forked from SteamWar/SteamWar
Refactor V2 Auth
This commit is contained in:
@@ -42,6 +42,7 @@ import de.steamwar.velocitycore.network.NetworkSender;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
@@ -53,6 +54,8 @@ public class ChatListener extends BasicListener {
|
||||
|
||||
private static final List<String> rankedModes = ArenaMode.getAllModes().stream().filter(ArenaMode::isRanked).map(ArenaMode::getSchemTypeOrInternalName).toList();
|
||||
|
||||
private static final Set<String> noLogCommands = Set.of("webpw", "webpassword");
|
||||
|
||||
@Subscribe(order = PostOrder.FIRST)
|
||||
public void fixCommands(CommandExecuteEvent e) {
|
||||
String command = e.getCommand();
|
||||
@@ -73,7 +76,8 @@ public class ChatListener extends BasicListener {
|
||||
public void logCommands(CommandExecuteEvent e) {
|
||||
String command = e.getCommand();
|
||||
int space = command.indexOf(' ');
|
||||
if(VelocityCore.getProxy().getCommandManager().hasCommand(space != -1 ? command.substring(0, space) : command)) {
|
||||
String cmd = space != -1 ? command.substring(0, space) : command;
|
||||
if(VelocityCore.getProxy().getCommandManager().hasCommand(cmd)) {
|
||||
CommandSource source = e.getCommandSource();
|
||||
String name;
|
||||
if(source instanceof Player player)
|
||||
@@ -83,6 +87,10 @@ public class ChatListener extends BasicListener {
|
||||
else
|
||||
name = source.toString();
|
||||
|
||||
if (noLogCommands.contains(cmd)) {
|
||||
return;
|
||||
}
|
||||
|
||||
cmdLogger.log(Level.INFO, "%s -> executed command /%s".formatted(name, command));
|
||||
} else if (e.getCommandSource() instanceof Player player) {
|
||||
// System.out.println("spoofChatInput " + e);
|
||||
|
||||
@@ -74,7 +74,7 @@ fun Application.configurePlugins() {
|
||||
token.delete()
|
||||
return@authenticate null
|
||||
}
|
||||
if (token.type == TokenType.RESET_PASSWORD || token.type == TokenType.REFRESH_TOKEN) {
|
||||
if (token.type == TokenType.REFRESH_TOKEN) {
|
||||
token.delete()
|
||||
}
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
/*
|
||||
* This file is a part of the SteamWar software.
|
||||
*
|
||||
* Copyright (C) 2024 SteamWar.de-Serverteam
|
||||
* Copyright (C) 2025 SteamWar.de-Serverteam
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as published by
|
||||
@@ -21,9 +21,11 @@ package de.steamwar.routes
|
||||
|
||||
import de.steamwar.ResponseError
|
||||
import de.steamwar.plugins.SWAuthPrincipal
|
||||
import de.steamwar.plugins.SWPermissionCheck
|
||||
import de.steamwar.sql.SteamwarUser
|
||||
import de.steamwar.sql.Token
|
||||
import de.steamwar.util.TokenType
|
||||
import de.steamwar.util.lifetime
|
||||
import de.steamwar.util.type
|
||||
import io.ktor.http.*
|
||||
import io.ktor.server.application.*
|
||||
import io.ktor.server.auth.*
|
||||
@@ -31,64 +33,73 @@ import io.ktor.server.request.*
|
||||
import io.ktor.server.response.*
|
||||
import io.ktor.server.routing.*
|
||||
import kotlinx.serialization.Serializable
|
||||
import java.time.format.DateTimeFormatter
|
||||
import java.time.LocalDateTime
|
||||
import kotlin.time.Duration
|
||||
import kotlin.time.toJavaDuration
|
||||
|
||||
@Serializable
|
||||
data class AuthLoginRequest(val username: String, val password: String)
|
||||
