diff --git a/TShockAPI/Rest/SecureRest.cs b/TShockAPI/Rest/SecureRest.cs
index 17aa43ca..deadc0a1 100644
--- a/TShockAPI/Rest/SecureRest.cs
+++ b/TShockAPI/Rest/SecureRest.cs
@@ -25,6 +25,7 @@ using TShockAPI;
 using TShockAPI.DB;
 using Microsoft.Xna.Framework;
 using Terraria;
+using System.Security.Cryptography;
 
 namespace Rests
 {
@@ -41,6 +42,8 @@ namespace Rests
 public Dictionary Tokens { get; protected set; }
 public Dictionary AppTokens { get; protected set; }
 
+ private RNGCryptoServiceProvider _rng = new RNGCryptoServiceProvider();
+
 public SecureRest(IPAddress ip, int port)
 : base(ip, port)
 {
@@ -112,7 +115,7 @@ namespace Rests
 int tokens = 0;
 if (tokenBucket.TryGetValue(context.RemoteEndPoint.Address.ToString(), out tokens))
 {
- if (tokens >= Math.Max(TShock.Config.RESTMaximumRequestsPerInterval, 5))
+ if (tokens >= TShock.Config.RESTMaximumRequestsPerInterval)
 {
 TShock.Log.ConsoleError("A REST login from {0} was blocked as it currently has {1} tokens", context.RemoteEndPoint.Address.ToString(), tokens);
 tokenBucket[context.RemoteEndPoint.Address.ToString()] += 1; // Tokens over limit, increment by one and reject request
@@ -121,8 +124,7 @@ namespace Rests
 Error = "Username or password may be incorrect or this account may not have sufficient privileges."
 };
 }
- if (!TShock.Config.RESTLimitOnlyFailedLoginRequests)
- tokenBucket[context.RemoteEndPoint.Address.ToString()] += 1; // Tokens under limit, increment by one and process request
+ tokenBucket[context.RemoteEndPoint.Address.ToString()] += 1; // Tokens under limit, increment by one and process request
 }
 else
 {
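Review bot: The new `_rng` field is an RNGCryptoServiceProvider, which implements IDisposable, yet nothing in the hunk disposes it and the field is left mutable; declare it `private readonly RNGCryptoServiceProvider _rng = new RNGCryptoServiceProvider();` and, if SecureRest or its base class already has a Dispose path, release it there. Keeping one long-lived instance for the whole server is otherwise the right call, since RNGCryptoServiceProvider.GetBytes is safe to call from multiple threads, so constructing one per login would gain nothing. `RandomNumberGenerator.Create()` is the portable factory for the same thing if the field type is ever widened to the abstract RandomNumberGenerator. Only the field and the first lines of the constructor are in this hunk; the rest of the class, including any Dispose, is outside it.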
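Review bot: Dropping the Math.Max(..., 5) floor on the changed `if` line means a RESTMaximumRequestsPerInterval of 0 or a negative value now rejects every REST login from an address as soon as it is in the bucket, because `tokens >= 0` is always true; the old floor guaranteed at least five attempts regardless of configuration. Failing closed on a bad value is defensible, but it should be deliberate: either validate the setting as positive when the config is loaded, or keep a floor of one, `if (tokens >= Math.Max(TShock.Config.RESTMaximumRequestsPerInterval, 1))`. The config-loading code and the `else` branch that first inserts an address are outside this hunk, so I cannot tell whether such validation already exists.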
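Review bot: Removing the RESTLimitOnlyFailedLoginRequests check means the bucket now counts successful logins as well, so a client that authenticates legitimately at a steady rate is throttled exactly like a failing one; that may be the intended tightening, but nothing in the diff says so, and the surviving comment `// Tokens under limit, increment by one and process request` no longer hints that successful logins are included. If the config property still exists, it is now silently ignored on this path and should be removed or marked `[Obsolete("All REST login attempts are rate limited")]` so operators are not misled by a setting that does nothing. The login method this belongs to starts before the hunk and continues past it.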
@@ -150,13 +152,12 @@ namespace Rests
 return new RestObject("403") { Error = "Username or password may be incorrect or this account may not have sufficient privileges." };
 }
-
+
 string tokenHash;
- var rand = new Random();
 var randbytes = new byte[32];
 do
 {
- rand.NextBytes(randbytes);
+ _rng.GetBytes(randbytes);
 tokenHash = randbytes.Aggregate("", (s, b) => s + b.ToString("X2"));
 } while (Tokens.ContainsKey(tokenHash));