This moves most of the logic of action.php into a separate file
lib/dispatcher.lib.php and separates the actions into ladder-related
actions and non-ladder-related actions. This is intended to make it
possible to have a second action.php that handles only ladder-related
actions, which can run on the main server computer and allow
that computer to make HTTP requests to `localhost`, which should
help reduce ladder errors.

The `serverlist` action returns a list of registered servers. It accepts
cross-domain requests, which is safe since it merely returns publicly
available information.

The Pokemon Showdown server already enforced a maximum username length
of 18 characters, but the login server allowed registering names up to
63 characters long.

- check timestamp in index.php rather than sim.js to reduce the chance
of false positives caused by the user's internet connection being
slow or the user's clock being slightly wrong
- require timestamp logging to be a POST request

As of this commit, if a registered server does not provide us with
a server token, authentication for `ladderupdate` is based purely on
the IP address of the server. This technically also applies to
the `prepreplay` action, but only the main server can use that at
this time, so that does not actually change anything.

This avoids an attack where a malicious webpage contains
<script id="data" type="application/json"
src="http://play.pokemonshowdown.com/~~showdown/action.php?act=upkeep"/>
The webpage could then read the value of the `data` element using
standard DOM methods in order to steal the user's login assertion
and log in as the user on the `showdown` server.
This commit implements the following:
- each server now has a separate session with a 'sid' cookie
scoped to /~~server:port
- 'sid' cookies are now HTTP-only and not accessible in JavaScript
- the showdown_token cookie is removed
Together, these changes fix various XSS attacks.

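The per-server session described in the commit above, as an added example in PHP (the language of action.php); this is not the login server's own code. The session store, the function names, the assumed server-id format, the cookie lifetime and the SameSite setting are assumptions made for the illustration.

```php
<?php
// Added example, not the login server's own code. It models a 'sid' cookie
// scoped to /~~server:port and marked HttpOnly, plus the server-side binding
// that makes the scoping meaningful. Function names, the session store and
// the server-id format ([a-z0-9-]) are assumptions.

function serverCookiePath(string $serverId, int $port): string {
    // Assumed id format; rejecting anything else keeps untrusted input out
    // of the cookie's Path attribute.
    if (!preg_match('/^[a-z0-9-]{1,32}$/', $serverId) || $port < 1 || $port > 65535) {
        throw new InvalidArgumentException('bad server id or port');
    }
    return "/~~{$serverId}:{$port}";
}

// Issue a session for one server and record which server it belongs to.
// $store is an in-memory stand-in for the real session store:
//   sid => ['server' => serverId, 'user' => username]
function issueServerSession(array &$store, string $serverId, int $port, string $user, bool $https): string {
    $sid = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    $store[$sid] = ['server' => $serverId, 'user' => $user];
    setcookie('sid', $sid, [
        'expires'  => time() + 30 * 24 * 3600,     // assumed lifetime
        'path'     => serverCookiePath($serverId, $port),
        'secure'   => $https,                      // only over TLS when the site uses TLS
        'httponly' => true,                        // not visible to document.cookie
        'samesite' => 'Lax',                       // assumption, not stated in the commit
    ]);
    return $sid;
}

// Resolve a sid only for the server it was issued to. The cookie Path merely
// controls where the browser sends the cookie; it is not an authorization
// boundary, so the server id is checked again here.
function lookupServerSession(array $store, string $serverId, ?string $sid): ?string {
    if ($sid === null || !isset($store[$sid])) {
        return null;
    }
    if ($store[$sid]['server'] !== $serverId) {
        return null;   // sid replayed against a different server
    }
    return $store[$sid]['user'];
}

// Constructed walkthrough (no real servers involved):
$sessions = [];
$sid = issueServerSession($sessions, 'showdown', 8000, 'alice', true);
$okUser  = lookupServerSession($sessions, 'showdown', $sid);   // 'alice'
$crossed = lookupServerSession($sessions, 'other', $sid);      // null
```

HttpOnly is what keeps the sid away from page scripts; the path scope only limits which requests carry it, so the server-side `server` field is the check that actually stops a sid issued for one server being accepted by another.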
Currently, server authentication for updating the ladder and for
uploading replays is done by comparing the hash of the token provided
by the server to the hash on record. This commit adds a second layer
of authentication by also verifying that the request actually
originates from the Pokemon Showdown server in question.
For now, I have also maintained the server token check as a form of
two-factor authentication.
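The two-layer server check described above, and the IP-only fallback for a registered server with no token on record from the earlier commit, as one added example in PHP; this is not the login server's own code. The registry layout, the choice of SHA-256 for the stored token hash, the function names and the sample addresses are assumptions.

```php
<?php
// Added example, not the login server's own code. It models authentication
// of a `ladderupdate` request: the request must come from the registered
// server's address, and the server token must hash to the value on record.
// Registry layout, hash algorithm and names are assumptions.

function sampleRegistry(): array {
    // Constructed sample data using RFC 5737 / RFC 3849 documentation addresses.
    return [
        'showdown' => [
            'ips'        => ['203.0.113.10', '2001:db8::10'],
            'token_hash' => hash('sha256', 's3cret-token'),   // token is high-entropy, so a plain hash suffices
        ],
        'legacy' => [
            'ips'        => ['198.51.100.7'],
            'token_hash' => null,   // no token on record: address check only
        ],
    ];
}

function ipMatches(string $remote, array $allowed): bool {
    // Compare packed addresses so IPv6 spelling variants (case, compressed
    // zeros) do not cause false mismatches.
    $r = inet_pton($remote);
    if ($r === false) {
        return false;
    }
    foreach ($allowed as $ip) {
        $a = inet_pton($ip);
        if ($a !== false && $a === $r) {
            return true;
        }
    }
    return false;
}

// Returns 'ok', 'ok-ip-only', or a rejection reason.
function authenticateServer(array $registry, string $serverId, ?string $token, string $remoteAddr): string {
    if (!isset($registry[$serverId])) {
        return 'unknown-server';
    }
    $entry = $registry[$serverId];

    // Layer 1: origin. $remoteAddr should be the socket peer address
    // ($_SERVER['REMOTE_ADDR']), not X-Forwarded-For, unless a proxy the
    // login server trusts is known to set that header.
    if (!ipMatches($remoteAddr, $entry['ips'])) {
        return 'bad-ip';
    }

    // Layer 2: the token. With nothing on record only the address check
    // applies (the weaker behaviour the earlier commit describes).
    if ($entry['token_hash'] === null) {
        return 'ok-ip-only';
    }
    if ($token === null || !hash_equals($entry['token_hash'], hash('sha256', $token))) {
        return 'bad-token';   // hash_equals avoids a timing side channel on the comparison
    }
    return 'ok';
}

// Constructed requests against the sample registry:
$registry = sampleRegistry();
$results = [
    authenticateServer($registry, 'showdown', 's3cret-token', '203.0.113.10'),
    authenticateServer($registry, 'showdown', 's3cret-token', '198.51.100.7'),
    authenticateServer($registry, 'showdown', 'wrong-token', '203.0.113.10'),
    authenticateServer($registry, 'legacy', null, '198.51.100.7'),
];
```

The address check is done first so that a stolen token is useless from any other host, and the token check stays in place so that a host that can spoof or share the registered address still needs the secret; an `ok-ip-only` result is the case worth flagging in logs until every registered server has a token on record.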