Make some Trick for In-Band Registration #3949
Replies: 1 comment
There's a CAPTCHA option that you can configure to require a captcha in mod_register. ejabberd includes two example scripts to generate that captcha, but you can tweak them to your liking.
Just for fun I wrote a patch for ejabberd 22.10 that implements that trick. Notice that it's important that the account is protected by a password that only the user can know, so it must include not only the sha1/whatever, but also some random characters that only the user knows. In this patch, the password must start with sha1(PlayerID), and should include more characters.

From 483b782a82339bbbe3cfaa1334f72adb1fab7d81 Mon Sep 17 00:00:00 2001
From: Badlop <[email protected]>
Date: Wed, 30 Nov 2022 13:03:20 +0100
Subject: [PATCH] Password must start with the sha1 of username
For example, to register an account with name abc
the password must start with a9993e364706816aba3e25717850c26c9cd0d89d
and may contain more characters after that.
Obtained with:
echo -n abc | sha1sum
a9993e364706816aba3e25717850c26c9cd0d89d -
---
src/mod_admin_extra.erl | 1 +
src/mod_register.erl | 12 ++++++++++--
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/mod_admin_extra.erl b/src/mod_admin_extra.erl
index 12e775cfb..d1806091d 100644
--- a/src/mod_admin_extra.erl
+++ b/src/mod_admin_extra.erl
@@ -49,6 +49,7 @@
% Accounts
set_password/3, check_password_hash/4, delete_old_users/1,
+ get_hash/2,
delete_old_users_vhost/2, ban_account/3, check_password/3,
% vCard
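Review bot: get_hash/2 is added to the export list here, but nothing else in this patch calls it; the new is_strong_password/3 in mod_register.erl computes the prefix with str:sha(User) directly. Either drop this export or have mod_register call mod_admin_extra:get_hash/2 so both modules share one hashing helper instead of two ways of hashing the same value.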
diff --git a/src/mod_register.erl b/src/mod_register.erl
index 5f3d7de56..37fac4037 100644
--- a/src/mod_register.erl
+++ b/src/mod_register.erl
@@ -300,7 +300,7 @@ try_register_or_set_password(User, Server, Password,
end.
try_set_password(User, Server, Password) ->
- case is_strong_password(Server, Password) of
+ case is_strong_password(User, Server, Password) of
true ->
ejabberd_auth:set_password(User, Server, Password);
error_preparing_password ->
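Review bot: with is_strong_password/3 now guarding try_set_password, a password change (not only a registration) must start with sha1(User), and a missing prefix falls into the existing error_preparing_password branch, so the client receives the same error as for a password that failed resourceprep. Consider a distinct return value (and error text) for the missing-prefix case so a user can tell the two failures apart.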
@@ -349,7 +349,7 @@ try_register(User, Server, Password, SourceRaw) ->
Source = may_remove_resource(SourceRaw),
case check_timeout(Source) of
true ->
- case is_strong_password(Server, Password) of
+ case is_strong_password(User, Server, Password) of
true ->
case ejabberd_auth:try_register(
User, Server, Password) of
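Review bot: the prefix check runs only after check_timeout(Source) has returned true, so a registration rejected for a missing sha1 prefix has already gone through the source's timeout accounting; if check_timeout records the attempt, rejected attempts count against that source, which is probably what you want for anti-spam but deserves a comment here. The false branch of this case also reuses error_preparing_password for the missing-prefix case, the same collision as in try_set_password.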
@@ -551,6 +551,14 @@ process_xdata_submit(X) ->
_ -> error
end.
+is_strong_password(User, Server, Password) ->
+ case binary:split(Password, [str:sha(User)]) of
+ [<<>>, PasswordRemaining] ->
+ is_strong_password(Server, PasswordRemaining);
+ _ ->
+ error_preparing_password
+ end.
+
is_strong_password(Server, Password) ->
case jid:resourceprep(Password) of
PP when is_binary(PP) ->
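Review bot: str:sha(User) yields lowercase hex (the commit message's a9993e36... example matches sha1sum output), so binary:split here rejects a client that sends the SHA-1 in uppercase; either lowercase the head of Password before splitting or state the case requirement in the commit message. Also, when Password is exactly the hash, binary:split returns [<<>>, <<>>] and an empty PasswordRemaining is handed to is_strong_password/2, so "should include more characters" is enforced only if the configured password strength rejects an empty string; add an explicit clause such as `[<<>>, <<>>] -> error_preparing_password` if the extra characters are mandatory.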
--
2.35.1
I'm trying to use ejabberd for a FriendList in a game.
Is it possible to add some additional check/plugin in ejabberd for In-Band registration?
For example:
Registration(PlayerID, PlayerPass), where PlayerPass = encrypted(PlayerID) using AES;
The trick is:
Add a check on the ejabberd server: if decrypted(PlayerID) != PlayerID, then ignore this registration.
Can someone give me some advice on what I should edit in the ejabberd source to add that trick?
Or what is the best way to make a good registration with anti-spam / anti-DDoS protection?
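The check asked for in the question (a password derived from the PlayerID, verified server-side) and the sha1-prefix rule from Badlop's patch above, as an added example that is not part of the thread and not ejabberd code: a Python model of both the client that builds the password and the server check mirroring is_strong_password/3, followed by a keyed HMAC variant that goes beyond the thread and is closer to the asker's AES idea. The sample user, suffix and shared key are constructed for this example; the function names are the example's own.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample values for this example (not taken from the thread):
# a player ID used as the XMPP username, a client-side random suffix, and
# an assumed key for the keyed variant below.
SAMPLE_USER = "abc"
SAMPLE_SUFFIX = "k3Q9zP1wLx"            # constructed; a real client draws it at random
SAMPLE_KEY = b"constructed-shared-key"  # assumed; shared by game backend and server


def sha1_prefix(user: str) -> str:
    """Lowercase hex SHA-1 of the username, the prefix the patch requires.
    For "abc" this is a9993e364706816aba3e25717850c26c9cd0d89d, the same
    value the commit message gets from `echo -n abc | sha1sum`."""
    return hashlib.sha1(user.encode("utf-8")).hexdigest()


def client_password(user: str, suffix: Optional[str] = None) -> str:
    """Client side: sha1(user) followed by a random suffix.  Anyone who knows
    the username can compute the prefix, so only the suffix is secret."""
    if suffix is None:
        suffix = secrets.token_urlsafe(12)   # 16 URL-safe characters
    return sha1_prefix(user) + suffix


def server_check(user: str, password: str, min_suffix: int = 8) -> Optional[str]:
    """Server side, mirroring is_strong_password/3 from the patch: the password
    must begin with sha1(user) (case-sensitive, as str:sha is lowercase hex);
    the remainder is what the strength check would see.  Returns the remainder
    on success and None on rejection.  Unlike the patch, an empty or too-short
    remainder is rejected outright, because sha1(user) alone is public and
    leaves the account without any secret."""
    prefix = sha1_prefix(user)
    if not password.startswith(prefix):   # patch: binary:split -> [<<>>, Rest]
        return None
    rest = password[len(prefix):]
    if len(rest) < min_suffix:
        return None
    return rest


# Keyed variant (beyond the thread): if the game backend and ejabberd share a
# key, the prefix becomes HMAC(key, user), which a bot that knows only the
# username cannot forge.  A MAC fits better than AES here because the server
# only has to verify the value, never recover the PlayerID from it.

def keyed_prefix(user: str, key: bytes) -> str:
    return hmac.new(key, user.encode("utf-8"), hashlib.sha256).hexdigest()


def client_password_keyed(user: str, key: bytes, suffix: Optional[str] = None) -> str:
    if suffix is None:
        suffix = secrets.token_urlsafe(12)
    return keyed_prefix(user, key) + suffix


def server_check_keyed(user: str, password: str, key: bytes,
                       min_suffix: int = 8) -> Optional[str]:
    """Same shape as server_check, but the prefix depends on the key, so the
    comparison is constant-time to avoid leaking it byte by byte."""
    prefix = keyed_prefix(user, key)
    head, rest = password[:len(prefix)], password[len(prefix):]
    if len(head) != len(prefix) or not hmac.compare_digest(
            head.encode("utf-8"), prefix.encode("ascii")):
        return None
    if len(rest) < min_suffix:
        return None
    return rest


if __name__ == "__main__":
    pw = client_password(SAMPLE_USER, SAMPLE_SUFFIX)
    print(pw, "->", server_check(SAMPLE_USER, pw))
    print("prefix only ->", server_check(SAMPLE_USER, sha1_prefix(SAMPLE_USER)))
    kpw = client_password_keyed(SAMPLE_USER, SAMPLE_KEY, SAMPLE_SUFFIX)
    print(kpw, "->", server_check_keyed(SAMPLE_USER, kpw, SAMPLE_KEY))
```

The unkeyed check only stops clients that do not follow the convention; since sha1(user) is derivable from the username alone, the random suffix is the whole secret of the account, which is why the example refuses an empty remainder instead of deferring to the strength check.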