diff --git a/doc/lua_api.txt b/doc/lua_api.txt
index 03f2dad32..82a0acbee 100644
--- a/doc/lua_api.txt
+++ b/doc/lua_api.txt
@@ -1951,12 +1951,21 @@ Call these functions only at load time!
 * `minetest.notify_authentication_modified(name)`
 * Should be called by the authentication handler if privileges changes.
 * To report everybody, set `name=nil`.
+* `minetest.check_password_entry(name, entry, password)`
+ * Returns true if the "db entry" for a player with name matches given
+ * password, false otherwise.
+ * The "db entry" is the usually player-individual value that is derived
+ * from the player's chosen password and stored on the server in order to allow
+ * authentication whenever the player desires to log in.
+ * Only use this function for making it possible to log in via the password from
+ * via protocols like IRC, other uses for inside the game are frowned upon.
 * `minetest.get_password_hash(name, raw_password)`
 * Convert a name-password pair to a password hash that Minetest can use.
 * The returned value alone is not a good basis for password checks based
 * on comparing the password hash in the database with the password hash
 * from the function, with an externally provided password, as the hash
 * in the db might use the new SRP verifier format.
+ * For this purpose, use minetest.check_password_entry instead.
 * `minetest.string_to_privs(str)`: returns `{priv1=true,...}`
 * `minetest.privs_to_string(privs)`: returns `"priv1,priv2,..."`
 * Convert between two privilege representations
diff --git a/src/script/lua_api/l_util.cpp b/src/script/lua_api/l_util.cpp
index e90b7fbcf..d090fc91c 100644
--- a/src/script/lua_api/l_util.cpp
+++ b/src/script/lua_api/l_util.cpp
@@ -246,6 +246,35 @@ int ModApiUtil::l_get_hit_params(lua_State *L)
 return 1;
 }
+// check_password_entry(name, entry, password)
+int ModApiUtil::l_check_password_entry(lua_State *L)
+{
+ NO_MAP_LOCK_REQUIRED;
+ std::string name = luaL_checkstring(L, 1);
+ std::string entry = luaL_checkstring(L, 2);
+ std::string password = luaL_checkstring(L, 3);
+
+ if (base64_is_valid(entry)) {
+ std::string hash = translate_password(name, password);
+ lua_pushboolean(L, hash == entry);
+ return 1;
+ }
+
+ std::string salt;
+ std::string verifier;
+
+ if (!decode_srp_verifier_and_salt(entry, &verifier, &salt)) {
+ // invalid format
+ warningstream << "Invalid password format for " << name << std::endl;
+ lua_pushboolean(L, false);
+ return 1;
+ }
+ std::string gen_verifier = generate_srp_verifier(name, password, salt);
+
+ lua_pushboolean(L, gen_verifier == verifier);
+ return 1;
+}
+
 // get_password_hash(name, raw_password)
 int ModApiUtil::l_get_password_hash(lua_State *L)
 {
@@ -449,6 +478,7 @@ void ModApiUtil::Initialize(lua_State *L, int top)
 API_FCT(get_dig_params);
 API_FCT(get_hit_params);
+ API_FCT(check_password_entry);
 API_FCT(get_password_hash);
 API_FCT(is_yes);
diff --git a/src/script/lua_api/l_util.h b/src/script/lua_api/l_util.h
index 779dbe281..3012d55aa 100644
--- a/src/script/lua_api/l_util.h
+++ b/src/script/lua_api/l_util.h
@@ -71,6 +71,9 @@ private:
 // get_hit_params(groups, tool_capabilities[, time_from_last_punch])
 static int l_get_hit_params(lua_State *L);
+ // check_password_entry(name, entry, password)
+ static int l_check_password_entry(lua_State *L);
+
 // get_password_hash(name, raw_password)
 static int l_get_password_hash(lua_State *L);
diff --git a/src/util/auth.h b/src/util/auth.h
index 1fd6ab453..7cdc7d74d 100644
--- a/src/util/auth.h
+++ b/src/util/auth.h
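Review bot: In l_check_password_entry (l_util.cpp), both results come from std::string `operator==` (`hash == entry` and `gen_verifier == verifier`), which is free to return at the first differing byte, so the time taken can depend on how much of the stored value a guess matches. Since the documentation in this commit offers the function for logins arriving over outside protocols such as IRC, I would compare through a small helper that checks the lengths and then folds every byte difference into one accumulator, as sketched below. Separately, what happens for an empty `entry` depends on base64_is_valid and translate_password, neither of which is visible here; if both accept an empty string, an account with no stored password would match an empty `password`, which deserves either an explicit rejection or a sentence in lua_api.txt.

```cpp
// Compares two strings without stopping at the first differing byte.
static bool auth_strings_equal(const std::string &a, const std::string &b)
{
	if (a.size() != b.size())
		return false;
	unsigned int diff = 0;
	for (size_t i = 0; i < a.size(); i++)
		diff |= static_cast<unsigned char>(a[i]) ^ static_cast<unsigned char>(b[i]);
	return diff == 0;
}

// … unchanged: argument parsing and the base64_is_valid(entry) test …
		lua_pushboolean(L, auth_strings_equal(hash, entry));
// … unchanged: SRP entry decoding and gen_verifier computation …
	lua_pushboolean(L, auth_strings_equal(gen_verifier, verifier));
```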
@@ -45,6 +45,6 @@ std::string encode_srp_verifier(const std::string &verifier,
 /// Reads the DB-formatted SRP verifier and gets the verifier
 /// and salt components.
 bool decode_srp_verifier_and_salt(const std::string &encoded,
- std::string *salt, std::string *bytes_v);
+ std::string *verifier, std::string *salt);
 #endif
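Review bot: Both out-parameters of decode_srp_verifier_and_salt are `std::string *`, so the compiler cannot catch a caller that passes them in the wrong order, and this hunk changes only the names in the declaration while the definition stays outside the diff. It is worth confirming that the definition really writes the verifier through the first pointer and the salt through the second, and that callers written against the old `salt, bytes_v` naming are not passing them swapped. The new call in l_check_password_entry relies on the verifier-first order, and a mismatch there would presumably make every SRP entry fail the check. I would also pin the order in the doc comment, for example `/// On success *verifier receives the verifier bytes and *salt the salt.`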