Shorter confirmation URLs. 'confirm=' becomes 'c=' and the

confirmation secret is reduced to 80 bits (which amounts to 20
characters under base64).

http:// and /cgi-bin/disorder?c=XXXXXXXXXXXXXXXXXXXX amount to 47
characters, leaving over 30 characters for a hostname and still
fitting into an 80 column display.

diff --git a/server/dcgi.c b/server/dcgi.c
index e36719c558596ea1b33a038fd4188b69027b8bb2..d54160e559e6d791f33470079ffbe31573c69bcc 100644 (file)
--- a/server/dcgi.c
+++ b/server/dcgi.c
@@ -537,7 +537,7 @@ static void act_register(cgi_sink *output,
   byte_xasprintf((char **)&text,
                 "Welcome to DisOrder.  To active your login, please visit this URL:\n"
                 "\n"
-                "  %s?confirm=%s\n", config->url, urlencodestring(confirm));
+                "%s?c=%s\n", config->url, urlencodestring(confirm));
   if(!(text = mime_encode_text(text, &charset, &encoding)))
     fatal(0, "cannot encode email");
   byte_xasprintf(&content_type, "text/plain;charset=%s",
@@ -553,7 +553,7 @@ static void act_confirm(cgi_sink *output,
                        dcgi_state *ds) {
   const char *confirmation;
 
-  if(!(confirmation = cgi_get("confirm"))) {
+  if(!(confirmation = cgi_get("c"))) {
     cgi_set_option("error", "noconfirm");
     expand_template(ds, output, "login");
   }
@@ -1707,7 +1707,7 @@ void disorder_cgi(cgi_sink *output, dcgi_state *ds) {
   if(!action) {
     /* We allow URLs which are just confirm=... in order to keep confirmation
      * URLs, which are user-facing, as short as possible. */
-    if(cgi_get("confirm"))
+    if(cgi_get("c"))
       action = "confirm";
     else
       action = "playing";

diff --git a/server/server.c b/server/server.c
index f0dfeb40d492ecbda12ce02573b893d825f3e90c..a09025ed475f526133f51407a99715e50934b7bd 100644 (file)
--- a/server/server.c
+++ b/server/server.c
@@ -72,6 +72,10 @@
 # define NONCE_SIZE 16
 #endif
 
+#ifndef CONFIRM_SIZE
+# define CONFIRM_SIZE 10
+#endif
+
 int volume_left, volume_right;         /* last known volume */
 
 /** @brief Accept all well-formed login attempts
@@ -1158,11 +1162,11 @@ static int c_register(struct conn *c,
   int offset;
 
   /* The confirmation string is base64(username;nonce) */
-  bufsize = strlen(vec[0]) + NONCE_SIZE + 2;
+  bufsize = strlen(vec[0]) + CONFIRM_SIZE + 2;
   buf = xmalloc_noptr(bufsize);
   offset = byte_snprintf(buf, bufsize, "%s;", vec[0]);
-  gcry_randomize(buf + offset, NONCE_SIZE, GCRY_STRONG_RANDOM);
-  cs = mime_to_base64((uint8_t *)buf, offset + NONCE_SIZE);
+  gcry_randomize(buf + offset, CONFIRM_SIZE, GCRY_STRONG_RANDOM);
+  cs = mime_to_base64((uint8_t *)buf, offset + CONFIRM_SIZE);
   if(trackdb_adduser(vec[0], vec[1], config->default_rights, vec[2], cs))
     sink_writes(ev_writer_sink(c->w), "550 Cannot create user\n");
   else