From 987bc5a7032b268b5d79a9b88b46cddb3270b644 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Tue, 17 Oct 2023 16:26:40 -0700
Subject: [PATCH] Improve text related to weak auth (account key)

- in the page showing the weak auth, say that it depends on password and email addr (and make this page nicer looking)
- in the pages for changing password and email addr, say that doing so will change your weak auth.

---
 db/boinc_db_types.h | 1 +
 html/inc/user.inc | 10 ++++++++++
 html/user/edit_email_form.php | 2 ++
 html/user/edit_passwd_form.php | 2 ++
 html/user/weak_auth.php | 17 +++++++++--------
 5 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/db/boinc_db_types.h b/db/boinc_db_types.h
index 8d9cfd88ea1..c352446fe71 100644
--- a/db/boinc_db_types.h
+++ b/db/boinc_db_types.h
@@ -210,6 +210,7 @@ struct USER {
 // the "external CPID" that gets exported to stats sites
 // is MD5(cpid, email)
 char passwd_hash[256];
+ // MD5(password, email_addr)
 bool email_validated; // deprecated
 int donated;
 char login_token[32];
diff --git a/html/inc/user.inc b/html/inc/user.inc
index ed6f969e7ce..cb0bc7e4bf9 100644
--- a/html/inc/user.inc
+++ b/html/inc/user.inc
@@ -204,6 +204,16 @@ function notify_description($notify) {
 return null;
 }
 
+// a string that can be used to authenticate some operations,
+// but can't be used to log in to the account
+// (e.g. can't be used to change email addr or passwd)
+//
+// this is a function of
+// - authenticator (never changes)
+// - user ID (never changes)
+// - password
+// - email addr
+//
 function weak_auth($user) {
 $x = md5($user->authenticator.$user->passwd_hash);
 return "{$user->id}_$x";
diff --git a/html/user/edit_email_form.php b/html/user/edit_email_form.php
index ffb326b3850..8b8e746bd35 100644
--- a/html/user/edit_email_form.php
+++ b/html/user/edit_email_form.php
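Review bot: The new comment under `passwd_hash` gives the formula but not the consequence a maintainer of this field needs: because the email address is part of the input, an email change cannot leave the stored value intact, and the weak account key that `weak_auth()` in `html/inc/user.inc` derives from this field (later in this same patch) changes with it. Suggest `// MD5(password, email_addr); changes whenever either input changes, and weak_auth() in html/inc/user.inc derives the weak account key from it`. MD5 here is a plain digest rather than a password-hashing construction; that predates this commit, but saying so next to the formula keeps a reader from taking "hash" to mean a salted, slow password hash. The remainder of `struct USER` lies outside the hunk.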
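Review bot: The added comment lists the inputs of `weak_auth()` but not the shape of what it returns: `return "{$user->id}_$x";` places the numeric user ID in the clear in front of the hash, so a key copied onto an untrusted host identifies the account even though it cannot log in to it. One more comment line would cover that: `// format: "<user id>_<hex md5 of authenticator.passwd_hash>"; the user ID part is not secret`. The statement that the key "can't be used to change email addr or passwd" is a property of the pages that accept it rather than of this function; if there is a single place that enforces it, a pointer to it from this comment would help.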
@@ -24,6 +24,8 @@ $user = get_logged_in_user();
 page_head(tra("Change email address"));
+echo tra("Note: if you change your email address, your %1weak account key%2 will change.", "", "");
+echo "

";
 $email_text = "";
 if (is_valid_email_addr($user->email_addr)) {
diff --git a/html/user/edit_passwd_form.php b/html/user/edit_passwd_form.php
index 478ec110c89..110c273112a 100644
--- a/html/user/edit_passwd_form.php
+++ b/html/user/edit_passwd_form.php
@@ -24,6 +24,8 @@ $user = get_logged_in_user();
 page_head(tra("Change password"));
+echo tra("Note: if you change your password, your %1weak account key%2 will change.", "", "");
+echo "
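Review bot: The notice says the weak account key "will change" but not what that means for computers already attached with it, which is what a user deciding whether to change their email address needs to know; the text this commit removes from weak_auth.php stated that the previous key becomes invalid. The same wording is used in the edit_passwd_form.php hunk below, so both should say it, e.g. `Note: if you change your email address, your %1weak account key%2 will change, and computers attached with the current key will no longer be able to use it.`. The link markup passed as the %1/%2 arguments to tra() does not survive in this rendering of the patch, so it could not be checked.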

"; form_start(secure_url_base()."edit_passwd_action.php", "post"); form_input_text(tra("New password"), "passwd", "", "password",'id="passwd"',passwd_visible_checkbox("passwd")); diff --git a/html/user/weak_auth.php b/html/user/weak_auth.php index 75266224a15..dd00218d6b1 100644 --- a/html/user/weak_auth.php +++ b/html/user/weak_auth.php @@ -20,7 +20,6 @@ require_once("../inc/user.inc"); $user = get_logged_in_user(); -page_head(tra("Account keys")); $weak_auth = weak_auth($user); @@ -48,21 +47,23 @@ // $account_file = "account_" . rtrim($url, '_') . ".xml"; +page_head(tra("Account keys")); +text_start(); echo "
", tra("You can access your account either by using your email address and password, or by using an assigned 'account key'. Your account key is:"), - "
$user->authenticator
+ "

$user->authenticator

", tra("This key can be used to:"), "

  • ",tra("log in to your account on the web"),";
  • ", - tra("to attach a computer to your account without using the BOINC Manager. + tra("attach a computer to your account without using the BOINC Manager. To do so, install BOINC, create a file named %1 in the BOINC data directory, and set its contents to:","$account_file")," -
    ",
    +    

    ",
         htmlspecialchars(
     "
         ".$master_url."
    @@ -76,11 +77,11 @@
         If you want to attach untrusted or insecure computers to your account,
         do so using your weak account key.
         Your weak account key is:"),"
    -    
    $weak_auth
    -

    ", - tra("If you change your password, your weak account key changes, and your previous weak account key becomes invalid.")," +

    $weak_auth

    + ", + tra("The key depends on your account's email address and password. If you change either of these, the weak account key will change."),"

" ; - +text_end(); page_tail(); ?>
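Review bot: The replacement sentence drops the statement that the previous weak account key becomes invalid, which was the security-relevant half of the old text: the page recommends the weak key for "untrusted or insecure computers", so a user who changes their password or email address should be told that those hosts lose access, not just that the displayed value changes. Suggest `tra("The key depends on your account's email address and password. If you change either of these, the weak account key will change and the previous one will no longer work.")`. The reordering that moves page_head() below the `$account_file` computation is the earlier hunk in this file and looks fine on its own.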