4 Questions in one topic

Post here your questions about SFS2X. Here we discuss all server-side matters. For client API questions see the dedicated forums.

Moderators: Lapo, Bax

Basto
Posts: 4
Joined: 11 Oct 2020, 07:18

4 Questions in one topic

Postby Basto » 14 Jun 2021, 04:23

Hello,

Question 1 :
I wanna that the preprocess plugin works before the validation.

Because I wanna make a system that delete accounts with the same username if they aren't activated, something like this :

Code: Select all

suac.getConfig().preProcessPlugin = (user, isfsObject, signUpConfiguration) -> {
    String email = isfsObject.getUtfString("email");
    String username = isfsObject.getUtfString("username");
    try {
        String sql = "DELETE FROM accounts WHERE active='N' AND (username='" + username + "' OR email='" + email + "')";
        getParentZone().getDBManager().executeQuery(sql, new Object[]{});
    } catch (SQLException e) {
        trace(WARN, "SQL Failed: " + e);
    }
};

But this doesn't works, users are not deleted
I just looked into the signup assiatant class and discovered that the validation is made before the preprocess plugin call. Is there a way to change that or must I recompile the program to make it works this way ?

Question 2 : Is there a way to apply the badwords system into the usernames at the signup ? Or must I use some regex jars in the pre process plugin to make it ?

Question 3 : Should I manually remove the activation_code of the accounts that were activated to prevent collision with other activation_codes ? I'm saying that because i'm using a 4 digit activation code to make it user friendly, and in this case collisions are possible.

Question 4 : I'm trying to use the Custom password checking of the login assistant. For this I have to use the PasswordUtil.hash() fonction, but it needs a salt, and I didnt seen any tutorial on how to configure the signup extension to use salts.

Thank you.
User avatar
Lapo
Site Admin
Posts: 22074
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: 4 Questions in one topic

Postby Lapo » 14 Jun 2021, 07:28

Hi,

1)
I just looked into the signup assiatant class and discovered that the validation is made before the preprocess plugin call. Is there a way to change that or must I recompile the program to make it works this way ?


The SignUp component validates the required input parameters first (username, password and email) then it passes the control to your PreProcess class.
Is this a problem? If so can you explain why and what you're trying to do?

2)
Is there a way to apply the badwords system into the usernames at the signup ? Or must I use some regex jars in the pre process plugin to make it ?

There isn't an automated mode for this but you can use the existing BadWordsFilter in your PreProcess plugin.

Code: Select all

if (zone.getWordFilter().isActive())
{
   FilteredMessage fm = targetRoom.getZone().getWordFilter().apply(message, sender);
   String filteredName = fm.getMessage();
}


Where zone is your current Zone.

3)
Should I manually remove the activation_code of the accounts that were activated to prevent collision with other activation_codes ? I'm saying that because i'm using a 4 digit activation code to make it user friendly, and in this case collisions are possible.

Removing the activation code from where?

4)
I'm trying to use the Custom password checking of the login assistant. For this I have to use the PasswordUtil.hash() fonction, but it needs a salt, and I didnt seen any tutorial on how to configure the signup extension to use salts.

The password is checked by the Component, you don't need to do it manually. That is the point of using the Login Component.
As regards the modes in which passwords are stored in the DB you can see the docs here:
http://docs2x.smartfoxserver.com/Extens ... ant-basics
(bottom of page)

Hope it helps
Lapo
--
gotoAndPlay()
...addicted to flash games
Basto
Posts: 4
Joined: 11 Oct 2020, 07:18

Re: 4 Questions in one topic

Postby Basto » 14 Jun 2021, 08:17

Hi Lapo, thank you for the fast response.

1)
The SignUp component validates the required input parameters first (username, password and email) then it passes the control to your PreProcess class.
Is this a problem? If so can you explain why and what you're trying to do?


I want that if someone signup with an username (or an email address) already used, if the account associated to this username isn't validated (with code validation by email) then this account is deleted to make available the username to the new user.

