From f1cef81d76b9d0b73a16c70ec7ae9e39e1f1a419 Mon Sep 17 00:00:00 2001
From: Kukks <evilkukka@gmail.com>
Date: Thu, 14 Nov 2019 19:01:26 +0100
Subject: [PATCH] Do not allow login or register over an insecure connection

---
 BTCPayServer/Controllers/AccountController.cs | 56 +++++++++++-
 BTCPayServer/Views/Account/Login.cshtml       | 53 ++++++-----
 BTCPayServer/Views/Account/Register.cshtml    | 90 +++++++++++--------
 3 files changed, 139 insertions(+), 60 deletions(-)

diff --git a/BTCPayServer/Controllers/AccountController.cs b/BTCPayServer/Controllers/AccountController.cs
index 247491352..89ade5e4b 100644
--- a/BTCPayServer/Controllers/AccountController.cs
+++ b/BTCPayServer/Controllers/AccountController.cs
@@ -74,21 +74,29 @@ namespace BTCPayServer.Controllers
         [AllowAnonymous]
         public async Task<IActionResult> Login(string returnUrl = null)
         {
+            
             if (User.Identity.IsAuthenticated && string.IsNullOrEmpty(returnUrl))
                 return RedirectToLocal();
             // Clear the existing external cookie to ensure a clean login process
             await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);
 
+            CanLoginOrRegister();
+            
             ViewData["ReturnUrl"] = returnUrl;
             return View();
         }
 
+
         [HttpPost]
         [AllowAnonymous]
         [ValidateAntiForgeryToken]
         [RateLimitsFilter(ZoneLimits.Login, Scope = RateLimitsScope.RemoteAddress)]
         public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = null)
         {
+            if (!CanLoginOrRegister())
+            {
+                return View(model);
+            }
             ViewData["ReturnUrl"] = returnUrl;
             if (ModelState.IsValid)
             {
@@ -199,6 +207,11 @@ namespace BTCPayServer.Controllers
         [ValidateAntiForgeryToken]
         public async Task<IActionResult> LoginWithU2F(LoginWithU2FViewModel viewModel, string returnUrl = null)
         {
+            if (!CanLoginOrRegister())
+            {
+                return RedirectToAction("Login");
+            }
+            
             ViewData["ReturnUrl"] = returnUrl;
             var user = await _userManager.FindByIdAsync(viewModel.UserId);
 
@@ -242,6 +255,11 @@ namespace BTCPayServer.Controllers
         [AllowAnonymous]
         public async Task<IActionResult> LoginWith2fa(bool rememberMe, string returnUrl = null)
         {
+            if (!CanLoginOrRegister())
+            {
+                return RedirectToAction("Login");
+            }
+
             // Ensure the user has gone through the username & password screen first
             var user = await _signInManager.GetTwoFactorAuthenticationUserAsync();
 
@@ -264,6 +282,11 @@ namespace BTCPayServer.Controllers
         [ValidateAntiForgeryToken]
         public async Task<IActionResult> LoginWith2fa(LoginWith2faViewModel model, bool rememberMe, string returnUrl = null)
         {
+            if (!CanLoginOrRegister())
+            {
+                return RedirectToAction("Login");
+            }
+
             if (!ModelState.IsValid)
             {
                 return View(model);
@@ -305,6 +328,11 @@ namespace BTCPayServer.Controllers
         [AllowAnonymous]
         public async Task<IActionResult> LoginWithRecoveryCode(string returnUrl = null)
         {
+            if (!CanLoginOrRegister())
+            {
+                return RedirectToAction("Login");
+            }
+
             // Ensure the user has gone through the username & password screen first
             var user = await _signInManager.GetTwoFactorAuthenticationUserAsync();
             if (user == null)
@@ -322,6 +350,11 @@ namespace BTCPayServer.Controllers
         [ValidateAntiForgeryToken]
         public async Task<IActionResult> LoginWithRecoveryCode(LoginWithRecoveryCodeViewModel model, string returnUrl = null)
         {
+            if (!CanLoginOrRegister())
+            {
+                return RedirectToAction("Login");
+            }
+
             if (!ModelState.IsValid)
             {
                 return View(model);
@@ -366,7 +399,8 @@ namespace BTCPayServer.Controllers
         [AllowAnonymous]
         public async Task<IActionResult> Register(string returnUrl = null, bool logon = true, bool useBasicLayout = false)
         {
-            var policies = await _SettingsRepository.GetSettingAsync<PoliciesSettings>() ?? new PoliciesSettings();
+            CanLoginOrRegister();
+                var policies = await _SettingsRepository.GetSettingAsync<PoliciesSettings>() ?? new PoliciesSettings();
             if (policies.LockSubscription && !User.IsInRole(Roles.ServerAdmin))
                 return RedirectToAction(nameof(HomeController.Index), "Home");
             ViewData["ReturnUrl"] = returnUrl;
@@ -381,6 +415,11 @@ namespace BTCPayServer.Controllers
         [ValidateAntiForgeryToken]
         public async Task<IActionResult> Register(RegisterViewModel model, string returnUrl = null, bool logon = true)
         {
+            if (!CanLoginOrRegister())
+            {
+                return RedirectToAction("Register");
+            }
+
             ViewData["ReturnUrl"] = returnUrl;
             ViewData["Logon"] = logon.ToString(CultureInfo.InvariantCulture).ToLowerInvariant();
             ViewData["AllowIsAdmin"] = _Options.AllowAdminRegistration;
@@ -580,6 +619,21 @@ namespace BTCPayServer.Controllers
                 return RedirectToAction(nameof(HomeController.Index), "Home");
             }
         }
+        
+        
+        private bool CanLoginOrRegister()
+        {
+            if (_btcPayServerEnvironment.IsDevelopping || _btcPayServerEnvironment.IsSecure) return true;
+            TempData.SetStatusMessageModel(new StatusMessageModel()
+            {
+                Severity = StatusMessageModel.StatusSeverity.Error,
+                Message = "You cannot login over an insecure connection. Please use HTTPS or Tor."
+            });
+            
+            ViewData["disabled"] = true;
+            return false;
+
+        }
 
