authorYohann Ferreira <yohann_dot_ferreira_at_orange_dot_efer>2010-11-09 23:37:22 +0100
committerYohann Ferreira <yohann_dot_ferreira_at_orange_dot_efer>2010-11-09 23:37:22 +0100
commit8369416cdfd2782860032bc524b5c58c0f1c06a7 (patch)
treefc6fe85961d594564b55b8faeeae52494d21bedd /src/account-server/accounthandler.cpp
parent2a56e837b5d0c7ac2611e1941dd1447f704145ed (diff)
Fixed unregistering on the server-side.
When registering or logging in, the client hashes the password in order to send it safely, and the server hashes it again to store it the same way. Hence, the password ends up hashed twice, which is correct because the server can't trust the client anyway. On an unregister attempt, the server wasn't hashing the password before comparing it. While at it, I also made the corresponding SQL query use the try/catch method and only delete the account in memory once it has also been deleted in the DB.

Reviewed-by: thorbjorn, Freeyorp.
Diffstat (limited to 'src/account-server/accounthandler.cpp')
-rw-r--r--src/account-server/accounthandler.cpp7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/account-server/accounthandler.cpp b/src/account-server/accounthandler.cpp
index 8fa0576c..d76a6b1b 100644
--- a/src/account-server/accounthandler.cpp
+++ b/src/account-server/accounthandler.cpp
@@ -535,8 +535,6 @@ void AccountHandler::handleUnregisterMessage(AccountClient &client,
MessageIn &msg)
{
LOG_DEBUG("AccountHandler::handleUnregisterMessage");
- std::string username = msg.readString();
- std::string password = msg.readString();
MessageOut reply(APMSG_UNREGISTER_RESPONSE);
@@ -547,6 +545,9 @@ void AccountHandler::handleUnregisterMessage(AccountClient &client,
return;
}
+ std::string username = msg.readString();
+ std::string password = msg.readString();
+
if (stringFilter->findDoubleQuotes(username))
{
reply.writeInt8(ERRMSG_INVALID_ARGUMENT);
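Review bot: After the move, `username` and `password` come straight from `msg.readString()`, and the only validation visible before the account lookup in the next hunk is `stringFilter->findDoubleQuotes(username)`. If the storage layer builds its SQL by string concatenation (not visible here), a double-quote denylist is a fragile defence, and bound parameters inside `getAccount` would make the filter unnecessary. A short comment above the reads would also help, for example `// username/password are client-supplied; the check above must already have rejected unauthenticated clients`, once it is confirmed that this is what the early `return` guarantees. The function starts before and continues past this hunk.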
@@ -557,7 +558,7 @@ void AccountHandler::handleUnregisterMessage(AccountClient &client,
// See whether the account exists
Account *acc = storage->getAccount(username);
- if (!acc || acc->getPassword() != password)
+ if (!acc || acc->getPassword() != sha256(password))
{
reply.writeInt8(ERRMSG_INVALID_ARGUMENT);
client.send(reply);
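Review bot: The new check `acc->getPassword() != sha256(password)` compares the stored digest with `std::string`'s `!=`, which stops at the first differing byte, so the comparison is not constant-time; a fixed-time comparison over both digests would be the safer form. As far as this line shows, the stored value is a single unsalted SHA-256 of whatever the client sent, which is cheap to brute-force offline if the account table leaks. A per-account salt with a deliberately slow password KDF, applied identically at register, login and unregister, is the usual remedy. The client-side hash described in the commit message is itself the credential on the wire, so it protects nothing without transport encryption. Separately, the account is looked up by the client-supplied `username`; it is worth confirming, and documenting here, whether this should be restricted to the account bound to the current session. `handleUnregisterMessage` continues past the end of this hunk.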