That's what i tried to to in the Preprocess plugin (the code in the first post) but as you said the signup componant validates the input parameters before passing the control to the Preprocess class, so it's impossible to make the system i want to.

2) Problem solved thank you.

3)
Removing the activation code from where?

From the users table in database.
For example :
User A signup and receive an activation code 'ABCD' on his email adress, and validates his account.
User B signup and receive the same activation code (my activations codes have 4 digits to be user-friendly, so collisions like theses are possible), when he tries to activate his account what will the signup assistant do ? Does he only search activation codes in accounts that arent validated ?
And if that's the case, an account not validated can still make a collision with a new user.

4)
The password is checked by the Component, you don't need to do it manually. That is the point of using the Login Component.
As regards the modes in which passwords are stored in the DB you can see the docs here:
http://docs2x.smartfoxserver.com/Extens ... ant-basics
(bottom of page)


I know that the password is checked by the component, but i'm doing this section "Custom password checking and encryption" in the tutorial http://docs2x.smartfoxserver.com/Extens ... -assistant .

And my problem is there :

Code: Select all

class LoginPreProcess implements ILoginAssistantPlugin
{
    @Override
    public void execute(LoginData ld)
    {
        String clientPass = ld.clientIncomingData.getUtfString("passwd");
         
        // Let's see if the password from the DB matches that of the user
        if (!ld.password.equals(clientpass))
            throw new PasswordCheckException();
             
        // Success!
    }
}


In my case clientPass is the password hashed and ld.password is the password sent by the user during conneciton, so it's not hashed.
So I can't compare them.

I think to compare then I must hash the password sent by the user during connection, to hash it I think i must use PasswordUtil.hash().
This function needs a salt, but i don't event choose a salt because i didnt hash the password it was the signup component that did it because the password mode is set to MD5.

If i choose passwordmode normal instead of MD5 now I can compare them but he isn't hashed in database...

So do I need to do my own signup system to hash the password with a salt ?


Sorry for my bad english.
User avatar
Lapo
Site Admin
Posts: 22074
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: 4 Questions in one topic

Postby Lapo » 14 Jun 2021, 14:31

1)
Basto wrote:I want that if someone signup with an username (or an email address) already used, if the account associated to this username isn't validated (with code validation by email) then this account is deleted to make available the username to the new user.


This is not possibile and generally speaking there are other issues connected with implementing this approach.
Imagine someone has registered an account with username "Frodo", but has not activated the account yet. When another user wants to register with the same name what happens?
At the very least you must have a timestamp that tells you how long ago the original account was created, so that you can decide wether or not it must be deleted.

3)
From the users table in database.
For example :
User A signup and receive an activation code 'ABCD' on his email adress, and validates his account.
User B signup and receive the same activation code (my activations codes have 4 digits to be user-friendly, so collisions like theses are possible), when he tries to activate his account what will the signup assistant do ? Does he only search activation codes in accounts that arent validated ?

Yes, the system is done so that activation codes are unique.
Have you considered using the long code we have implemented and simply adding a note to copy the code via the clipboard?
I understand that this may feel as less user friendly but all it takes is a double tap to highlight the code and then copy/paste it.

4)
In my case clientPass is the password hashed and ld.password is the password sent by the user during conneciton, so it's not hashed.
So I can't compare them.

The article describes two modes of sending the password:
1) With a non-encrypted connection: the user must send the password normally and it will be hashed behind the scenes and recognized by the server. For this to work the password must be stored in plain text on the database. (but it is transmitted securely over a non secure connection).

2) With an encrypted connection: the password can be sent normally (no behind-the-scenes hashing) to the server because it's protected by encryption. On the server side you can handle the plain-text password and process is, for example adding a salt and checking it against the salted version stored in the DB.

The details are found in the article you have mentioned:
http://docs2x.smartfoxserver.com/Extens ... -assistant

cheers
Lapo

--

gotoAndPlay()

...addicted to flash games

Return to “SFS2X Questions”

Who is online

Users browsing this forum: Bing [Bot] and 22 guests