         #endregion
     }
diff --git a/BTCPayServer/Views/Account/Login.cshtml b/BTCPayServer/Views/Account/Login.cshtml
index 2272a73e6..2fc0c4d41 100644
--- a/BTCPayServer/Views/Account/Login.cshtml
+++ b/BTCPayServer/Views/Account/Login.cshtml
@@ -4,7 +4,14 @@
     ViewData["Title"] = "Log in";
     Layout = "_WelcomeLayout.cshtml";
 }
-
+@if (TempData.HasStatusMessage())
+{
+    <div class="row">
+        <div class="col-lg-12 text-center">
+            <partial name="_StatusMessage"/>
+        </div>
+    </div>
+}
 <div class="modal-dialog modal-login">
     <div class="modal-content">
         <div class="modal-header">
@@ -12,30 +19,32 @@
         </div>
         <div class="modal-body">
             <form asp-route-returnurl="@ViewData["ReturnUrl"]" method="post">
-                <div asp-validation-summary="ModelOnly" class="text-danger"></div>
-                <div class="form-group">
-                    <div class="input-group">
-                        <div class="input-group-prepend">
-                            <label for="Email" class="input-group-text"><span class="input-group-addon fa fa-user"></span></label>
-                        </div>
+                <fieldset disabled="@(ViewData.ContainsKey("disabled") ? "disabled" : null)" >
+                    <div asp-validation-summary="ModelOnly" class="text-danger"></div>
+                    <div class="form-group">
+                        <div class="input-group">
+                            <div class="input-group-prepend">
+                                <label for="Email" class="input-group-text"><span class="input-group-addon fa fa-user"></span></label>
+                            </div>
 
-                        <input asp-for="Email" class="form-control" placeholder="Email" required="required" />
-                    </div>
-                    <span asp-validation-for="Email" class="text-danger"></span>
-                </div>
-                <div class="form-group">
-                    <div class="input-group">
-                        <div class="input-group-prepend">
-                            <label for="Password" class="input-group-text"><span class="input-group-addon fa fa-lock"></span></label>
+                            <input asp-for="Email" class="form-control" placeholder="Email" required="required" />
                         </div>
-                        <input asp-for="Password" class="form-control" placeholder="Password" required="required" />
+                        <span asp-validation-for="Email" class="text-danger"></span>
                     </div>
-                    <span asp-validation-for="Password" class="text-danger"></span>
-                </div>
-                <div class="form-group">
-                    <button type="submit" class="btn btn-primary btn-block btn-lg" id="LoginButton">Sign in</button>
-                </div>
-                <p class="hint-text"><a asp-action="ForgotPassword">Forgot your password?</a></p>
+                    <div class="form-group">
+                        <div class="input-group">
+                            <div class="input-group-prepend">
+                                <label for="Password" class="input-group-text"><span class="input-group-addon fa fa-lock"></span></label>
+                            </div>
+                            <input asp-for="Password" class="form-control" placeholder="Password" required="required" />
+                        </div>
+                        <span asp-validation-for="Password" class="text-danger"></span>
+                    </div>
+                    <div class="form-group">
+                        <button type="submit" class="btn btn-primary btn-block btn-lg" id="LoginButton">Sign in</button>
+                    </div>
+                    <p class="hint-text"><a asp-action="ForgotPassword">Forgot your password?</a></p>
+                </fieldset>
             </form>
         </div>
         @if (themeManager.ShowRegister)
diff --git a/BTCPayServer/Views/Account/Register.cshtml b/BTCPayServer/Views/Account/Register.cshtml
index a94cfd704..c6aef33a1 100644
--- a/BTCPayServer/Views/Account/Register.cshtml
+++ b/BTCPayServer/Views/Account/Register.cshtml
@@ -4,6 +4,14 @@
     var useBasicLayout = ViewData["UseBasicLayout"] is true;
     Layout = useBasicLayout ? "../Shared/_Layout.cshtml" : "_WelcomeLayout.cshtml";
 }
+@if (TempData.HasStatusMessage())
+{
+    <div class="row">
+        <div class="col-lg-12 text-center">
+            <partial name="_StatusMessage"/>
+        </div>
+    </div>
+}
 
