From f40c3631706ae3bbe8abec9d9d3707f8ce1bf931 Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni <slingamn@cs.stanford.edu>
Date: Wed, 13 Feb 2019 02:17:56 -0500
Subject: [PATCH 1/4] compatibility mode for NS IDENTIFY

Standard nickserv clients like znc's expect (by default) to send just:

PRIVMSG NickServ :identify $passphrase

with the account name assumed to be the currently held nick.

Let's support this in the common case where the client doesn't have a certfp
(if it does, the first argument is the account name, not the passphrase).
---
 irc/nickserv.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/irc/nickserv.go b/irc/nickserv.go
index 2d3113c0..eccc0464 100644
--- a/irc/nickserv.go
+++ b/irc/nickserv.go
@@ -256,9 +256,18 @@ func nsIdentifyHandler(server *Server, client *Client, command string, params []
 
 	loginSuccessful := false
 
-	username := params[0]
-	var passphrase string
-	if len(params) > 1 {
+	var username, passphrase string
+	if len(params) == 1 {
+		if client.certfp != "" {
+			username = params[0]
+		} else {
+			// XXX undocumented compatibility mode with other nickservs, allowing
+			// /msg NickServ identify passphrase
+			username = client.NickCasefolded()
+			passphrase = params[0]
+		}
+	} else {
+		username = params[0]
 		passphrase = params[1]
 	}
 

From 6d690b0e369f4128b4c5fd183b3534574d9518f5 Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni <slingamn@cs.stanford.edu>
Date: Wed, 13 Feb 2019 02:42:35 -0500
Subject: [PATCH 2/4] add loglines for account registration, login, and
 unregistration

---
 irc/accounts.go |  5 +++++
 irc/handlers.go | 14 ++++++++------
 irc/nickserv.go |  1 +
 oragono.yaml    |  3 ++-
 4 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/irc/accounts.go b/irc/accounts.go
index dc08aba6..34a617d2 100644
--- a/irc/accounts.go
+++ b/irc/accounts.go
@@ -593,6 +593,11 @@ func (am *AccountManager) Verify(client *Client, account string, code string) er
 		return err
 	}
 
+	nick := "[server admin]"
+	if client != nil {
+		nick = client.Nick()
+	}
+	am.server.logger.Info("accounts", "client", nick, "registered account", casefoldedAccount)
 	raw.Verified = true
 	clientAccount, err := am.deserializeRawAccount(raw)
 	if err != nil {
diff --git a/irc/handlers.go b/irc/handlers.go
index 7723c1ed..e6210d03 100644
--- a/irc/handlers.go
+++ b/irc/handlers.go
@@ -201,21 +201,23 @@ func sendSuccessfulRegResponse(client *Client, rb *ResponseBuffer, forNS bool) {
 
 // sendSuccessfulSaslAuth means that a SASL auth attempt completed successfully, and is used to dispatch messages.
 func sendSuccessfulSaslAuth(client *Client, rb *ResponseBuffer, forNS bool) {
-	account := client.AccountName()
+	details := client.Details()
 
 	if forNS {
-		rb.Notice(fmt.Sprintf(client.t("You're now logged in as %s"), client.AccountName()))
+		rb.Notice(fmt.Sprintf(client.t("You're now logged in as %s"), details.accountName))
 	} else {
-		rb.Add(nil, client.server.name, RPL_LOGGEDIN, client.nick, client.nickMaskString, account, fmt.Sprintf(client.t("You are now logged in as %s"), account))
-		rb.Add(nil, client.server.name, RPL_SASLSUCCESS, client.nick, client.t("Authentication successful"))
+		rb.Add(nil, client.server.name, RPL_LOGGEDIN, details.nick, details.nickMask, details.accountName, fmt.Sprintf(client.t("You are now logged in as %s"), details.accountName))
+		rb.Add(nil, client.server.name, RPL_SASLSUCCESS, details.nick, client.t("Authentication successful"))
 	}
 
 	// dispatch account-notify
 	for friend := range client.Friends(caps.AccountNotify) {
-		friend.Send(nil, client.nickMaskString, "ACCOUNT", account)
+		friend.Send(nil, details.nickMask, "ACCOUNT", details.accountName)
 	}
 
-	client.server.snomasks.Send(sno.LocalAccounts, fmt.Sprintf(ircfmt.Unescape("Client $c[grey][$r%s$c[grey]] logged into account $c[grey][$r%s$c[grey]]"), client.nickMaskString, account))
+	client.server.snomasks.Send(sno.LocalAccounts, fmt.Sprintf(ircfmt.Unescape("Client $c[grey][$r%s$c[grey]] logged into account $c[grey][$r%s$c[grey]]"), details.nickMask, details.accountName))
+
+	client.server.logger.Info("accounts", "client", details.nick, "logged into account", details.accountName)
 }
 
