Refactor V2 Auth

2025-02-23 17:24:14 +01:00
parent b045f16160
commit a2b3661605
6 changed files with 60 additions and 182 deletions
@@ -42,6 +42,7 @@ import de.steamwar.velocitycore.network.NetworkSender;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -53,6 +54,8 @@ public class ChatListener extends BasicListener {
    private static final List<String> rankedModes = ArenaMode.getAllModes().stream().filter(ArenaMode::isRanked).map(ArenaMode::getSchemTypeOrInternalName).toList();
    private static final Set<String> noLogCommands = Set.of("webpw", "webpassword");
    @Subscribe(order = PostOrder.FIRST)
    public void fixCommands(CommandExecuteEvent e) {
        String command = e.getCommand();
@@ -73,7 +76,8 @@ public class ChatListener extends BasicListener {
    public void logCommands(CommandExecuteEvent e) {
        String command = e.getCommand();
        int space = command.indexOf(' ');
-        if(VelocityCore.getProxy().getCommandManager().hasCommand(space != -1 ? command.substring(0, space) : command)) {
+        String cmd = space != -1 ? command.substring(0, space) : command;
        if(VelocityCore.getProxy().getCommandManager().hasCommand(cmd)) {
            CommandSource source = e.getCommandSource();
            String name;
            if(source instanceof Player player)
@@ -83,6 +87,10 @@ public class ChatListener extends BasicListener {
            else
                name = source.toString();
            if (noLogCommands.contains(cmd)) {
                return;
            }
            cmdLogger.log(Level.INFO, "%s -> executed command /%s".formatted(name, command));
        } else if (e.getCommandSource() instanceof Player player) {
            // System.out.println("spoofChatInput " + e);
@@ -74,7 +74,7 @@ fun Application.configurePlugins() {
                        token.delete()
                        return@authenticate null
                    }
-                    if (token.type == TokenType.RESET_PASSWORD || token.type == TokenType.REFRESH_TOKEN) {
+                    if (token.type == TokenType.REFRESH_TOKEN) {
                        token.delete()
                    }
@@ -1,7 +1,7 @@
 /*
 *   This file is a part of the SteamWar software.
 *
- *   Copyright (C) 2024 SteamWar.de-Serverteam
+ *   Copyright (C) 2025 SteamWar.de-Serverteam
 *
 *   This program is free software: you can redistribute it and/or modify
 *   it under the terms of the GNU Affero General Public License as published by
@@ -21,9 +21,11 @@ package de.steamwar.routes
 import de.steamwar.ResponseError
 import de.steamwar.plugins.SWAuthPrincipal
 import de.steamwar.plugins.SWPermissionCheck
 import de.steamwar.sql.SteamwarUser
 import de.steamwar.sql.Token
 import de.steamwar.util.TokenType
 import de.steamwar.util.lifetime
 import de.steamwar.util.type
 import io.ktor.http.*
 import io.ktor.server.application.*
 import io.ktor.server.auth.*
@@ -31,64 +33,73 @@ import io.ktor.server.request.*
 import io.ktor.server.response.*
 import io.ktor.server.routing.*
 import kotlinx.serialization.Serializable
 import java.time.format.DateTimeFormatter
 import java.time.LocalDateTime
 import kotlin.time.Duration
 import kotlin.time.toJavaDuration
@Serializable
-data class AuthLoginRequest(val username: String, val password: String)
+data class UsernamePassword(val name: String, val password: String, val keepLoggedIn: Boolean = false)
@Serializable
-data class AuthTokenResponse(val token: String)
+data class ResponseToken(val token: String, val expires: String) {
-
+    constructor(token: String, lifetime: Duration) : this(token, LocalDateTime.now().plus(lifetime.toJavaDuration()).toString())
@Serializable
 data class ResponseToken(val id: Int, val name: String, val created: String) {
    constructor(token: Token) : this(token.id, token.name, token.created.toLocalDateTime().toString())
 }
@Serializable
-data class CreateTokenRequest(val name: String, val password: String)
+data class AuthTokenResponse(val accessToken: ResponseToken, val refreshToken: ResponseToken? = null)
-fun Route.configureAuthRoutes() {
+fun SteamwarUser.createAccessAndRefreshToken(keepLoggedIn: Boolean = false): AuthTokenResponse {
