Merge pull request #9009 from Chocobo1/login

Add logging messages in WebUI login action
2025-01-11 15:27:54 +00:00 · 2018-06-03 19:47:05 +08:00 · 2018-06-03 19:47:05 +08:00 · c4e4e7432d
commit c4e4e7432d
parent 658702dcbb 5c72a52ea2
1 changed files with 22 additions and 9 deletions
--- a/src/webui/api/authcontroller.cpp
+++ b/src/webui/api/authcontroller.cpp
@ -30,6 +30,7 @@
 #include <QCryptographicHash>
 #include "base/logger.h"
 #include "base/preferences.h"
 #include "base/utils/string.h"
 #include "apierror.h"
@ -45,29 +46,41 @@ void AuthController::loginAction()
        return;
    }
-    if (isBanned())
+    const QString clientAddr {sessionManager()->clientId()};
    const QString usernameFromWeb {params()["username"]};
    const QString passwordFromWeb {params()["password"]};
    if (isBanned()) {
        LogMsg(tr("WebAPI login failure. Reason: IP has been banned, IP: %1, username: %2")
                .arg(clientAddr, usernameFromWeb)
            , Log::WARNING);
        throw APIError(APIErrorType::AccessDenied
                       , tr("Your IP address has been banned after too many failed authentication attempts."));
-
+    }
    QCryptographicHash md5(QCryptographicHash::Md5);
    md5.addData(params()["password"].toLocal8Bit());
    QString pass = md5.result().toHex();
    const QString username {Preferences::instance()->getWebUiUsername()};
    const QString password {Preferences::instance()->getWebUiPassword()};
-    const bool equalUser = Utils::String::slowEquals(params()["username"].toUtf8(), username.toUtf8());
+    QCryptographicHash md5(QCryptographicHash::Md5);
-    const bool equalPass = Utils::String::slowEquals(pass.toUtf8(), password.toUtf8());
+    md5.addData(passwordFromWeb.toLocal8Bit());
    const QString passwordFromWebHashed = md5.result().toHex();
    const bool equalUser = Utils::String::slowEquals(usernameFromWeb.toUtf8(), username.toUtf8());
    const bool equalPass = Utils::String::slowEquals(passwordFromWebHashed.toUtf8(), password.toUtf8());
    if (equalUser && equalPass) {
        m_clientFailedLogins.remove(clientAddr);
        sessionManager()->sessionStart();
        setResult(QLatin1String("Ok."));
        LogMsg(tr("WebAPI login success. IP: %1").arg(clientAddr));
    }
    else {
        QString addr = sessionManager()->clientId();
        increaseFailedAttempts();
        qDebug("client IP: %s (%d failed attempts)", qUtf8Printable(addr), failedAttemptsCount());
        setResult(QLatin1String("Fails."));
        LogMsg(tr("WebAPI login failure. Reason: invalid credentials, attempt count: %1, IP: %2, username: %3")
                .arg(QString::number(failedAttemptsCount()), clientAddr, usernameFromWeb)
            , Log::WARNING);
    }
 }