implement token verification

2025-12-13 07:25:03 +01:00 · 2022-08-04 10:51:31 +10:00
parent bf851b5c67
commit ed11b5ced9
3 changed files with 14 additions and 13 deletions
--- a/config.json
+++ b/config.json
@@ -17,6 +17,7 @@
    "TournamentEvent": 0,
    "MezFesEvent": true,
    "DisableMailItems": true,
+    "DisableTokenCheck": false,
    "SaveDumps": {
      "Enabled": true,
      "OutputDir": "savedata"
--- a/config/config.go
+++ b/config/config.go
@@ -36,6 +36,7 @@ type DevModeOptions struct {
 	FestaEvent          int    // Hunter's Festa event status
 	TournamentEvent     int    // VS Tournament event status
 	MezFesEvent         bool   // MezFes status
+	DisableTokenCheck   bool   // Disables checking login token exists in the DB (security risk!)
 	DisableMailItems    bool   // Hack to prevent english versions of MHF from crashing
 	SaveDumps           SaveDumpOptions
 }
--- a/server/channelserver/handlers.go
+++ b/server/channelserver/handlers.go
@@ -135,19 +135,18 @@ func handleMsgSysTerminalLog(s *Session, p mhfpacket.MHFPacket) {
 func handleMsgSysLogin(s *Session, p mhfpacket.MHFPacket) {
 	pkt := p.(*mhfpacket.MsgSysLogin)

-	rights := uint32(0x0E)
-	// 0e with normal sub 4e when having premium
-	// 01 = Character can take quests at allows
-	// 02 = Hunter Life, normal quests core sub
-	// 03 = Extra Course, extra quests, town boxes, QOL course, core sub
-	// 06 = Premium Course, standard 'premium' which makes ranking etc. faster
-	// 06 0A 0B = Boost Course, just actually 3 subs combined
-	// 08 09 1E = N Course, gives you the benefits of being in a netcafe (extra quests, N Points, daily freebies etc.) minimal and pointless
-	// 0C = N Boost course, ultra luxury course that ruins the game if in use
-	err := s.server.db.QueryRow("SELECT rights FROM users u INNER JOIN characters c ON u.id = c.user_id WHERE c.id = $1", pkt.CharID0).Scan(&rights)
+	if s.server.erupeConfig.DevMode && !s.server.erupeConfig.DevModeOptions.DisableTokenCheck {
+		var token string
+		err := s.server.db.QueryRow("SELECT token FROM sign_sessions WHERE token=$1", pkt.LoginTokenString).Scan(&token)
 		if err != nil {
-		panic(err)
+			s.rawConn.Close()
+			s.logger.Warn(fmt.Sprintf("Invalid login token, offending CID: (%d)", pkt.CharID0))
+			return
 		}
+	}
+
+	rights := uint32(0x0E)
+	s.server.db.QueryRow("SELECT rights FROM users u INNER JOIN characters c ON u.id = c.user_id WHERE c.id = $1", pkt.CharID0).Scan(&rights)

 	s.Lock()
 	s.charID = pkt.CharID0
@@ -157,7 +156,7 @@ func handleMsgSysLogin(s *Session, p mhfpacket.MHFPacket) {
 	bf := byteframe.NewByteFrame()
 	bf.WriteUint32(uint32(Time_Current_Adjusted().Unix())) // Unix timestamp

-	_, err = s.server.db.Exec("UPDATE servers SET current_players=$1 WHERE server_id=$2", len(s.server.sessions), s.server.ID)
+	_, err := s.server.db.Exec("UPDATE servers SET current_players=$1 WHERE server_id=$2", len(s.server.sessions), s.server.ID)
 	if err != nil {
 		panic(err)
 	}