diff --git a/VelocityCore/src/de/steamwar/velocitycore/listeners/ChatListener.java b/VelocityCore/src/de/steamwar/velocitycore/listeners/ChatListener.java index 0445be62..daccaa9f 100644 --- a/VelocityCore/src/de/steamwar/velocitycore/listeners/ChatListener.java +++ b/VelocityCore/src/de/steamwar/velocitycore/listeners/ChatListener.java @@ -42,6 +42,7 @@ import de.steamwar.velocitycore.network.NetworkSender; import java.util.Arrays; import java.util.List; +import java.util.Set; import java.util.concurrent.TimeUnit; import java.util.logging.Level; import java.util.logging.Logger; @@ -53,6 +54,8 @@ public class ChatListener extends BasicListener { private static final List rankedModes = ArenaMode.getAllModes().stream().filter(ArenaMode::isRanked).map(ArenaMode::getSchemTypeOrInternalName).toList(); + private static final Set noLogCommands = Set.of("webpw", "webpassword"); + @Subscribe(order = PostOrder.FIRST) public void fixCommands(CommandExecuteEvent e) { String command = e.getCommand(); @@ -73,7 +76,8 @@ public class ChatListener extends BasicListener { public void logCommands(CommandExecuteEvent e) { String command = e.getCommand(); int space = command.indexOf(' '); - if(VelocityCore.getProxy().getCommandManager().hasCommand(space != -1 ? command.substring(0, space) : command)) { + String cmd = space != -1 ? command.substring(0, space) : command; + if(VelocityCore.getProxy().getCommandManager().hasCommand(cmd)) { CommandSource source = e.getCommandSource(); String name; if(source instanceof Player player) @@ -83,6 +87,10 @@ public class ChatListener extends BasicListener { else name = source.toString(); + if (noLogCommands.contains(cmd)) { + return; + } + cmdLogger.log(Level.INFO, "%s -> executed command /%s".formatted(name, command)); } else if (e.getCommandSource() instanceof Player player) { // System.out.println("spoofChatInput " + e); diff --git a/WebsiteBackend/src/de/steamwar/plugins/Plugins.kt b/WebsiteBackend/src/de/steamwar/plugins/Plugins.kt index 0cff0a03..95389abe 100644 --- a/WebsiteBackend/src/de/steamwar/plugins/Plugins.kt +++ b/WebsiteBackend/src/de/steamwar/plugins/Plugins.kt @@ -74,7 +74,7 @@ fun Application.configurePlugins() { token.delete() return@authenticate null } - if (token.type == TokenType.RESET_PASSWORD || token.type == TokenType.REFRESH_TOKEN) { + if (token.type == TokenType.REFRESH_TOKEN) { token.delete() } diff --git a/WebsiteBackend/src/de/steamwar/routes/Auth.kt b/WebsiteBackend/src/de/steamwar/routes/Auth.kt index 52238c32..e76ae47b 100644 --- a/WebsiteBackend/src/de/steamwar/routes/Auth.kt +++ b/WebsiteBackend/src/de/steamwar/routes/Auth.kt @@ -1,7 +1,7 @@ /* * This file is a part of the SteamWar software. * - * Copyright (C) 2024 SteamWar.de-Serverteam + * Copyright (C) 2025 SteamWar.de-Serverteam * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as published by @@ -21,9 +21,11 @@ package de.steamwar.routes import de.steamwar.ResponseError import de.steamwar.plugins.SWAuthPrincipal -import de.steamwar.plugins.SWPermissionCheck import de.steamwar.sql.SteamwarUser import de.steamwar.sql.Token +import de.steamwar.util.TokenType +import de.steamwar.util.lifetime +import de.steamwar.util.type import io.ktor.http.* import io.ktor.server.application.* import io.ktor.server.auth.* @@ -31,64 +33,73 @@ import io.ktor.server.request.* import io.ktor.server.response.* import io.ktor.server.routing.* import kotlinx.serialization.Serializable -import java.time.format.DateTimeFormatter import java.time.LocalDateTime +import kotlin.time.Duration +import kotlin.time.toJavaDuration @Serializable -data class AuthLoginRequest(val username: String, val password: String) +data class UsernamePassword(val name: String, val password: String, val keepLoggedIn: Boolean = false) @Serializable -data class AuthTokenResponse(val token: String) - -@Serializable -data class ResponseToken(val id: Int, val name: String, val created: String) { - constructor(token: Token) : this(token.id, token.name, token.created.toLocalDateTime().toString()) +data class ResponseToken(val token: String, val expires: String) { + constructor(token: String, lifetime: Duration) : this(token, LocalDateTime.now().plus(lifetime.toJavaDuration()).toString()) } @Serializable -data class CreateTokenRequest(val name: String, val password: String) +data class AuthTokenResponse(val accessToken: ResponseToken, val refreshToken: ResponseToken? = null) -fun Route.configureAuthRoutes() { +fun SteamwarUser.createAccessAndRefreshToken(keepLoggedIn: Boolean = false): AuthTokenResponse { + val code = System.currentTimeMillis() % 1000 + val accessToken = Token.createToken("AT-${userName}-${code}", this) + val refreshToken = if (keepLoggedIn) Token.createToken("RT-${userName}-${code}", this) else null + + return AuthTokenResponse(ResponseToken(accessToken, TokenType.ACCESS_TOKEN.lifetime), refreshToken?.let { ResponseToken(it, TokenType.REFRESH_TOKEN.lifetime) }) +} + +fun Route.configureAuth() { route("/auth") { - post("/login") { - if (call.principal() != null) { - call.respond(HttpStatusCode.Forbidden, ResponseError("Already logged in", "already_logged_in")) - return@post - } + post { + val request = call.receive() - val request = call.receive() + val user = SteamwarUser.get(request.name) + val valid = user?.verifyPassword(request.password) ?: false - val user = SteamwarUser.get(request.username) - - if (user == null) { + if (!valid) { call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username or password", "invalid")) return@post } - if (!user.verifyPassword(request.password)) { - call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username or password", "invalid")) - return@post - } - - val code = Token.createToken("Website: ${DateTimeFormatter.ISO_LOCAL_DATE_TIME.format(LocalDateTime.now())}", user) - call.respond(AuthTokenResponse(code)) + call.respond(user.createAccessAndRefreshToken(request.keepLoggedIn)) } - route("/tokens") { - install(SWPermissionCheck) { - mustAuth = true + put { + val token = call.principal() + + if (token == null || token.token.type != TokenType.REFRESH_TOKEN) { + call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid token type", "invalid")) + return@put } - post("/logout") { - val auth = call.principal() + val code = token.token.name.substringAfterLast('-') - if(auth == null) { - call.respond(HttpStatusCode.InternalServerError) - return@post - } + Token.listUser(token.user) + .filter { it.type == TokenType.ACCESS_TOKEN } + .filter { it.name.endsWith(code) } + .forEach { it.delete() } - auth.token.delete() - call.respond(HttpStatusCode.OK) + call.respond(token.user.createAccessAndRefreshToken(true)) + } + delete { + val token = call.principal() + token?.let { t -> + t.token.delete() + val code = t.token.name.substringAfterLast('-') + Token.listUser(token.user) + .filter { it.type == TokenType.REFRESH_TOKEN } + .filter { it.name.endsWith(code) } + .forEach { it.delete() } } + + call.respond(HttpStatusCode.OK) } } } \ No newline at end of file diff --git a/WebsiteBackend/src/de/steamwar/routes/Routes.kt b/WebsiteBackend/src/de/steamwar/routes/Routes.kt index f0e287f0..388f8055 100644 --- a/WebsiteBackend/src/de/steamwar/routes/Routes.kt +++ b/WebsiteBackend/src/de/steamwar/routes/Routes.kt @@ -19,7 +19,6 @@ package de.steamwar.routes -import de.steamwar.routes.v2.* import io.ktor.server.application.* import io.ktor.server.auth.* import io.ktor.server.routing.* @@ -34,7 +33,7 @@ fun Application.configureRoutes() { configureStats() configurePage() configureSchematic() - configureNewAuth() + configureAuth() } } } \ No newline at end of file diff --git a/WebsiteBackend/src/de/steamwar/routes/v2/Auth.kt b/WebsiteBackend/src/de/steamwar/routes/v2/Auth.kt deleted file mode 100644 index 79fcd2ac..00000000 --- a/WebsiteBackend/src/de/steamwar/routes/v2/Auth.kt +++ /dev/null @@ -1,137 +0,0 @@ -/* - * This file is a part of the SteamWar software. - * - * Copyright (C) 2025 SteamWar.de-Serverteam - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see . - */ - -package de.steamwar.routes.v2 - -import de.steamwar.ResponseError -import de.steamwar.plugins.SWAuthPrincipal -import de.steamwar.sql.SWException -import de.steamwar.sql.SteamwarUser -import de.steamwar.sql.Token -import de.steamwar.util.TokenType -import de.steamwar.util.isValid -import de.steamwar.util.lifetime -import de.steamwar.util.type -import io.ktor.http.* -import io.ktor.server.application.* -import io.ktor.server.auth.