widelands-dev team mailing list archive

Thread
Date

Re: [Merge] lp:~widelands-dev/widelands/bug-1827786-metaserver-login-box-clean-start into lp:widelands

To: mp+367320@xxxxxxxxxxxxxxxxxx
From: GunChleoc <fios@xxxxxxxxxxxxxxxxxxx>
Date: Sun, 12 May 2019 12:23:11 -0000
In-reply-to: <155765960471.29165.7676113100053809645.launchpad@ackee.canonical.com>
Reply-to: mp+367320@xxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx

I have pushed a small tweak and added some more comments.

Diff comments:

> === modified file 'src/ui_fsmenu/multiplayer.cc'
> --- src/ui_fsmenu/multiplayer.cc	2019-05-11 18:50:30 +0000
> +++ src/ui_fsmenu/multiplayer.cc	2019-05-12 11:12:04 +0000
> @@ -58,21 +58,46 @@
>  	vbox_.add_inf_space();
>  	vbox_.add(&back, UI::Box::Resizing::kFullSize);
>  
> -	Section& s = g_options.pull_section("global");
> -	auto_log_ = s.get_bool("auto_log", false);
> -	if (auto_log_) {
> -		showloginbox =
> +	showloginbox =
>  		   new UI::Button(this, "login_dialog", 0, 0, 0, 0, UI::ButtonStyle::kFsMenuSecondary,
>  		                  g_gr->images().get("images/ui_basic/continue.png"), _("Show login dialog"));
> -		showloginbox->sigclicked.connect(
> +	showloginbox->sigclicked.connect(
>  		   boost::bind(&FullscreenMenuMultiPlayer::show_internet_login, boost::ref(*this)));
> -	}
>  	layout();
>  }
>  
>  /// called if the showloginbox button was pressed
>  void FullscreenMenuMultiPlayer::show_internet_login() {
> -	auto_log_ = false;
> +	Section& s = g_options.pull_section("global");
> +	LoginBox lb(*this);
> +	if (lb.run<UI::Panel::Returncodes>() == UI::Panel::Returncodes::kOk) {
> +		nickname_ = lb.get_nickname();
> +		s.set_string("nickname", nickname_);
> +		/// NOTE: The password is only stored (in memory and on disk) and transmitted (over the
> +		/// network
> +		/// to the metaserver) as cryptographic hash. This does NOT mean that the password is
> +		/// stored
> +		/// securely on the local disk. While the password should be secure while transmitted to
> +		/// the
> +		/// metaserver (no-one can use the transmitted data to log in as the user) this is not the
> +		/// case
> +		/// for local storage. The stored hash of the password makes it hard to look at the
> +		/// configuration
> +		/// file and figure out the plaintext password to, e.g., log in on the forum. However, the
> +		/// stored hash can be copied to another system and used to log in as the user on the
> +		/// metaserver.
> +		// Further note: SHA-1 is considered broken and shouldn't be used anymore. But since the
> +		// passwords on the server are protected by SHA-1 we have to use it here, too
> +		if (lb.get_password() != "*****") {

Better make this empty when it's not set and make the ** a function of displaying it only.

> +			password_ = crypto::sha1(lb.get_password());
> +			s.set_string("password_sha1", password_);
> +		}
> +
> +		register_ = lb.registered();
> +		s.set_bool("registered", lb.registered());
> +	} else {
> +		return;
> +	}
>  	internet_login();
>  }
>  
> 
> === modified file 'src/wui/login_box.cc'
> --- src/wui/login_box.cc	2019-05-11 18:50:30 +0000
> +++ src/wui/login_box.cc	2019-05-12 11:12:04 +0000
> @@ -113,3 +114,44 @@
>  	}
>  	return UI::Panel::handle_key(down, code);
>  }
> +
> +void LoginBox::clicked_register() {
> +	if (cb_register->get_state()) {
> +		ta_password->set_color(UI_FONT_CLR_DISABLED);
> +		eb_password->set_can_focus(false);
> +		eb_password->set_text("");

When the user starts typing, the password is displayed as clear text, not as ***. This needs to be fixed in the UI::Editbox class' draw() function.

> +	} else {
> +		ta_password->set_color(UI_FONT_CLR_FG);
> +		eb_password->set_can_focus(true);
> +		eb_password->focus();
> +	}
> +}
> +
> +void LoginBox::verify_input() {
> +	// Check if all needed input fields are valid
> +	loginbtn->set_enabled(true);
> +	eb_nickname->set_tooltip("");
> +	eb_password->set_tooltip("");
> +	eb_nickname->set_warning(false);
> +
> +	if (eb_nickname->text().empty()) {
> +		eb_nickname->set_warning(true);
> +		eb_nickname->set_tooltip(_("Please enter a nickname!"));
> +		loginbtn->set_enabled(false);
> +	} else if (eb_nickname->text().find_first_not_of("abcdefghijklmnopqrstuvwxyz"

We have this same complicated comparison above pull out a bool function to ensure consistency.

> +		"ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890@.+-_") <= eb_nickname->text().size()) {
> +			eb_nickname->set_warning(true);
> +			eb_nickname->set_tooltip(_("Enter a valid nickname. This value may contain only "
> +													  "English letters, numbers, and @ . + - _ characters."));
> +			loginbtn->set_enabled(false);
> +	}
> +
> +	if (eb_password->text().empty() && cb_register->get_state()) {
> +		eb_password->set_tooltip(_("Please enter your password!"));
> +		loginbtn->set_enabled(false);
> +	}
> +
> +	if (eb_password->has_focus() && eb_password->text() == "*****") {
> +		eb_password->set_text("");
> +	}
> +}


-- 
https://code.launchpad.net/~widelands-dev/widelands/bug-1827786-metaserver-login-box-clean-start/+merge/367320
Your team Widelands Developers is subscribed to branch lp:~widelands-dev/widelands/bug-1825932-open-games-clean-start.

References

[Merge] lp:~widelands-dev/widelands/bug-1827786-metaserver-login-box-clean-start into lp:widelands
From: Toni Förster, 2019-05-12