From d1f831718034233b98f4a4082c55959e5825f121 Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni <slingamn@cs.stanford.edu>
Date: Tue, 12 Jan 2021 08:40:13 -0500
Subject: [PATCH] fix #1479

Give Tor clients who authenticate via SASL a unique cloak, so chanops
can ban *!*@tor-network.onion and still allow authenticated Tor users
---
 irc/getters.go  |  7 +++++++
 irc/handlers.go | 14 ++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/irc/getters.go b/irc/getters.go
index 570e5a42..85f98220 100644
--- a/irc/getters.go
+++ b/irc/getters.go
@@ -307,6 +307,13 @@ func (client *Client) setAccountName(name string) {
 	client.accountName = name
 }
 
+func (client *Client) setCloakedHostname(cloak string) {
+	client.stateMutex.Lock()
+	defer client.stateMutex.Unlock()
+	client.cloakedHostname = cloak
+	client.updateNickMaskNoMutex()
+}
+
 func (client *Client) historyCutoff() (cutoff time.Time) {
 	client.stateMutex.Lock()
 	if client.account != "" {
diff --git a/irc/handlers.go b/irc/handlers.go
index f461d26f..3aec6edc 100644
--- a/irc/handlers.go
+++ b/irc/handlers.go
@@ -116,6 +116,20 @@ func sendSuccessfulAccountAuth(service *ircService, client *Client, rb *Response
 		client.server.sendLoginSnomask(details.nickMask, details.accountName)
 	}
 
+	// #1479: for Tor clients, replace the hostname with the always-on cloak here
+	// (for normal clients, this would discard the IP-based cloak, but with Tor
+	// there's no such concern)
+	if rb.session.isTor {
+		config := client.server.Config()
+		if config.Server.Cloaks.EnabledForAlwaysOn {
+			cloakedHostname := config.Server.Cloaks.ComputeAccountCloak(details.accountName)
+			client.setCloakedHostname(cloakedHostname)
+			if client.registered {
+				client.sendChghost(details.nickMask, client.Hostname())
+			}
+		}
+	}
+
 	client.server.logger.Info("accounts", "client", details.nick, "logged into account", details.accountName)
 }