        public static void Serialise(TextWriter dst, ConfigElement[] elems, object instance) {
+            JsonConfigWriter w = new JsonConfigWriter(dst, elems);
+            w.WriteObject(instance);
+        }
+        
        /// <summary> Shorthand for serialising an object to a JSON object </summary>
        public static string SerialiseObject(object obj) {
            StringWriter dst  = new StringWriter();
--- a/MCGalaxy/Server/Authentication/LoginAuthenticator.cs
+++ b/MCGalaxy/Server/Authentication/LoginAuthenticator.cs
@ -21,6 +21,7 @@ using System.Net;
 using System.Security.Cryptography;
 using System.Text;
 using MCGalaxy.Network;
+using MCGalaxy.Util;

 namespace MCGalaxy.Authentication
 {
@ -69,17 +70,23 @@ namespace MCGalaxy.Authentication
    /// <summary> Authenticates a player using the Mojang session verification API </summary>
    public class MojangAuthenticator : LoginAuthenticator 
    {
+        static ThreadSafeCache ip_cache = new ThreadSafeCache();
        public override bool Verify(Player p, string mppass) {
            foreach (AuthService auth in AuthService.Services)
            {
-                if (Authenticate(auth, p, mppass)) return true;
+                if (!auth.Config.MojangAuth) continue;
+                if (Authenticate(auth, p)) return true;
            }
            return false;
        }
        
-        static bool Authenticate(AuthService auth, Player p, string mppass) {
-            if (!auth.Config.MojangAuth) return false;
-            if (!HasJoined(p.truename))  return false;
+        static bool Authenticate(AuthService auth, Player p) {
+            object locker = ip_cache.GetLocker(p.ip);
+            // if a player from an IP is spamming login attempts,
+            //  prevent that from spamming Mojang's authentication servers too
+            lock (locker) {
+                if (!HasJoined(p.truename)) return false;
+            }
                
            auth.AcceptPlayer(p);
            return true;
@ -111,9 +118,7 @@ namespace MCGalaxy.Authentication
            UpdateExternalIP();
            byte[] data = Encoding.UTF8.GetBytes(externalIP + ":" + Server.Config.Port);
            byte[] hash = new SHA1Managed().ComputeHash(data);
-            
-            // TODO this is bad, redo it
-            return hash.Join(b => b.ToString("x2"), "");
+            return Utils.ToHexString(hash);
        }
        
        static string externalIP;
--- a/MCGalaxy/Server/Authentication/PassAuthenticator.cs
+++ b/MCGalaxy/Server/Authentication/PassAuthenticator.cs
@ -19,7 +19,6 @@ using System;
 using System.IO;
 using System.Security.Cryptography;
 using System.Text;
-using MCGalaxy.Network;

 namespace MCGalaxy.Authentication
 {
--- a/MCGalaxy/Server/Server.cs
+++ b/MCGalaxy/Server/Server.cs
@ -366,7 +366,7 @@ namespace MCGalaxy
        public static string CalcMppass(string name, string salt) {
            byte[] hash = null;
            lock (md5Lock) hash = md5.ComputeHash(enc.GetBytes(salt + name));
-            return BitConverter.ToString(hash).Replace("-", "");
+            return Utils.ToHexString(hash);
        }
        
        /// <summary> Converts a formatted username into its original username </summary>
--- a/MCGalaxy/util/Threading/ThreadSafeCache.cs
+++ b/MCGalaxy/util/Threading/ThreadSafeCache.cs
@ -19,12 +19,14 @@ using System;
 using System.Collections.Generic;
 using MCGalaxy.Tasks;

-namespace MCGalaxy.Util {
-    public sealed class ThreadSafeCache {
+namespace MCGalaxy.Util 
+{
+    public sealed class ThreadSafeCache 
+    {
        public static ThreadSafeCache DBCache = new ThreadSafeCache();
            
        readonly object locker = new object();
-        readonly Dictionary<string, object> items = new Dictionary<string, object>();
+        readonly Dictionary<string, object> items    = new Dictionary<string, object>();
        readonly Dictionary<string, DateTime> access = new Dictionary<string, DateTime>();
        
        public object GetLocker(string key) {
--- a/MCGalaxy/util/Utils.cs
+++ b/MCGalaxy/util/Utils.cs
@ -103,5 +103,22 @@ namespace MCGalaxy {
            }
            return lines;
        }
+
+ 
+        public static string ToHexString(byte[] data) {            
+            char[] hex = new char[data.Length * 2];
+
+            for (int i = 0; i < data.Length; i++)
+            {
+                int value = data[i];
+                hex[i * 2 + 0] = HexEncode(value >> 4);
+                hex[i * 2 + 1] = HexEncode(value & 0x0F);
+            }
+            return new string(hex);
+        }
+
+        static char HexEncode(int i) {
+            return i < 10 ? (char)(i + '0') : (char)((i - 10) + 'a');
+        }
    }
 }