Issue 3015 - store timestamp when password is reset (#3863)

* Added few unsigned to ints in order to get rid of warnings.
Added column to users table, for when password is changed(issue#3015).
Moved password length check to separate method, to make it cleaner.
* Added migration file and changed schema version to 27 due to servatrice.sql schema modification.
* Make password length configurable.

common/expression.cpp

@@ -62,7 +62,7 @@ double Expression::eval(const peg::Ast &ast)
         return value;
     } else if (ast.name[0] == 'P') {
         double result = eval(*nodes[0]);
-        for (int i = 1; i < nodes.size(); i += 2) {
+        for (unsigned int i = 1; i < nodes.size(); i += 2) {
             double arg = eval(*nodes[i + 1]);
             char operation = nodes[i]->token[0];
             switch (operation) {

servatrice/migrations/servatrice_0026_to_0027.sql

@@ -0,0 +1,5 @@
+-- Servatrice db migration from version 26 to version 27
+
+ALTER TABLE cockatrice_users ADD COLUMN passwordLastChangedDate datetime NOT NULL DEFAULT '0000-00-00 00:00:00';
+
+UPDATE cockatrice_schema_version SET version=27 WHERE version=26;

servatrice/servatrice.ini.example

@@ -135,6 +135,10 @@ disallowedwords="admin"
 ;          http://www.regular-expressions.info/catastrophic.html
 disallowedregexp=""
 
+; Define minimum password length
+; Default 6.
+minpasswordlength = 6
+
 [registration]
 
 ; Servatrice can process registration requests to add new users on the fly.

servatrice/servatrice.sql

@@ -20,7 +20,7 @@ CREATE TABLE IF NOT EXISTS `cockatrice_schema_version` (
   PRIMARY KEY  (`version`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
 
-INSERT INTO cockatrice_schema_version VALUES(26);
+INSERT INTO cockatrice_schema_version VALUES(27);
 
 -- users and user data tables
 CREATE TABLE IF NOT EXISTS `cockatrice_users` (
@@ -40,6 +40,7 @@ CREATE TABLE IF NOT EXISTS `cockatrice_users` (
   `privlevel` enum("NONE","VIP","DONATOR") NOT NULL,
   `privlevelStartDate` datetime NOT NULL,
   `privlevelEndDate` datetime NOT NULL,
+  `passwordLastChangedDate` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
   PRIMARY KEY  (`id`),
   UNIQUE KEY `name` (`name`),
   KEY `token` (`token`),

servatrice/src/servatrice.cpp

@@ -1065,3 +1065,8 @@ bool Servatrice::getEnableForgotPasswordAudit() const
 {
     return settingsCache->value("audit/enable_forgotpassword_audit", true).toBool();
 }
+
+int Servatrice::getMinPasswordLength() const
+{
+    return settingsCache->value("users/minpasswordlength", 6).toInt();
+}

servatrice/src/servatrice.h

@@ -255,6 +255,7 @@ public:
     bool getEnableAudit() const;
     bool getEnableRegistrationAudit() const;
     bool getEnableForgotPasswordAudit() const;
+    int getMinPasswordLength() const;
     int getIdleClientTimeout() const override;
     int getServerID() const override;
     int getMaxGameInactivityTime() const override;

servatrice/src/servatrice_database_interface.cpp

@@ -953,7 +953,8 @@ bool Servatrice_DatabaseInterface::changeUserPassword(const QString &user,
 
     QString passwordSha512 = PasswordHasher::computeHash(newPassword, PasswordHasher::generateRandomSalt());
 
-    passwordQuery = prepareQuery("update {prefix}_users set password_sha512=:password where name = :name");
+    passwordQuery = prepareQuery("update {prefix}_users set password_sha512=:password, "
+                                 "passwordLastChangedDate = NOW() where name = :name");
     passwordQuery->bindValue(":password", passwordSha512);
     passwordQuery->bindValue(":name", user);
     if (execSqlQuery(passwordQuery))

servatrice/src/servatrice_database_interface.h

@@ -9,7 +9,7 @@
 #include "server.h"
 #include "server_database_interface.h"
 
-#define DATABASE_SCHEMA_VERSION 26
+#define DATABASE_SCHEMA_VERSION 27
 
 class Servatrice;
 

servatrice/src/serversocketinterface.cpp

@@ -1077,8 +1077,7 @@ Response::ResponseCode AbstractServerSocketInterface::cmdRegisterAccount(const C
     QString country = QString::fromStdString(cmd.country());
     QString password = QString::fromStdString(cmd.password());
 
-    // TODO make this configurable?
-    if (password.length() < 6) {
+    if (!isPasswordLongEnough(password.length())) {
         if (servatrice->getEnableRegistrationAudit())
             sqlInterface->addAuditRecord(QString::fromStdString(cmd.user_name()).simplified(), this->getAddress(),
                                          QString::fromStdString(cmd.clientid()).simplified(), "REGISTER_ACCOUNT",
@@ -1223,8 +1222,7 @@ Response::ResponseCode AbstractServerSocketInterface::cmdAccountPassword(const C
     QString oldPassword = QString::fromStdString(cmd.old_password());
     QString newPassword = QString::fromStdString(cmd.new_password());
 
-    // TODO make this configurable?
-    if (newPassword.length() < 6)
+    if (!isPasswordLongEnough(newPassword.length()))
         return Response::RespPasswordTooShort;
 
     QString userName = QString::fromStdString(userInfo->name());
@@ -1794,3 +1792,8 @@ void WebsocketServerSocketInterface::binaryMessageReceived(const QByteArray &mes
 
     processCommandContainer(newCommandContainer);
 }
+
+bool AbstractServerSocketInterface::isPasswordLongEnough(const int passwordLength)
+{
+    return passwordLength < servatrice->getMinPasswordLength();
+}

servatrice/src/serversocketinterface.h

@@ -122,6 +122,8 @@ private:
     bool addAdminFlagToUser(const QString &user, int flag);
     bool removeAdminFlagFromUser(const QString &user, int flag);
 
+    bool isPasswordLongEnough(const int passwordLength);
+
 public:
     AbstractServerSocketInterface(Servatrice *_server,
                                   Servatrice_DatabaseInterface *_databaseInterface,