    val code = System.currentTimeMillis() % 1000
    val accessToken = Token.createToken("AT-${userName}-${code}", this)
    val refreshToken = if (keepLoggedIn) Token.createToken("RT-${userName}-${code}", this) else null
    return AuthTokenResponse(ResponseToken(accessToken, TokenType.ACCESS_TOKEN.lifetime), refreshToken?.let { ResponseToken(it, TokenType.REFRESH_TOKEN.lifetime) })
 }
 fun Route.configureAuth() {
    route("/auth") {
-        post("/login") {
+        post {
-            if (call.principal<SWAuthPrincipal>() != null) {
+            val request = call.receive<UsernamePassword>()
                call.respond(HttpStatusCode.Forbidden, ResponseError("Already logged in", "already_logged_in"))
                return@post
            }
-            val request = call.receive<AuthLoginRequest>()
+            val user = SteamwarUser.get(request.name)
            val valid = user?.verifyPassword(request.password) ?: false
-            val user = SteamwarUser.get(request.username)
+            if (!valid) {
            if (user == null) {
                call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username or password", "invalid"))
                return@post
            }
-            if (!user.verifyPassword(request.password)) {
+            call.respond(user.createAccessAndRefreshToken(request.keepLoggedIn))
                call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username or password", "invalid"))
                return@post
            }
            val code = Token.createToken("Website: ${DateTimeFormatter.ISO_LOCAL_DATE_TIME.format(LocalDateTime.now())}", user)
            call.respond(AuthTokenResponse(code))
        }
-        route("/tokens") {
+        put {
-            install(SWPermissionCheck) {
+            val token = call.principal<SWAuthPrincipal>()
-                mustAuth = true
+
            if (token == null || token.token.type != TokenType.REFRESH_TOKEN) {
                call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid token type", "invalid"))
                return@put
            }
-            post("/logout") {
+            val code = token.token.name.substringAfterLast('-')
                val auth = call.principal<SWAuthPrincipal>()
-                if(auth == null) {
+            Token.listUser(token.user)
-                    call.respond(HttpStatusCode.InternalServerError)
+                .filter { it.type == TokenType.ACCESS_TOKEN }
-                    return@post
+                .filter { it.name.endsWith(code) }
-                }
+                .forEach { it.delete() }
-                auth.token.delete()
+            call.respond(token.user.createAccessAndRefreshToken(true))
-                call.respond(HttpStatusCode.OK)
+        }
        delete {
            val token = call.principal<SWAuthPrincipal>()
            token?.let { t ->
                t.token.delete()
                val code = t.token.name.substringAfterLast('-')
                Token.listUser(token.user)
                    .filter { it.type == TokenType.REFRESH_TOKEN }
                    .filter { it.name.endsWith(code) }
                    .forEach { it.delete() }
            }
            call.respond(HttpStatusCode.OK)
        }
    }
 }
@@ -19,7 +19,6 @@
 package de.steamwar.routes
 import de.steamwar.routes.v2.*
 import io.ktor.server.application.*
 import io.ktor.server.auth.*
 import io.ktor.server.routing.*
@@ -34,7 +33,7 @@ fun Application.configureRoutes() {
            configureStats()
            configurePage()
            configureSchematic()
-            configureNewAuth()
+            configureAuth()
        }
    }
 }
@@ -1,137 +0,0 @@
 /*
 *   This file is a part of the SteamWar software.
 *
 *   Copyright (C) 2025 SteamWar.de-Serverteam
 *
 *   This program is free software: you can redistribute it and/or modify
 *   it under the terms of the GNU Affero General Public License as published by
 *   the Free Software Foundation, either version 3 of the License, or
 *   (at your option) any later version.
 *
 *   This program is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 *   GNU Affero General Public License for more details.
