Updates
Registration process changes, security model partially upgraded.
I have been doing a bit of improvement work on some aspects of the account management for this game. I have decided to move the initial account registration off of the calculator onto the Web Deck. When this change is complete (it's in progress now), attempting to log in to an account that does not exist will no longer allow you to register from your device, it will prompt you to visit the server's frontend to create your account. This is done to facilitate the follow upgraded security model. Trust me, ya'll don't want to know how bad it was before.
1) Firstly, registration on the Web Deck is now protected by recaptcha. Login does not have it.
2) Secondly, the server generates you a login "key" that will, when used from a calculator, grant it access to your account. This key is generated from your username and hashed password, using PBKDF2 (SHA256 mode), with 1000 iterations and a 16-byte salt (using PHP's built-in hash_pbkdf2() method). That resulting key is then hashed using PHP's password_hash() (bcrypt) which is saved as your "public key", and the private key (output of pbkdf2) is written into a TI application variable, which you can download from the web deck and send to any device you want to allow access to your account.
2b) It so follows that any changes to your account password invalidate any existing key files that you are using.
3) I have...after much experimentation and failure...finally figured out how to prevent Apache from allowing hot links of certain file types. I used this to protect all database files accessed by the website, as well as all .8xv and .bin files from being directly downloaded. As for why I struggled so much with it... let's just say that some of the "this is how to do it" you see on the Internet are so very wrong.
4) I may add some form of obfuscation to exchanging the login key with the server, if I can figure out how to do that.
Edit: For now, the key is exchanged with the Trek server using Blowfish (which I've added to hashlib)
The server generates a secret when you connect and sends it to the client and that is used to create the blowfish key. I may swap that out for something else when I get a bit better at this stuff.
Registration process changes, security model partially upgraded.
I have been doing a bit of improvement work on some aspects of the account management for this game. I have decided to move the initial account registration off of the calculator onto the Web Deck. When this change is complete (it's in progress now), attempting to log in to an account that does not exist will no longer allow you to register from your device, it will prompt you to visit the server's frontend to create your account. This is done to facilitate the follow upgraded security model. Trust me, ya'll don't want to know how bad it was before.
1) Firstly, registration on the Web Deck is now protected by recaptcha. Login does not have it.
2) Secondly, the server generates you a login "key" that will, when used from a calculator, grant it access to your account. This key is generated from your username and hashed password, using PBKDF2 (SHA256 mode), with 1000 iterations and a 16-byte salt (using PHP's built-in hash_pbkdf2() method). That resulting key is then hashed using PHP's password_hash() (bcrypt) which is saved as your "public key", and the private key (output of pbkdf2) is written into a TI application variable, which you can download from the web deck and send to any device you want to allow access to your account.
2b) It so follows that any changes to your account password invalidate any existing key files that you are using.
3) I have...after much experimentation and failure...finally figured out how to prevent Apache from allowing hot links of certain file types. I used this to protect all database files accessed by the website, as well as all .8xv and .bin files from being directly downloaded. As for why I struggled so much with it... let's just say that some of the "this is how to do it" you see on the Internet are so very wrong.
4) I may add some form of obfuscation to exchanging the login key with the server, if I can figure out how to do that.
Edit: For now, the key is exchanged with the Trek server using Blowfish (which I've added to hashlib)
The server generates a secret when you connect and sends it to the client and that is used to create the blowfish key. I may swap that out for something else when I get a bit better at this stuff.