From 59c14e9c0001bc7a01763ecc7d3042dcde978a1a Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Thu, 25 Feb 2021 15:39:46 +0300
Subject: api: remove base64 encoded passwords (wtf), log all authentication
 failures in userhelper

---
 classes/api.php            | 9 ++-------
 classes/handler/public.php | 2 --
 classes/logger.php         | 2 +-
 classes/userhelper.php     | 3 +++
 4 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/classes/api.php b/classes/api.php
index 3c6795327..a0ee773c1 100755
--- a/classes/api.php
+++ b/classes/api.php
@@ -68,20 +68,15 @@ class API extends Handler {
 
 		$login = clean($_REQUEST["user"]);
 		$password = clean($_REQUEST["password"]);
-		$password_base64 = base64_decode(clean($_REQUEST["password"]));
 
 		if (Config::get(Config::SINGLE_USER_MODE)) $login = "admin";
 
 		if ($uid = UserHelper::find_user_by_login($login)) {
 			if (get_pref(Prefs::ENABLE_API_ACCESS, $uid)) {
-				if (UserHelper::authenticate($login, $password, false,  Auth_Base::AUTH_SERVICE_API)) {               // try login with normal password
+				if (UserHelper::authenticate($login, $password, false,  Auth_Base::AUTH_SERVICE_API)) {
 					$this->_wrap(self::STATUS_OK, array("session_id" => session_id(),
 						"api_level" => self::API_LEVEL));
-				} else if (UserHelper::authenticate($login, $password_base64, false, Auth_Base::AUTH_SERVICE_API)) { // else try with base64_decoded password
-					$this->_wrap(self::STATUS_OK,	array("session_id" => session_id(),
-						"api_level" => self::API_LEVEL));
-				} else {                                                         // else we are not logged in
-					user_error("Failed login attempt for $login from " . UserHelper::get_user_ip(), E_USER_WARNING);
+				} else {
 					$this->_wrap(self::STATUS_ERR, array("error" => self::E_LOGIN_ERROR));
 				}
 			} else {
diff --git a/classes/handler/public.php b/classes/handler/public.php
index bf0160db6..6ab9d7285 100755
--- a/classes/handler/public.php
+++ b/classes/handler/public.php
@@ -395,8 +395,6 @@ class Handler_Public extends Handler {
 
 				if (!isset($_SESSION["login_error_msg"]))
 					$_SESSION["login_error_msg"] = __("Incorrect username or password");
-
-				user_error("Failed login attempt for $login from " . UserHelper::get_user_ip(), E_USER_WARNING);
 			}
 
 			$return = clean($_REQUEST['return']);
diff --git a/classes/logger.php b/classes/logger.php
index 6cc33314d..c917182c1 100755
--- a/classes/logger.php
+++ b/classes/logger.php
@@ -57,7 +57,7 @@ class Logger {
 		}
 	}
 
-	public static function get() {
+	public static function get() : Logger {
 		if (self::$instance == null)
 			self::$instance = new self();
 
diff --git a/classes/userhelper.php b/classes/userhelper.php
index 8d9d483a8..0698f6beb 100644
--- a/classes/userhelper.php
+++ b/classes/userhelper.php
@@ -46,6 +46,9 @@ class UserHelper {
 				return true;
 			}
 
+			if (!$user_id)
+				Logger::get()->log(E_USER_WARNING, "Failed login attempt for $login (service: $service) from " . UserHelper::get_user_ip());
+
 			return false;
 
 		} else {
-- 
cgit v1.2.3