public void OnValidateUser(Client client, string username, string password, string fingerprint) { if (debug) { Output.Write(new Message() { Text = string.Format("Client [{0}] requested login validation with the following credentials:", client.Id), AddBreak = true }); Output.Write(new Message() { Text = string.Format("Username: {0}\nPassword: {1}\nFingerprint: {2}", username, password, fingerprint), AddBreak = true }); } // Check if username / password exist using (SqlConnection sqlCon = Database.Connection) { SqlCommand sqlCmd = new SqlCommand(); sqlCmd.Connection = sqlCon; sqlCmd.CommandText = string.Format("SELECT account_id FROM dbo.{0} WHERE login_name = @name AND password = @password", OPT.GetString("db.auth.table.alias")); sqlCmd.Parameters.Add("@name", SqlDbType.NVarChar).Value = username; sqlCmd.Parameters.Add("@password", SqlDbType.NVarChar).Value = PasswordCipher.CreateHash(OPT.GetString("md5.key"), password); if (debug) { Output.Write(new Message() { Text = "\t-Checking for Account..." }); } object result = Database.ExecuteStatement(sqlCmd, 1); if (debug) { Output.Write(new Message() { Text = ((int)result > 0) ? "[FOUND]" : "[NOT FOUND]", AddBreak = true }); } if ((int)result > 0) // Account exists { int account_id = (int)result; if (debug) { Output.Write(new Message() { Text = "\t-Checking Account ban status..." }); } // Check if account is banned sqlCmd.CommandText = string.Format("SELECT ban FROM dbo.{0} WHERE login_name = @name AND password = @password", OPT.GetString("db.auth.table.alias")); result = Database.ExecuteStatement(sqlCmd, 1); if (debug) { Output.Write(new Message() { Text = ((int)result == 0) ? "[NOT BANNED]" : "[BANNED]", AddBreak = true }); } if ((int)result == 0) // Account is not banned { if (debug) { Output.Write(new Message() { Text = "\t-Checking for FingerPrint..." }); } // Check for fingerprint sqlCmd.CommandText = "SELECT COUNT(account_id) FROM dbo.FingerPrint WHERE account_id = @account_id"; sqlCmd.Parameters.Clear(); sqlCmd.Parameters.Add("@account_id", SqlDbType.Int).Value = account_id; result = Database.ExecuteStatement(sqlCmd, 1); if (debug) { Output.Write(new Message() { Text = ((int)result == 1) ? "[FOUND]" : "[NOT FOUND]", AddBreak = true }); } if ((int)result == 1) // FingerPrint exists { if (debug) { Output.Write(new Message() { Text = "\t-Checking FingerPrint ban status..." }); } // Check if FingerPrint is banned sqlCmd.CommandText = "SELECT ban FROM dbo.FingerPrint WHERE account_id = @account_id"; result = Database.ExecuteStatement(sqlCmd, 1); if (debug) { Output.Write(new Message() { Text = ((int)result == 0) ? "[NOT BANNED]" : "[BANNED]", AddBreak = true }); } if ((int)result == 0) // FingerPrint is not banned { UserList.Add(new User() { Client_ID = client.Id, Account_ID = account_id, Login_Name = username }); Statistics.UpdateAuthenticatedCount(true); setOTP(ref client, ref sqlCmd, account_id); } else // FingerPrint is banned { Statistics.UpdateBannedCount(true); if (debug) { Output.Write(new Message() { Text = "\t-Checking if FingerPrint ban is expired..." }); } // Get OTP Expiration Date sqlCmd.CommandText = "SELECT expiration_date FROM dbo.FingerPrint WHERE account_id = @account_id"; sqlCmd.Parameters.Clear(); sqlCmd.Parameters.Add("@account_id", SqlDbType.Int).Value = account_id; result = Database.ExecuteStatement(sqlCmd, 1); if ((DateTime)result < DateTime.Now) // Ban is up { if (debug) { Output.Write(new Message() { Text = "[EXPIRED]\n\t-Updating FingerPrint ban...", AddBreak = true }); } sqlCmd.CommandText = "UPDATE dbo.FingerPrint SET ban = 0 WHERE account_id = @account_id"; result = Database.ExecuteStatement(sqlCmd, 0); if (debug) { Output.Write(new Message() { Text = ((int)result == 1) ? "[SUCCESS]" : "[FAIL]", AddBreak = true }); } Statistics.UpdateAuthenticatedCount(true); Statistics.UpdateBannedCount(false); setOTP(ref client, ref sqlCmd, account_id); } else { ClientPackets.Instance.SC_SendBanStatus(client, 1); } } } else { if (debug) { Output.Write(new Message() { Text = string.Format("\t-Inserting FingerPrint: {0}...", fingerprint) }); } sqlCmd.CommandText = "INSERT INTO dbo.FingerPrint (account_id, finger_print, ban, expiration_date) VALUES (@account_id, @finger_print, @ban, @expiration_date)"; sqlCmd.Parameters.Clear(); sqlCmd.Parameters.Add("@account_id", SqlDbType.Int).Value = account_id; sqlCmd.Parameters.Add("@finger_print", SqlDbType.NVarChar).Value = fingerprint; sqlCmd.Parameters.Add("@ban", SqlDbType.Int).Value = 0; sqlCmd.Parameters.Add("@expiration_date", SqlDbType.DateTime).Value = new DateTime(1999, 1, 1, 12, 0, 0, 0); result = Database.ExecuteStatement(sqlCmd, 0); if (debug) { Output.Write(new Message() { Text = ((int)result == 1) ? "[SUCCESS]" : "[FAIL]", AddBreak = true }); } Statistics.UpdateAuthenticatedCount(true); setOTP(ref client, ref sqlCmd, account_id); } } else // Account is banned { Statistics.UpdateBannedCount(true); ClientPackets.Instance.SC_SendBanStatus(client, 0); } } else // Account doesn't exist { Statistics.UpdateRejectCount(true); ClientPackets.Instance.SC_SendAccountNull(client); } } }
protected void setOTP(ref Client client, ref SqlCommand sqlCmd, int account_id) { // Formulate an OTP string otpHash = OTP.GenerateRandomPassword(26); if (debug) { Output.Write(new Message() { Text = string.Format("\t-Generated OTP: {0}", otpHash) }); } // Check if OTP account_id already exists sqlCmd.CommandText = "SELECT COUNT(account_id) FROM dbo.OTP WHERE account_id = @account_id"; object result = Database.ExecuteStatement(sqlCmd, 1); if ((int)result == 1) // OTP account_id exists, update OTP { if (debug) { Output.Write(new Message() { Text = "\t-Updating OTP..." }); } sqlCmd.CommandText = "UPDATE dbo.OTP SET otp = @OTP, expiration = @expiration WHERE account_id = @account_id"; sqlCmd.Parameters.Add("@OTP", SqlDbType.NVarChar).Value = otpHash; sqlCmd.Parameters.Add("@expiration", SqlDbType.DateTime).Value = DateTime.Now.AddMinutes(5); result = Database.ExecuteStatement(sqlCmd, 0); if (debug) { Output.Write(new Message() { Text = ((int)result == 1) ? "[SUCCESS]" : "[FAIL]", AddBreak = true }); } } else // OTP account_id doesn't exist, write new OTP { if (debug) { Output.Write(new Message() { Text = "\t-Inserting OTP..." }); } sqlCmd.CommandText = "INSERT INTO dbo.OTP (account_id, otp, expiration) VALUES (@account_id, @OTP, @expiration)"; sqlCmd.Parameters.Clear(); sqlCmd.Parameters.Add("@account_id", SqlDbType.Int).Value = account_id; sqlCmd.Parameters.Add("@OTP", SqlDbType.NVarChar).Value = otpHash; sqlCmd.Parameters.Add("@expiration", SqlDbType.DateTime).Value = DateTime.Now.AddMinutes(5); result = Database.ExecuteStatement(sqlCmd, 0); if (debug) { Output.Write(new Message() { Text = ((int)result == 1) ? "[SUCCESS]" : "[FAIL]", AddBreak = true }); } } ClientPackets.Instance.SC_SendOTP(client, otpHash); }