From d782d62b3468d27a6e3b0dbfd6a71236a7952e69 Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Tue, 29 May 2018 16:46:38 +0800
Subject: [PATCH 1/2] Add logging messages in WebUI login action

---
 src/webui/api/authcontroller.cpp | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/src/webui/api/authcontroller.cpp b/src/webui/api/authcontroller.cpp
index e2422c6f8..ff80c25e3 100644
--- a/src/webui/api/authcontroller.cpp
+++ b/src/webui/api/authcontroller.cpp
@@ -30,6 +30,7 @@
 #include
+#include "base/logger.h"
 #include "base/preferences.h"
 #include "base/utils/string.h"
 #include "apierror.h"
@@ -45,29 +46,39 @@ void AuthController::loginAction()
 return;
 }
- if (isBanned())
+ const QString clientAddr {sessionManager()->clientId()};
+ const QString usernameFromWeb {params()["username"]};
+ const QString passwordFromWeb {params()["password"]};
+
+ if (isBanned()) {
+ LogMsg(tr("WebAPI login failure. Reason: IP has been banned, IP: %1, username: %2") .arg(clientAddr, usernameFromWeb) , Log::WARNING);
 throw APIError(APIErrorType::AccessDenied , tr("Your IP address has been banned after too many failed authentication attempts."));
-
- QCryptographicHash md5(QCryptographicHash::Md5);
- md5.addData(params()["password"].toLocal8Bit());
- QString pass = md5.result().toHex();
+ }
 const QString username {Preferences::instance()->getWebUiUsername()};
 const QString password {Preferences::instance()->getWebUiPassword()};
- const bool equalUser = Utils::String::slowEquals(params()["username"].toUtf8(), username.toUtf8());
- const bool equalPass = Utils::String::slowEquals(pass.toUtf8(), password.toUtf8());
+ QCryptographicHash md5(QCryptographicHash::Md5);
+ md5.addData(passwordFromWeb.toLocal8Bit());
+ const QString passwordFromWebHashed = md5.result().toHex();
+
+ const bool equalUser = Utils::String::slowEquals(usernameFromWeb.toUtf8(), username.toUtf8());
+ const bool equalPass = Utils::String::slowEquals(passwordFromWebHashed.toUtf8(), password.toUtf8());
 if (equalUser && equalPass) {
 sessionManager()->sessionStart();
 setResult(QLatin1String("Ok."));
+ LogMsg(tr("WebAPI login success. IP: %1").arg(clientAddr));
 }
 else {
- QString addr = sessionManager()->clientId();
 increaseFailedAttempts();
- qDebug("client IP: %s (%d failed attempts)", qUtf8Printable(addr), failedAttemptsCount());
 setResult(QLatin1String("Fails."));
+ LogMsg(tr("WebAPI login failure. Reason: invalid credentials, attempt count: %1, IP: %2, username: %3") .arg(QString::number(failedAttemptsCount()), clientAddr, usernameFromWeb) , Log::WARNING);
 }
 }
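Review bot: Both new failure-path LogMsg() calls write `usernameFromWeb`, a raw request parameter, into the application log verbatim, so any client can place arbitrary text (line breaks, very long strings, text that mimics another log entry) into the log; sanitize it before logging, e.g. truncate it to a fixed length, strip control characters, and log it quoted so an injected value cannot pass for a genuine entry. The same question applies to `clientAddr` only if sessionManager()->clientId() is not already a parsed address value — worth confirming in the session manager. Minor: the success message records the IP but not the account, so correlating a success with the failures that preceded it relies on the IP alone; once the value is sanitized, `LogMsg(tr("WebAPI login success. IP: %1, username: %2").arg(clientAddr, usernameFromWeb));` would make the two lines symmetric.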
From 5c72a52ea2ef9448b694922086a18809b23f1b56 Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Tue, 29 May 2018 16:52:22 +0800
Subject: [PATCH 2/2] Reset WebUI ban counter on login success

---
 src/webui/api/authcontroller.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/webui/api/authcontroller.cpp b/src/webui/api/authcontroller.cpp
index ff80c25e3..1291f98a5 100644
--- a/src/webui/api/authcontroller.cpp
+++ b/src/webui/api/authcontroller.cpp
@@ -69,6 +69,8 @@ void AuthController::loginAction()
 const bool equalPass = Utils::String::slowEquals(passwordFromWebHashed.toUtf8(), password.toUtf8());
 if (equalUser && equalPass) {
+ m_clientFailedLogins.remove(clientAddr);
+
 sessionManager()->sessionStart();
 setResult(QLatin1String("Ok."));
 LogMsg(tr("WebAPI login success. IP: %1").arg(clientAddr));
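Review bot: The new `m_clientFailedLogins.remove(clientAddr);` carries no comment explaining its purpose, and nothing in the hunk shows that `clientAddr` is the same key that increaseFailedAttempts() and isBanned() use; if those helpers derive their key differently, the reset would silently miss and the client would stay one attempt closer to a ban. Suggest a one-line comment, `// a successful login clears this client's failed-attempt record so the ban counter restarts from zero`, and, if a counterpart to increaseFailedAttempts() exists, routing the reset through it so the ban bookkeeping stays in one place. loginAction() continues outside the hunk.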