X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2Fpages%2FLoginPage.java;h=b19de897aa5e7b3f71f9ba122d1fb70a00938696;hp=8129715a99795b6f8f45f6b105008731af56d2ab;hb=17a15662212d973d12ed4cea3f5eaa9c0d1169ed;hpb=ac2d612bc322ee04e31b611a71765e7ae3f1dcf3

diff --git a/src/org/cacert/gigi/pages/LoginPage.java b/src/org/cacert/gigi/pages/LoginPage.java
index 8129715a..b19de897 100644
--- a/src/org/cacert/gigi/pages/LoginPage.java
+++ b/src/org/cacert/gigi/pages/LoginPage.java
@@ -13,19 +13,25 @@ import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
 import org.cacert.gigi.GigiApiException;
-import org.cacert.gigi.database.DatabaseConnection;
 import org.cacert.gigi.database.GigiPreparedStatement;
 import org.cacert.gigi.database.GigiResultSet;
+import org.cacert.gigi.dbObjects.CertificateOwner;
 import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.User;
 import org.cacert.gigi.localisation.Language;
 import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.output.template.TranslateCommand;
+import org.cacert.gigi.pages.main.RegisterPage;
 import org.cacert.gigi.util.AuthorizationContext;
 import org.cacert.gigi.util.PasswordHash;
+import org.cacert.gigi.util.RateLimit;
+import org.cacert.gigi.util.RateLimit.RateLimitException;
 import org.cacert.gigi.util.ServerConstants;
 
 public class LoginPage extends Page {
 
+    public static final RateLimit RATE_LIMIT = new RateLimit(10, 5 * 60 * 1000);
+
     public class LoginForm extends Form {
 
         public LoginForm(HttpServletRequest hsr) {
@@ -33,7 +39,10 @@ public class LoginPage extends Page {
         }
 
         @Override
-        public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
+        public boolean submit(HttpServletRequest req) throws GigiApiException {
+            if (RegisterPage.RATE_LIMIT.isLimitExceeded(req.getRemoteAddr())) {
+                throw new RateLimitException();
+            }
             tryAuthWithUnpw(req);
             return false;
         }
@@ -47,8 +56,10 @@ public class LoginPage extends Page {
 
     public static final String LOGIN_RETURNPATH = "login-returnpath";
 
-    public LoginPage(String title) {
-        super(title);
+    private static final String SUBMIT_EXCEPTION = "login-submit-exception";
+
+    public LoginPage() {
+        super("Password Login");
     }
 
     @Override
@@ -60,6 +71,13 @@ public class LoginPage extends Page {
         }
     }
 
+    @Override
+    public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        if (Form.printFormErrors(req, resp.getWriter())) {
+            Form.getForm(req, LoginForm.class).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
+        }
+    }
+
     @Override
     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
         String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
@@ -69,9 +87,8 @@ public class LoginPage extends Page {
                 tryAuthWithCertificate(req, cert);
             }
             if (req.getMethod().equals("POST")) {
-                try {
-                    Form.getForm(req, LoginForm.class).submit(resp.getWriter(), req);
-                } catch (GigiApiException e) {
+                if ( !Form.getForm(req, LoginForm.class).submitExceptionProtected(req)) {
+                    return false;
                 }
             }
         }
@@ -96,27 +113,30 @@ public class LoginPage extends Page {
         return false;
     }
 
-    private void tryAuthWithUnpw(HttpServletRequest req) {
+    private void tryAuthWithUnpw(HttpServletRequest req) throws GigiApiException {
         String un = req.getParameter("username");
         String pw = req.getParameter("password");
-        GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `password`, `id` FROM `users` WHERE `email`=? AND verified='1'");
-        ps.setString(1, un);
-        GigiResultSet rs = ps.executeQuery();
-        if (rs.next()) {
-            String dbHash = rs.getString(1);
-            String hash = PasswordHash.verifyHash(pw, dbHash);
-            if (hash != null) {
-                if ( !hash.equals(dbHash)) {
-                    GigiPreparedStatement gps = DatabaseConnection.getInstance().prepare("UPDATE `users` SET `password`=? WHERE `email`=?");
-                    gps.setString(1, hash);
-                    gps.setString(2, un);
-                    gps.executeUpdate();
+        try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT `password`, `id` FROM `users` WHERE `email`=? AND verified='1'")) {
+            ps.setString(1, un);
+            GigiResultSet rs = ps.executeQuery();
+            if (rs.next()) {
+                String dbHash = rs.getString(1);
+                String hash = PasswordHash.verifyHash(pw, dbHash);
+                if (hash != null) {
+                    if ( !hash.equals(dbHash)) {
+                        try (GigiPreparedStatement gps = new GigiPreparedStatement("UPDATE `users` SET `password`=? WHERE `email`=?")) {
+                            gps.setString(1, hash);
+                            gps.setString(2, un);
+                            gps.executeUpdate();
+                        }
+                    }
+                    loginSession(req, User.getById(rs.getInt(2)));
+                    req.getSession().setAttribute(LOGIN_METHOD, new TranslateCommand("Password"));
+                    return;
                 }
-                loginSession(req, User.getById(rs.getInt(2)));
-                req.getSession().setAttribute(LOGIN_METHOD, "Password");
             }
         }
-        rs.close();
+        throw new GigiApiException("Username and password didn't match.");
     }
 
     public static User getUser(HttpServletRequest req) {
@@ -140,7 +160,7 @@ public class LoginPage extends Page {
         loginSession(req, user);
         req.getSession().setAttribute(CERT_SERIAL, serial);
         req.getSession().setAttribute(CERT_ISSUER, x509Certificate.getIssuerDN());
-        req.getSession().setAttribute(LOGIN_METHOD, "Certificate");
+        req.getSession().setAttribute(LOGIN_METHOD, new TranslateCommand("Certificate"));
     }
 
     public static String extractSerialFormCert(X509Certificate x509Certificate) {
@@ -151,17 +171,12 @@ public class LoginPage extends Page {
         if ( !serial.matches("[A-Fa-f0-9]+")) {
             throw new Error("serial malformed.");
         }
-        GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT `memid` FROM `certs` WHERE `serial`=? AND `disablelogin`='0' AND `revoked` is NULL");
-        ps.setString(1, serial.toLowerCase());
-        GigiResultSet rs = ps.executeQuery();
-        User user = null;
-        if (rs.next()) {
-            user = User.getById(rs.getInt(1));
-        } else {
-            System.out.println("User with serial " + serial + " not found.");
+
+        CertificateOwner o = CertificateOwner.getByEnabledSerial(serial);
+        if (o == null || !(o instanceof User)) {
+            return null;
         }
-        rs.close();
-        return user;
+        return (User) o;
     }
 
     public static X509Certificate getCertificateFromRequest(HttpServletRequest req) {
@@ -173,7 +188,7 @@ public class LoginPage extends Page {
         return uc;
     }
 
-    private static final Group LOGIN_BLOCKED = Group.getByString("blockedlogin");
+    private static final Group LOGIN_BLOCKED = Group.BLOCKEDLOGIN;
 
     private void loginSession(HttpServletRequest req, User user) {
         if (user.isInGroup(LOGIN_BLOCKED)) {