 *
 *   You should have received a copy of the GNU Affero General Public License
 *   along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
 package de.steamwar.routes.v2
 import de.steamwar.ResponseError
 import de.steamwar.plugins.SWAuthPrincipal
 import de.steamwar.sql.SWException
 import de.steamwar.sql.SteamwarUser
 import de.steamwar.sql.Token
 import de.steamwar.util.TokenType
 import de.steamwar.util.isValid
 import de.steamwar.util.lifetime
 import de.steamwar.util.type
 import io.ktor.http.*
 import io.ktor.server.application.*
 import io.ktor.server.auth.*
 import io.ktor.server.plugins.*
 import io.ktor.server.request.*
 import io.ktor.server.response.*
 import io.ktor.server.routing.*
 import kotlinx.serialization.Serializable
 import java.time.LocalDateTime
 import kotlin.time.Duration
 import kotlin.time.toJavaDuration
@Serializable
 data class UsernamePassword(val name: String, val password: String, val keepLoggedIn: Boolean = false)
@Serializable
 data class ResponseToken(val token: String, val expires: String) {
    constructor(token: String, lifetime: Duration) : this(token, LocalDateTime.now().plus(lifetime.toJavaDuration()).toString())
 }
@Serializable
 data class AuthTokenResponse(val accessToken: ResponseToken, val refreshToken: ResponseToken? = null)
 fun SteamwarUser.createAccessAndRefreshToken(keepLoggedIn: Boolean = false): AuthTokenResponse {
    val code = System.currentTimeMillis() % 1000
    val accessToken = Token.createToken("AT-${userName}-${code}", this)
    val refreshToken = if (keepLoggedIn) Token.createToken("RT-${userName}-${code}", this) else null
    return AuthTokenResponse(ResponseToken(accessToken, TokenType.ACCESS_TOKEN.lifetime), refreshToken?.let { ResponseToken(it, TokenType.REFRESH_TOKEN.lifetime) })
 }
 fun Route.configureNewAuth() {
    route("/auth") {
        post("/register") {
            val requester = call.request.header("X-Forwarded-For") ?: call.request.origin.remoteAddress
            val request = call.receive<UsernamePassword>()
            val token = call.principal<SWAuthPrincipal>()
            if (token == null || token.token.type != TokenType.RESET_PASSWORD || !token.token.isValid) {
                SWException.log("$requester tried registering with invalid token", "")
                call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid token", "invalid"))
                return@post
            }
            val user = token.user
            if (user.userName != request.name) {
                SWException.log("$requester tried registering for invalid User", """
                        User: ${user.userName}
                        Request: ${request.name}
                    """.trimIndent())
                call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username", "invalid"))
                return@post
            }
            user.setPassword(request.password)
            call.respond(HttpStatusCode.OK)
        }
        route("/state") {
            post {
                val request = call.receive<UsernamePassword>()
                val user = SteamwarUser.get(request.name)
                val valid = user?.verifyPassword(request.password) ?: false
                if (!valid) {
                    call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username or password", "invalid"))
                    return@post
                }
                call.respond(user.createAccessAndRefreshToken(request.keepLoggedIn))
            }
            put {
                val token = call.principal<SWAuthPrincipal>()
                if (token == null || token.token.type != TokenType.REFRESH_TOKEN) {
                    call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid token type", "invalid"))
                    return@put
                }
                val code = token.token.name.substringAfterLast('-')
                Token.listUser(token.user)
                    .filter { it.type == TokenType.ACCESS_TOKEN }
                    .filter { it.name.endsWith(code) }
                    .forEach { it.delete() }
                call.respond(token.user.createAccessAndRefreshToken(true))
            }
            delete {
                val token = call.principal<SWAuthPrincipal>()
                token?.let { t ->
                    t.token.delete()
                    val code = t.token.name.substringAfterLast('-')
                    Token.listUser(token.user)
                        .filter { it.type == TokenType.REFRESH_TOKEN }
                        .filter { it.name.endsWith(code) }
                        .forEach { it.delete() }
                }
                call.respond(HttpStatusCode.OK)
            }
        }
    }
 }
@@ -30,7 +30,6 @@ val Token.type: TokenType
    get() = when (name.substring((0..1))) {
        "RT" -> TokenType.REFRESH_TOKEN
        "AT" -> TokenType.ACCESS_TOKEN
        "PT" -> TokenType.RESET_PASSWORD
        else -> TokenType.OLD_TOKEN
    }
@@ -38,7 +37,6 @@ val TokenType.lifetime: Duration
    get() = when (this) {
        TokenType.REFRESH_TOKEN -> 7.days
        TokenType.ACCESS_TOKEN -> 5.minutes
        TokenType.RESET_PASSWORD -> 10.minutes
        TokenType.OLD_TOKEN -> 1.days
    }
@@ -49,7 +47,6 @@ val Token.isValid: Boolean
    get() = created.toLocalDateTime().plus(lifetime.toJavaDuration()).isAfter(LocalDateTime.now())
 enum class TokenType {
    RESET_PASSWORD,
    ACCESS_TOKEN,
    REFRESH_TOKEN,
    OLD_TOKEN