This is a reworked and more secure version of the current username/key authentication system which solves two issues:
Fixes #29 by limiting transactions to one every three seconds for each user
Hashed keys are no longer distributed to clients, preventing attackers from pulling them from the user list and posing as other users
New Auth Process
Authentication is now essentially a username and password based login, using the existing implementation of user ids and hashed keys. Each user is already assigned a unique id, so I moved the authentication system from checking the hashed key (and more recently the username) to checking both the user's id and hashed key.
When a user attempts to connect, they provide their hashed key and optionally a user id. If a user id is provided, the server checks whether that user id exists and whether the key matches. If either of these checks fails, the user is registered with a new id and their key is assigned to it. If a user id is not provided, they follow the aforementioned registration process. The remainder of the authentication process remains the same. The user's hashed key is only stored in memory on the server and never propagated to other users.
Summarised Changes
Clients now use their id and hashed key as a username and password respectively
Clients store their id alongside their key in the phikey.txt file
Hashed keys are no longer propagated to other clients; instead, they are stored in memory on the server
Clients check if transactions contradict their preferences
User objects record the last time a transaction was made
Transactions are declined by the server if sent less than three seconds apart
Updated realm data version
Please don't hesitate to make comments or suggestions on the auth process or other details that I may have missed.
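The flow described above, as an added Python illustration that is not code from this pull request or the project: the class and method names are hypothetical, hashed keys are assumed to be bytes, and only accepted transactions are assumed to reset the three-second window.

```python
import hmac
import itertools
import time


class AuthServer:
    """Sketch of the described login and rate-limit flow (hypothetical names)."""

    MIN_TRADE_INTERVAL = 3.0  # seconds between transactions, per the description

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._keys = {}        # user id -> hashed key, held in server memory only
        self._last_trade = {}  # user id -> time of the last accepted transaction
        self._ids = itertools.count(1)

    def _register(self, hashed_key):
        user_id = str(next(self._ids))
        self._keys[user_id] = hashed_key
        return user_id

    def login(self, hashed_key, user_id=None):
        """Return the id the session is bound to (existing or newly registered)."""
        stored = self._keys.get(user_id) if user_id is not None else None
        # compare_digest keeps the comparison time independent of where bytes differ.
        if stored is not None and hmac.compare_digest(stored, hashed_key):
            return user_id
        # Unknown id, wrong key, or no id supplied: register under a fresh id,
        # so a mismatched key never grants access to the claimed id.
        return self._register(hashed_key)

    def public_user_list(self):
        """What other clients receive: ids only, never hashed keys."""
        return sorted(self._keys)

    def try_transaction(self, user_id):
        """Accept at most one transaction per MIN_TRADE_INTERVAL for each user."""
        now = self._clock()
        last = self._last_trade.get(user_id)
        if last is not None and now - last < self.MIN_TRADE_INTERVAL:
            return False  # declined: sent less than three seconds after the last
        self._last_trade[user_id] = now
        return True
```

The clock is injectable so the three-second window can be exercised without sleeping.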