* -import io.ktor.server.plugins.* -import io.ktor.server.request.* -import io.ktor.server.response.* -import io.ktor.server.routing.* -import kotlinx.serialization.Serializable -import java.time.LocalDateTime -import kotlin.time.Duration -import kotlin.time.toJavaDuration - -@Serializable -data class UsernamePassword(val name: String, val password: String, val keepLoggedIn: Boolean = false) - -@Serializable -data class ResponseToken(val token: String, val expires: String) { - constructor(token: String, lifetime: Duration) : this(token, LocalDateTime.now().plus(lifetime.toJavaDuration()).toString()) -} - -@Serializable -data class AuthTokenResponse(val accessToken: ResponseToken, val refreshToken: ResponseToken? = null) - -fun SteamwarUser.createAccessAndRefreshToken(keepLoggedIn: Boolean = false): AuthTokenResponse { - val code = System.currentTimeMillis() % 1000 - val accessToken = Token.createToken("AT-${userName}-${code}", this) - val refreshToken = if (keepLoggedIn) Token.createToken("RT-${userName}-${code}", this) else null - - return AuthTokenResponse(ResponseToken(accessToken, TokenType.ACCESS_TOKEN.lifetime), refreshToken?.let { ResponseToken(it, TokenType.REFRESH_TOKEN.lifetime) }) -} - -fun Route.configureNewAuth() { - route("/auth") { - post("/register") { - val requester = call.request.header("X-Forwarded-For") ?: call.request.origin.remoteAddress - - val request = call.receive() - val token = call.principal() - - if (token == null || token.token.type != TokenType.RESET_PASSWORD || !token.token.isValid) { - SWException.log("$requester tried registering with invalid token", "") - call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid token", "invalid")) - return@post - } - - val user = token.user - - if (user.userName != request.name) { - SWException.log("$requester tried registering for invalid User", """ - User: ${user.userName} - Request: ${request.name} - """.trimIndent()) - call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username", "invalid")) - return@post - } - - user.setPassword(request.password) - - call.respond(HttpStatusCode.OK) - } - route("/state") { - post { - val request = call.receive() - - val user = SteamwarUser.get(request.name) - val valid = user?.verifyPassword(request.password) ?: false - - if (!valid) { - call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username or password", "invalid")) - return@post - } - - call.respond(user.createAccessAndRefreshToken(request.keepLoggedIn)) - } - put { - val token = call.principal() - - if (token == null || token.token.type != TokenType.REFRESH_TOKEN) { - call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid token type", "invalid")) - return@put - } - - val code = token.token.name.substringAfterLast('-') - - Token.listUser(token.user) - .filter { it.type == TokenType.ACCESS_TOKEN } - .filter { it.name.endsWith(code) } - .forEach { it.delete() } - - call.respond(token.user.createAccessAndRefreshToken(true)) - } - delete { - val token = call.principal() - token?.let { t -> - t.token.delete() - val code = t.token.name.substringAfterLast('-') - Token.listUser(token.user) - .filter { it.type == TokenType.REFRESH_TOKEN } - .filter { it.name.endsWith(code) } - .forEach { it.delete() } - } - - call.respond(HttpStatusCode.OK) - } - } - } -} \ No newline at end of file diff --git a/WebsiteBackend/src/de/steamwar/util/TokenUtils.kt b/WebsiteBackend/src/de/steamwar/util/TokenUtils.kt index 4f5f8a4f..54675dd0 100644 --- a/WebsiteBackend/src/de/steamwar/util/TokenUtils.kt +++ b/WebsiteBackend/src/de/steamwar/util/TokenUtils.kt @@ -30,7 +30,6 @@ val Token.type: TokenType get() = when (name.substring((0..1))) { "RT" -> TokenType.REFRESH_TOKEN "AT" -> TokenType.ACCESS_TOKEN - "PT" -> TokenType.RESET_PASSWORD else -> TokenType.OLD_TOKEN } @@ -38,7 +37,6 @@ val TokenType.lifetime: Duration get() = when (this) { TokenType.REFRESH_TOKEN -> 7.days TokenType.ACCESS_TOKEN -> 5.minutes - TokenType.RESET_PASSWORD -> 10.minutes TokenType.OLD_TOKEN -> 1.days } @@ -49,7 +47,6 @@ val Token.isValid: Boolean get() = created.toLocalDateTime().plus(lifetime.toJavaDuration()).isAfter(LocalDateTime.now()) enum class TokenType { - RESET_PASSWORD, ACCESS_TOKEN, REFRESH_TOKEN, OLD_TOKEN