/* -*- java -*-
 *
 * (C) 2007 Fergus Henderson, Alan Donovan.
 *
 * Author: Fergus Henderson <fergus@google.com>
 *         Alan Donovan <adonovan@csail.mit.edu>
 *
 * auth.js -- JavaScript code for the authentication system.
 *
 * Assumes sha1.js is already included.
 */

// Returns sha1Hash(site constant + username + password).  sha1Hash is
// expected to come from sha1.js (see the file header).
//
// The forms in this file submit this digest instead of the password the
// user typed.  The site- and user-dependent prefix means a generic,
// precomputed SHA-1 dictionary does not apply to the digest.
//
// Limits to keep in mind when reviewing the server side:
//  - The salt is deterministic (fixed string + username) and a single
//    SHA-1 pass is fast, so a per-account dictionary is still feasible.
//    NOTE(review): confirm the server stores the received value under a
//    slow, randomly salted password hash rather than as-is.
//  - NOTE(review): if the server accepts this digest as the credential,
//    it is password-equivalent on the wire, so the forms still need to be
//    served and posted over TLS -- confirm.
//  - username and password are joined without a separator, so
//    ("ab", "c") and ("a", "bc") give the same digest.  Left unchanged:
//    a different input format would no longer match digests derived
//    with the current one.
//  - username is used exactly as passed in (no trimming or case folding),
//    so the same address typed with different capitalisation gives a
//    different digest.
function hashPassword(username, password) {
    // Fixed site string, then the username, then the password.
    var saltedInput = "Count down your carbon " + username + password;
    return sha1Hash(saltedInput);
}

// Click handler for login_form's submit button.
//
// Validates the e-mail address and password, stores the salted digest of
// the password in login_hashed_password, overwrites the visible password
// field with the literal "hashed" so the typed password is not part of
// the submitted form data, and then submits the form.
// On a validation failure it alerts the user and returns without calling
// form.submit().
//
// NOTE(review): whether the browser's own submit is suppressed when this
// handler returns early (or when scripting is disabled) depends on the
// form markup, which is not visible here -- confirm the typed password
// can never be posted unhashed.
function onClickSubmitLoginForm(form) {
    var emailField = form.login_email;
    var passwordField = form.login_password;

    // Pick the first failing check, in the order: e-mail, then password.
    var problem = null;
    if (!emailAddressSeemsOK(emailField.value)) {
        problem = "You must specify a valid e-mail address.";
    } else if (!passwordField.value) {
        problem = "You must enter a password.";
    }
    if (problem !== null) {
        alert(problem);
        return;
    }

    form.login_hashed_password.value =
        hashPassword(emailField.value, passwordField.value);
    // Replace the typed password before the form data is sent.
    passwordField.value = "hashed";
    form.submit();
}

// Click handler for new_user_form's submit button.
//
// Checks, in order: the e-mail address looks valid, a country is
// selected, the two password fields match, and the password is not empty.
// The first failing check is reported with alert() and the form is not
// submitted by this handler.  Otherwise the salted digests of both
// password fields are stored in the two hidden "hashed" fields, both
// visible password fields are overwritten with the literal "hashed" so
// the typed password is not part of the submitted form data, and the
// form is submitted.
//
// NOTE(review): these checks run in the browser only; the server
// presumably repeats them (including comparing the two digests) --
// confirm.  No minimum password length or strength is enforced here.
function onClickSubmitNewUserForm(form) {
    var emailField = form.new_user_email;
    var countryField = form.new_user_country_code;
    var firstEntry = form.new_user_password;
    var secondEntry = form.new_user_password2;

    var problem = null;
    if (!emailAddressSeemsOK(emailField.value)) {
        problem = "You must specify a valid e-mail address.";
    } else if (!countryField.value) {
        problem = "You must select a country.";
    } else if (firstEntry.value != secondEntry.value) {
        problem = "The two passwords do not match.";
    } else if (!firstEntry.value) {
        problem = "You must enter a password.";
    }
    if (problem !== null) {
        alert(problem);
        return;
    }

    // Both digests must be computed before the typed values are replaced.
    var email = emailField.value;
    form.new_user_hashed_password.value = hashPassword(email, firstEntry.value);
    form.new_user_hashed_password2.value = hashPassword(email, secondEntry.value);
    firstEntry.value = "hashed";
    secondEntry.value = "hashed";
    form.submit();
}

// Click handler for reset_password_form's submit button.
//
// Submits the form when the e-mail address passes emailAddressSeemsOK;
// otherwise alerts the user and does not call form.submit().  No password
// is involved, so nothing is hashed here.
function onClickSubmitResetPasswordForm(form) {
    if (emailAddressSeemsOK(form.reset_password_email.value)) {
        form.submit();
    } else {
        alert("You must specify a valid e-mail address.");
    }
}

// Click handler for change_password_form's submit button.
//
// Checks, in order: the e-mail address looks valid, the two new-password
// fields match, and the new password is not empty.  The first failing
// check is reported with alert() and the form is not submitted by this
// handler.  Otherwise the salted digests of both fields are stored in the
// two hidden "hashed" fields, both visible fields are overwritten with
// the literal "hashed" so the typed password is not part of the submitted
// form data, and the form is submitted.
//
// NOTE(review): the e-mail address in this form is not typed by the user
// (see the comment in the body), and it is also the salt input.  The
// server presumably authorises the change by some other means than this
// address alone -- confirm.
function onClickSubmitChangePasswordForm(form) {
    var emailField = form.change_password_email;
    var firstEntry = form.change_password_new_password;
    var secondEntry = form.change_password_new_password2;

    var problem = null;
    if (!emailAddressSeemsOK(emailField.value)) {
        // This email address is supposed to be passed as a CGI parameter,
        // so a bad value means the URL was wrong, not the user's typing.
        problem = "Invalid URL - please check the URL and try again.";
    } else if (firstEntry.value != secondEntry.value) {
        problem = "The two new passwords do not match.";
    } else if (!firstEntry.value) {
        problem = "You must enter a new password.";
    }
    if (problem !== null) {
        alert(problem);
        return;
    }

    // Both digests must be computed before the typed values are replaced.
    var email = emailField.value;
    form.change_password_hashed_new_password.value =
        hashPassword(email, firstEntry.value);
    form.change_password_hashed_new_password2.value =
        hashPassword(email, secondEntry.value);
    firstEntry.value = "hashed";
    secondEntry.value = "hashed";
    form.submit();
}

// Returns true iff address passes a rough plausibility check:
//   - it is non-empty,
//   - it contains exactly one "@", and not as the first character,
//   - the first "." after the "@" exists, does not directly follow the
//     "@", and is not the last character.
//
// This is a usability check, not validation.  Only the first "." after
// the "@" is inspected, so inputs such as "a@b.c." or "a@b..c", and
// addresses containing spaces, are accepted.  The check runs in the
// browser only, so the server has to validate the address itself.
function emailAddressSeemsOK(address) {
    if (!address) {
        return false; // null or empty address
    }

    var at = address.indexOf("@");
    var hasSingleAt = at >= 1 && address.indexOf("@", at + 1) === -1;
    if (!hasSingleAt) {
        return false; // no "@", "@" at start, or more than one "@"
    }

    var dot = address.indexOf(".", at + 1);
    // Reject: no "." after "@", "." as last character, "." right after "@".
    return dot !== -1 &&
        dot !== address.length - 1 &&
        dot !== at + 1;
}

