From 6e0a0e1d00e11da9b4eab2163e19314f752b05b5 Mon Sep 17 00:00:00 2001
From: Yorhel <git@yorhel.nl>
Date: Wed, 15 Oct 2014 14:20:56 +0200
Subject: Use scrypt for new password hashes

I increased the N parameter to approximate about 500ms to generate the
hash. This is quite a paranoid setting for a website, but login attempts
are throttled so there's not much of a DoS factor. (Alright, password
changing feature isn't throttled so the DoS factor still exists. But
really, there's some pages with longer page generation times anyway.)

I did lower the size of the salt a bit (Crypt::ScryptKDF uses 256 bits
by default), because 64 bits of randomness should have low enough chance
of collision with only ~100k users (even with a million users,
seriously).
---
 lib/VNDB/Handler/Users.pm | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

(limited to 'lib/VNDB/Handler/Users.pm')

diff --git a/lib/VNDB/Handler/Users.pm b/lib/VNDB/Handler/Users.pm
index bcf94fb4..804b9467 100644
--- a/lib/VNDB/Handler/Users.pm
+++ b/lib/VNDB/Handler/Users.pm
@@ -210,7 +210,6 @@ sub newpass {
       my $token;
       ($token, $o{passwd}) = $self->authPrepareReset();
       $self->dbUserEdit($u->{id}, %o);
-      #warn "$self->{url}/u$u->{id}/setpass?t=$token";
       $self->mail(mt('_newpass_mail_body', $u->{username}, "$self->{url}/u$u->{id}/setpass?t=$token"),
         To => $frm->{mail},
         From => 'VNDB <noreply@vndb.org>',
@@ -310,7 +309,6 @@ sub register {
     if(!$frm->{_err}) {
       my($token, $pass) = $self->authPrepareReset();
       my $uid = $self->dbUserAdd($frm->{usrname}, $pass, $frm->{mail});
-      warn "$self->{url}/u$uid/setpass?t=$token";
       $self->mail(mt('_register_mail_body', $frm->{usrname}, "$self->{url}/u$uid/setpass?t=$token"),
         To => $frm->{mail},
         From => 'VNDB <noreply@vndb.org>',
@@ -384,8 +382,8 @@ sub edit {
       $frm->{skin} = '' if $frm->{skin} eq $self->{skin_default};
       $self->dbUserPrefSet($uid, $_ => $frm->{$_}) for (qw|skin customcss show_nsfw hide_list |);
       my %o;
-      $o{username} = $frm->{usrname} if $frm->{usrname};
       if($self->authCan('usermod')) {
+        $o{username} = $frm->{usrname} if $frm->{usrname};
         $o{perm} = 0;
         $o{perm} |= $self->{permissions}{$_} for(@{ delete $frm->{perms} });
       }
@@ -393,9 +391,7 @@ sub edit {
       $o{passwd} = $self->authPreparePass($frm->{usrpass}) if $frm->{usrpass};
       $o{ign_votes} = $frm->{ign_votes} ? 1 : 0 if $self->authCan('usermod');
       $self->dbUserEdit($uid, %o);
-      $self->dbSessionDel($uid) if $frm->{usrpass};
-      return $self->resRedirect("/u$uid/edit?d=1", 'post') if $uid != $self->authInfo->{id} || !$frm->{usrpass};
-      return $self->authLogin($frm->{usrname}||$u->{username}, $frm->{usrpass}, "/u$uid/edit?d=1");
+      return $self->resRedirect("/u$uid/edit?d=1", 'post');
     }
   }
 
-- 
cgit v1.2.3