 <!-- We want to center the dialog box in case we are not using the Welcome layout -->
 <div class="modal-dialog @(useBasicLayout ? "modal-dialog-centered" : "")">
@@ -13,45 +21,53 @@
         </div>
         <div class="modal-body">
             <form asp-route-returnUrl="@ViewData["ReturnUrl"]" asp-route-logon="@ViewData["Logon"]" method="post">
-                <div asp-validation-summary="ModelOnly" class="text-danger"></div>
-                <div class="form-group">
-                    <div class="input-group">
-                        <div class="input-group-prepend">
-                            <label for="Email" class="input-group-text"><span class="input-group-addon fa fa-user"></span></label>
-                        </div>
-                        <input asp-for="Email" class="form-control" placeholder="Email" required="required" />
-                    </div>
-                    <span asp-validation-for="Email" class="text-danger"></span>
-                </div>
-                <div class="form-group">
-                    <div class="input-group">
-                        <div class="input-group-prepend">
-                            <label for="Password" class="input-group-text"><span class="input-group-addon fa fa-lock"></span></label>
-                        </div>
-                        <input asp-for="Password" class="form-control" placeholder="Password" required="required" />
-                    </div>
-                    <span asp-validation-for="Password" class="text-danger"></span>
-                </div>
-                <div class="form-group">
-                    <div class="input-group">
-                        <div class="input-group-prepend">
-                            <label for="ConfirmPassword" class="input-group-text"><span class="input-group-addon fa fa-lock"></span></label>
-                        </div>
-                        <input asp-for="ConfirmPassword" class="form-control" placeholder="Repeat password" required="required" />
-                    </div>
-                    <span asp-validation-for="ConfirmPassword" class="text-danger"></span>
-                </div>
-                @if (ViewData["AllowIsAdmin"] is true)
-                {
+                <fieldset disabled="@(ViewData.ContainsKey("disabled") ? "disabled" : null)" >
+                    <div asp-validation-summary="ModelOnly" class="text-danger"></div>
                     <div class="form-group">
-                        <label asp-for="IsAdmin"></label>
-                        <input asp-for="IsAdmin" type="checkbox" class="form-check-inline" />
-                        <span asp-validation-for="IsAdmin" class="text-danger"></span>
+                        <div class="input-group">
+                            <div class="input-group-prepend">
+                                <label for="Email" class="input-group-text">
+                                    <span class="input-group-addon fa fa-user"></span>
+                                </label>
+                            </div>
+                            <input asp-for="Email" class="form-control" placeholder="Email" required="required"/>
+                        </div>
+                        <span asp-validation-for="Email" class="text-danger"></span>
                     </div>
-                }
-                <div class="form-group">
-                    <button type="submit" class="btn btn-primary btn-block btn-lg" id="RegisterButton">Create account</button>
-                </div>
+                    <div class="form-group">
+                        <div class="input-group">
+                            <div class="input-group-prepend">
+                                <label for="Password" class="input-group-text">
+                                    <span class="input-group-addon fa fa-lock"></span>
+                                </label>
+                            </div>
+                            <input asp-for="Password" class="form-control" placeholder="Password" required="required"/>
+                        </div>
+                        <span asp-validation-for="Password" class="text-danger"></span>
+                    </div>
+                    <div class="form-group">
+                        <div class="input-group">
+                            <div class="input-group-prepend">
+                                <label for="ConfirmPassword" class="input-group-text">
+                                    <span class="input-group-addon fa fa-lock"></span>
+                                </label>
+                            </div>
+                            <input asp-for="ConfirmPassword" class="form-control" placeholder="Repeat password" required="required"/>
+                        </div>
+                        <span asp-validation-for="ConfirmPassword" class="text-danger"></span>
+                    </div>
+                    @if (ViewData["AllowIsAdmin"] is true)
+                    {
+                        <div class="form-group">
+                            <label asp-for="IsAdmin"></label>
+                            <input asp-for="IsAdmin" type="checkbox" class="form-check-inline"/>
+                            <span asp-validation-for="IsAdmin" class="text-danger"></span>
+                        </div>
+                    }
+                    <div class="form-group">
+                        <button type="submit" class="btn btn-primary btn-block btn-lg" id="RegisterButton">Create account</button>
+                    </div>
+                </fieldset>
             </form>
         </div>
     </div>