data class UsernamePassword(val name: String, val password: String, val keepLoggedIn: Boolean = false)
|
||||
|
||||
@Serializable
|
||||
data class AuthTokenResponse(val token: String)
|
||||
|
||||
@Serializable
|
||||
data class ResponseToken(val id: Int, val name: String, val created: String) {
|
||||
constructor(token: Token) : this(token.id, token.name, token.created.toLocalDateTime().toString())
|
||||
data class ResponseToken(val token: String, val expires: String) {
|
||||
constructor(token: String, lifetime: Duration) : this(token, LocalDateTime.now().plus(lifetime.toJavaDuration()).toString())
|
||||
}
|
||||
|
||||
@Serializable
|
||||
data class CreateTokenRequest(val name: String, val password: String)
|
||||
data class AuthTokenResponse(val accessToken: ResponseToken, val refreshToken: ResponseToken? = null)
|
||||
|
||||
fun Route.configureAuthRoutes() {
|
||||
fun SteamwarUser.createAccessAndRefreshToken(keepLoggedIn: Boolean = false): AuthTokenResponse {
|
||||
val code = System.currentTimeMillis() % 1000
|
||||
val accessToken = Token.createToken("AT-${userName}-${code}", this)
|
||||
val refreshToken = if (keepLoggedIn) Token.createToken("RT-${userName}-${code}", this) else null
|
||||
|
||||
return AuthTokenResponse(ResponseToken(accessToken, TokenType.ACCESS_TOKEN.lifetime), refreshToken?.let { ResponseToken(it, TokenType.REFRESH_TOKEN.lifetime) })
|
||||
}
|
||||
|
||||
fun Route.configureAuth() {
|
||||
route("/auth") {
|
||||
post("/login") {
|
||||
if (call.principal<SWAuthPrincipal>() != null) {
|
||||
call.respond(HttpStatusCode.Forbidden, ResponseError("Already logged in", "already_logged_in"))
|
||||
return@post
|
||||
}
|
||||
post {
|
||||
val request = call.receive<UsernamePassword>()
|
||||
|
||||
val request = call.receive<AuthLoginRequest>()
|
||||
val user = SteamwarUser.get(request.name)
|
||||
val valid = user?.verifyPassword(request.password) ?: false
|
||||
|
||||
val user = SteamwarUser.get(request.username)
|
||||
|
||||
if (user == null) {
|
||||
if (!valid) {
|
||||
call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username or password", "invalid"))
|
||||
return@post
|
||||
}
|
||||
|
||||
if (!user.verifyPassword(request.password)) {
|
||||
call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username or password", "invalid"))
|
||||
return@post
|
||||
call.respond(user.createAccessAndRefreshToken(request.keepLoggedIn))
|
||||
}
|
||||
put {
|
||||
val token = call.principal<SWAuthPrincipal>()
|
||||
|
||||
if (token == null || token.token.type != TokenType.REFRESH_TOKEN) {
|
||||
call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid token type", "invalid"))
|
||||
return@put
|
||||
}
|
||||
|
||||
val code = Token.createToken("Website: ${DateTimeFormatter.ISO_LOCAL_DATE_TIME.format(LocalDateTime.now())}", user)
|
||||
call.respond(AuthTokenResponse(code))
|
||||
val code = token.token.name.substringAfterLast('-')
|
||||
|
||||
Token.listUser(token.user)
|
||||
.filter { it.type == TokenType.ACCESS_TOKEN }
|
||||
.filter { it.name.endsWith(code) }
|
||||
.forEach { it.delete() }
|
||||
|
||||
call.respond(token.user.createAccessAndRefreshToken(true))
|
||||
}
|
||||
route("/tokens") {
|
||||
install(SWPermissionCheck) {
|
||||
mustAuth = true
|
||||
delete {
|
||||
