Fix the same username being able to have multiple sessionsHEADmain

Previously, a client failing this check would be disconnected,
incorrectly resulting in the username being removed from the playerlist
and enabling another client to log in. The only limit to this was the
number of internal servers accessible to the account. This commit fixes
the bypass by preventing the username from being removed from the list
in error cases.

1 files changed, 24 insertions, 19 deletions

diff --git a/process.go b/process.go
index 01e27b1..0515054 100644
--- a/process.go
+++ b/process.go
@@ -79,6 +79,30 @@ func (cc *ClientConn) process(pkt mt.Pkt) {
 		cc.name = cmd.PlayerName
 		cc.logger.SetPrefix(fmt.Sprintf("[%s %s] ", cc.RemoteAddr(), cc.Name()))
 
+		playersMu.Lock()
+		_, ok := players[cc.Name()]
+		if ok {
+			cc.Log("<-", "already connected")
+			ack, _ := cc.SendCmd(&mt.ToCltKick{Reason: mt.AlreadyConnected})
+
+			select {
+			case <-cc.Closed():
+			case <-ack:
+				cc.Close()
+			}
+
+			// Needed so that the username doesn't get removed from
+			// the player list which would allow other clients to
+			// bypass this check.
+			cc.name = ""
+
+			playersMu.Unlock()
+			return
+		}
+
+		players[cc.Name()] = struct{}{}
+		playersMu.Unlock()
+
 		if !playerNameChars.MatchString(cmd.PlayerName) {
 			cc.Log("<-", "invalid player name")
 			ack, _ := cc.SendCmd(&mt.ToCltKick{Reason: mt.BadNameChars})
@@ -126,25 +150,6 @@ func (cc *ClientConn) process(pkt mt.Pkt) {
 			return
 		}
 
-		playersMu.Lock()
-		_, ok := players[cc.Name()]
-		if ok {
-			cc.Log("<-", "already connected")
-			ack, _ := cc.SendCmd(&mt.ToCltKick{Reason: mt.AlreadyConnected})
-
-			select {
-			case <-cc.Closed():
-			case <-ack:
-				cc.Close()
-			}
-
-			playersMu.Unlock()
-			return
-		}
-
-		players[cc.Name()] = struct{}{}
-		playersMu.Unlock()
-
 		// reply
 		if DefaultAuth().Exists(cc.Name()) {
 			cc.auth.method = mt.SRP