 // ACC VERIFY <accountname> <auth_code>
diff --git a/irc/nickserv.go b/irc/nickserv.go
index eccc0464..078ce2f0 100644
--- a/irc/nickserv.go
+++ b/irc/nickserv.go
@@ -463,6 +463,7 @@ func nsUnregisterHandler(server *Server, client *Client, command string, params
 		nsNotice(rb, client.t("Error while unregistering account"))
 	} else {
 		nsNotice(rb, fmt.Sprintf(client.t("Successfully unregistered account %s"), cfname))
+		server.logger.Info("accounts", "client", client.Nick(), "unregistered account", cfname)
 	}
 }
 
diff --git a/oragono.yaml b/oragono.yaml
index 587143a0..1c27065b 100644
--- a/oragono.yaml
+++ b/oragono.yaml
@@ -372,7 +372,8 @@ logging:
         #   channels        channel creation and operations
         #   commands        command calling and operations
         #   opers           oper actions, authentication, etc
-        #   password        password hashing and comparing
+        #   services        actions related to NickServ, ChanServ, etc.
+        #   internal        unexpected runtime behavior, including potential bugs
         #   userinput       raw lines sent by users
         #   useroutput      raw lines sent to users
         type: "* -userinput -useroutput"

From 44a0770215bdd91a780e267e70431762d2c5b5e1 Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni <slingamn@cs.stanford.edu>
Date: Tue, 12 Feb 2019 22:57:48 -0500
Subject: [PATCH 3/4] document logging methods

---
 README.md      |  2 +-
 docs/MANUAL.md | 11 +++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index ed3873c7..f0d44db1 100644
--- a/README.md
+++ b/README.md
@@ -94,7 +94,7 @@ You can use the `--conf` parameter when launching Oragono to control where it lo
 
 ### Logs
 
-By default, logs are stored in the file `ircd.log`. The configuration format of logs is designed to be easily pluggable, and is inspired by the logging config provided by InspIRCd.
+By default, logs go to stderr only. They can be configured to go to a file, or you can use systemd to direct the stderr to the system journal (see the manual for details). The configuration format of logs is designed to be easily pluggable, and is inspired by the logging config provided by InspIRCd.
 
 ### Passwords
 
diff --git a/docs/MANUAL.md b/docs/MANUAL.md
index ddb5c26c..ee88a15d 100644
--- a/docs/MANUAL.md
+++ b/docs/MANUAL.md
@@ -103,9 +103,16 @@ To get started with Oragono on macOS, Linux, or on a Raspberry Pi:
 
 To start the server, type `./oragono run` and hit enter, and the server should be ready to use!
 
-If you're using Arch Linux, you can also install the [`oragono` package](https://aur.archlinux.org/packages/oragono/) from the AUR. This lets you bypass the above process and bundles a systemd service file for easily starting the server.
+If you're using Arch Linux, you can also install the [`oragono` package](https://aur.archlinux.org/packages/oragono/) from the AUR.
 
-If you're rolling your own deployment, here's another [example](https://github.com/darwin-network/slash/blob/master/etc/systemd/system/ircd.service) of a systemd unit file that can be used to run Oragono as an unprivileged role user.
+
+## Running oragono as a service on Linux
+
+The recommended way to operate oragono as a service on Linux is via systemd. This provides a standard interface for starting, stopping, and rehashing (via `systemctl reload`) the service. It also captures oragono's loglines (sent to stderr in the default configuration) and writes them to the system journal.
+
+If you're using Arch, the abovementioned AUR package bundles a systemd file for starting and stopping the server. If you're rolling your own deployment, here's an [example](https://github.com/darwin-network/slash/blob/master/etc/systemd/system/ircd.service) of a systemd unit file that can be used to run Oragono as an unprivileged role user.
+
+On a non-systemd system, oragono can be configured to log to a file and used [logrotate(8)](https://linux.die.net/man/8/logrotate), since it will reopen its log files (as well as rehashing the config file) upon receiving a SIGHUP.
 
 
 --------------------------------------------------------------------------------------------

From 7786043275c57216b2aca3f9b264231512eb6f5a Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni <slingamn@cs.stanford.edu>
Date: Sun, 10 Feb 2019 05:53:36 -0500
Subject: [PATCH 4/4] make the land-grab check case-insensitive

---
 irc/accounts.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/irc/accounts.go b/irc/accounts.go
index 34a617d2..18bd5ae2 100644
--- a/irc/accounts.go
+++ b/irc/accounts.go
@@ -311,7 +311,7 @@ func (am *AccountManager) Register(client *Client, account string, callbackNames
 	// as an account; this prevents "land-grab" situations where someone else
 	// registers your nick out from under you and then NS GHOSTs you
 	// n.b. client is nil during a SAREGISTER:
-	if config.NickReservation.Enabled && client != nil && client.Nick() != account {
+	if config.NickReservation.Enabled && client != nil && client.NickCasefolded() != casefoldedAccount {
 		return errAccountMustHoldNick
 	}