val token = call.principal<SWAuthPrincipal>()
|
||||
token?.let { t ->
|
||||
t.token.delete()
|
||||
val code = t.token.name.substringAfterLast('-')
|
||||
Token.listUser(token.user)
|
||||
.filter { it.type == TokenType.REFRESH_TOKEN }
|
||||
.filter { it.name.endsWith(code) }
|
||||
.forEach { it.delete() }
|
||||
}
|
||||
|
||||
post("/logout") {
|
||||
val auth = call.principal<SWAuthPrincipal>()
|
||||
|
||||
if(auth == null) {
|
||||
call.respond(HttpStatusCode.InternalServerError)
|
||||
return@post
|
||||
}
|
||||
|
||||
auth.token.delete()
|
||||
call.respond(HttpStatusCode.OK)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -19,7 +19,6 @@
|
||||
|
||||
package de.steamwar.routes
|
||||
|
||||
import de.steamwar.routes.v2.*
|
||||
import io.ktor.server.application.*
|
||||
import io.ktor.server.auth.*
|
||||
import io.ktor.server.routing.*
|
||||
@@ -34,7 +33,7 @@ fun Application.configureRoutes() {
|
||||
configureStats()
|
||||
configurePage()
|
||||
configureSchematic()
|
||||
configureNewAuth()
|
||||
configureAuth()
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,137 +0,0 @@
|
||||
/*
|
||||
* This file is a part of the SteamWar software.
|
||||
*
|
||||
* Copyright (C) 2025 SteamWar.de-Serverteam
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
package de.steamwar.routes.v2
|
||||
|
||||
import de.steamwar.ResponseError
|
||||
import de.steamwar.plugins.SWAuthPrincipal
|
||||
import de.steamwar.sql.SWException
|
||||
import de.steamwar.sql.SteamwarUser
|
||||
import de.steamwar.sql.Token
|
||||
import de.steamwar.util.TokenType
|
||||
import de.steamwar.util.isValid
|
||||
import de.steamwar.util.lifetime
|
||||
import de.steamwar.util.type
|
||||
import io.ktor.http.*
|
||||
import io.ktor.server.application.*
|
||||
import io.ktor.server.auth.*
|
||||
import io.ktor.server.plugins.*
|
||||
import io.ktor.server.request.*
|
||||
import io.ktor.server.response.*
|
||||
import io.ktor.server.routing.*
|
||||
import kotlinx.serialization.Serializable
|
||||
import java.time.LocalDateTime
|
||||
import kotlin.time.Duration
|
||||
import kotlin.time.toJavaDuration
|
||||
|
||||
@Serializable
|
||||
data class UsernamePassword(val name: String, val password: String, val keepLoggedIn: Boolean = false)
|
||||
|
||||
@Serializable
|
||||
data class ResponseToken(val token: String, val expires: String) {
|
||||
constructor(token: String, lifetime: Duration) : this(token, LocalDateTime.now().plus(lifetime.toJavaDuration()).toString())
|
||||
}
|
||||
|
||||
@Serializable
|
||||
data class AuthTokenResponse(val accessToken: ResponseToken, val refreshToken: ResponseToken? = null)
|
||||
|
||||
fun SteamwarUser.createAccessAndRefreshToken(keepLoggedIn: Boolean = false): AuthTokenResponse {
|
||||
val code = System.currentTimeMillis() % 1000
|
||||
val accessToken = Token.createToken("AT-${userName}-${code}", this)
|
||||
val refreshToken = if (keepLoggedIn) Token.createToken("RT-${userName}-${code}", this) else null
|
||||
|
||||
return AuthTokenResponse(ResponseToken(accessToken, TokenType.ACCESS_TOKEN.lifetime), refreshToken?.let { ResponseToken(it, TokenType.REFRESH_TOKEN.lifetime) })
|
||||
}
|
||||
|
||||
fun Route.configureNewAuth() {
|
||||
route("/auth") {
|
||||
post("/register") {
|
||||
val requester = call.request.header("X-Forwarded-For") ?: call.request.origin.remoteAddress
|
||||
|
||||
val request = call.receive<UsernamePassword>()
|
||||
val token = call.principal<SWAuthPrincipal>()
|
||||
|
||||
if (token == null || token.token.type != TokenType.RESET_PASSWORD || !token.token.isValid) {
|
||||
SWException.log("$requester tried registering with invalid token", "")
|
||||
call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid token", "invalid"))
|
||||
return@post
|
||||
}
|
||||
|
||||
val user = token.user
|
||||
|
||||
if (user.userName != request.name) {
|
||||
SWException.log("$requester tried registering for invalid User", """
|
||||
User: ${user.userName}
|
||||
Request: ${request.name}
|
||||
""".trimIndent())
|
||||
call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username", "invalid"))
|
||||
return@post
|
||||
}
|
||||
|
||||
user.setPassword(request.password)
|
||||
|
||||
call.respond(HttpStatusCode.OK)
|
||||
}
|
||||
route("/state") {
|
||||
post {
|
||||
val request = call.receive<UsernamePassword>()
|
||||
|
||||
val user = SteamwarUser.get(request.name)
|
||||
val valid = user?.verifyPassword(request.password) ?: false
|
||||
|
||||
if (!valid) {
|
||||
call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username or password", "invalid"))
|
||||
return@post
|
||||
}
|
||||
|
||||
call.respond(user.createAccessAndRefreshToken(request.keepLoggedIn))
|
||||
}
|
||||
put {
|
||||
val token = call.principal<SWAuthPrincipal>()
|
||||
|
||||
if (token == null || token.token.type != TokenType.REFRESH_TOKEN) {
|
||||
call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid token type", "invalid"))
|
||||
return@put
|
||||
}
|
||||
|
||||
val code = token.token.name.substringAfterLast('-')
|
||||
|
||||
Token.listUser(token.user)
|
||||
.filter { it.type == TokenType.ACCESS_TOKEN }
|
||||
.filter { it.name.endsWith(code) }
|
||||
.forEach { it.delete() }
|
||||
|
||||
call.respond(token.user.createAccessAndRefreshToken(true))
|
||||
}
|
||||
delete {
|
||||
val token = call.principal<SWAuthPrincipal>()
|
||||
token?.let { t ->
|
||||
t.token.delete()
|
||||
val code = t.token.name.substringAfterLast('-')
|
||||
Token.listUser(token.user)
|
||||
.filter { it.type == TokenType.REFRESH_TOKEN }
|
||||
.filter { it.name.endsWith(code) }
|
||||
.forEach { it.delete() }
|
||||
}
|
||||
|
||||
call.respond(HttpStatusCode.OK)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -30,7 +30,6 @@ val Token.type: TokenType
|
||||
get() = when (name.substring((0..1))) {
|
||||
"RT" -> TokenType.REFRESH_TOKEN
|
||||
"AT" -> TokenType.ACCESS_TOKEN
|
||||
"PT" -> TokenType.RESET_PASSWORD
|
||||
else -> TokenType.OLD_TOKEN
|
||||
}
|
||||
|
||||
@@ -38,7 +37,6 @@ val TokenType.lifetime: Duration
|
||||
get() = when (this) {
|
||||
TokenType.REFRESH_TOKEN -> 7.days
|
||||
TokenType.ACCESS_TOKEN -> 5.minutes
|
||||
TokenType.RESET_PASSWORD -> 10.minutes
|
||||
TokenType.OLD_TOKEN -> 1.days
|
||||
}
|
||||
|
||||
@@ -49,7 +47,6 @@ val Token.isValid: Boolean
|
||||
get() = created.toLocalDateTime().plus(lifetime.toJavaDuration()).isAfter(LocalDateTime.now())
|
||||
|
||||
enum class TokenType {
|
||||
RESET_PASSWORD,
|
||||
ACCESS_TOKEN,
|
||||
REFRESH_TOKEN,
|
||||
OLD_TOKEN
|
||||
|
||||
Reference in New Issue
Block a user