Jaki/SteamWar
1
0
Fork 0
forked from SteamWar/SteamWar
Code Pull Requests Activity

Merge pull request 'Authentication v2' (#17) from Backend/new-auth into main

Browse Source 
Reviewed-on: SteamWar/SteamWar#17
This commit is contained in:
Chaoscaot
2025-02-25 22:40:09 +01:00
parent 11cf0b6c54 3db327eb84
commit d9b58d7170
6 changed files with 124 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files
VelocityCore/src/de/steamwar/velocitycore/listeners/ChatListener.java
+9 -1
View File
@@ -42,6 +42,7 @@ import de.steamwar.velocitycore.network.NetworkSender;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -53,6 +54,8 @@ public class ChatListener extends BasicListener {
private static final List<String> rankedModes = ArenaMode.getAllModes().stream().filter(ArenaMode::isRanked).map(ArenaMode::getSchemTypeOrInternalName).toList();
private static final Set<String> noLogCommands = Set.of("webpw", "webpassword", "web");
@Subscribe(order = PostOrder.FIRST)
public void fixCommands(CommandExecuteEvent e) {
String command = e.getCommand();
@@ -73,7 +76,8 @@ public class ChatListener extends BasicListener {
public void logCommands(CommandExecuteEvent e) {
String command = e.getCommand();
int space = command.indexOf(' ');
if(VelocityCore.getProxy().getCommandManager().hasCommand(space != -1 ? command.substring(0, space) : command)) {
String cmd = space != -1 ? command.substring(0, space) : command;
if(VelocityCore.getProxy().getCommandManager().hasCommand(cmd)) {
CommandSource source = e.getCommandSource();
String name;
if(source instanceof Player player)
@@ -83,6 +87,10 @@ public class ChatListener extends BasicListener {
else
name = source.toString();
if (noLogCommands.contains(cmd)) {
return;
}
cmdLogger.log(Level.INFO, "%s -> executed command /%s".formatted(name, command));
} else if (e.getCommandSource() instanceof Player player) {
// System.out.println("spoofChatInput " + e);
WebsiteBackend/src/de/steamwar/plugins/Plugins.kt
+12
View File
@@ -20,7 +20,11 @@
package de.steamwar.plugins
import de.steamwar.sql.Token
import de.steamwar.util.TokenType
import de.steamwar.util.isValid
import de.steamwar.util.type
import io.ktor.http.*
import io.ktor.http.auth.*
import io.ktor.serialization.kotlinx.json.*
import io.ktor.server.application.*
import io.ktor.server.auth.*
@@ -66,6 +70,14 @@ fun Application.configurePlugins() {
if (token == null) {
null
} else {
if (!token.isValid) {
token.delete()
return@authenticate null
}
if (token.type == TokenType.REFRESH_TOKEN) {
token.delete()
}
SWAuthPrincipal(token, token.owner)
}
}
WebsiteBackend/src/de/steamwar/routes/Auth.kt
+49 -38
View File
@@ -1,7 +1,7 @@
/*
* This file is a part of the SteamWar software.
*
* Copyright (C) 2024 SteamWar.de-Serverteam
* Copyright (C) 2025 SteamWar.de-Serverteam
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
@@ -21,9 +21,11 @@ package de.steamwar.routes
import de.steamwar.ResponseError
import de.steamwar.plugins.SWAuthPrincipal
import de.steamwar.plugins.SWPermissionCheck
import de.steamwar.sql.SteamwarUser
import de.steamwar.sql.Token
import de.steamwar.util.TokenType
import de.steamwar.util.lifetime
import de.steamwar.util.type
import io.ktor.http.*
import io.ktor.server.application.*
import io.ktor.server.auth.*
@@ -31,64 +33,73 @@ import io.ktor.server.request.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
import kotlinx.serialization.Serializable
import java.time.format.DateTimeFormatter
import java.time.LocalDateTime
import kotlin.time.Duration
import kotlin.time.toJavaDuration
@Serializable
data class AuthLoginRequest(val username: String, val password: String)
data class UsernamePassword(val name: String, val password: String, val keepLoggedIn: Boolean = false)
@Serializable
data class AuthTokenResponse(val token: String)
@Serializable
data class ResponseToken(val id: Int, val name: String, val created: String) {
constructor(token: Token) : this(token.id, token.name, token.created.toLocalDateTime().toString())
data class ResponseToken(val token: String, val expires: String) {
constructor(token: String, lifetime: Duration) : this(token, LocalDateTime.now().plus(lifetime.toJavaDuration()).toString())
}
@Serializable
data class CreateTokenRequest(val name: String, val password: String)
data class AuthTokenResponse(val accessToken: ResponseToken, val refreshToken: ResponseToken? = null)
fun Route.configureAuthRoutes() {
fun SteamwarUser.createAccessAndRefreshToken(keepLoggedIn: Boolean = false): AuthTokenResponse {
val code = System.currentTimeMillis() % 1000
val accessToken = Token.createToken("AT-${userName}-${code}", this)
val refreshToken = if (keepLoggedIn) Token.createToken("RT-${userName}-${code}", this) else null
return AuthTokenResponse(ResponseToken(accessToken, TokenType.ACCESS_TOKEN.lifetime), refreshToken?.let { ResponseToken(it, TokenType.REFRESH_TOKEN.lifetime) })
}
fun Route.configureAuth() {
route("/auth") {
post("/login") {
if (call.principal<SWAuthPrincipal>() != null) {
call.respond(HttpStatusCode.Forbidden, ResponseError("Already logged in", "already_logged_in"))
return@post
}
post {
val request = call.receive<UsernamePassword>()
val request = call.receive<AuthLoginRequest>()
val user = SteamwarUser.get(request.name)
val valid = user?.verifyPassword(request.password) ?: false
val user = SteamwarUser.get(request.username)
if (user == null) {
if (!valid) {
call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username or password", "invalid"))
return@post
}
if (!user.verifyPassword(request.password)) {
call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid username or password", "invalid"))
return@post
}
val code = Token.createToken("Website: ${DateTimeFormatter.ISO_LOCAL_DATE_TIME.format(LocalDateTime.now())}", user)
call.respond(AuthTokenResponse(code))
call.respond(user.createAccessAndRefreshToken(request.keepLoggedIn))
}
route("/tokens") {
install(SWPermissionCheck) {
mustAuth = true
put {
val token = call.principal<SWAuthPrincipal>()
if (token == null || token.token.type != TokenType.REFRESH_TOKEN) {
call.respond(HttpStatusCode.Forbidden, ResponseError("Invalid token type", "invalid"))
return@put
}
post("/logout") {
val auth = call.principal<SWAuthPrincipal>()
val code = token.token.name.substringAfterLast('-')
if(auth == null) {
call.respond(HttpStatusCode.InternalServerError)
return@post
}
Token.listUser(token.user)
.filter { it.type == TokenType.ACCESS_TOKEN }
.filter { it.name.endsWith(code) }
.forEach { it.delete() }
auth.token.delete()
call.respond(HttpStatusCode.OK)
call.respond(token.user.createAccessAndRefreshToken(true))
}
delete {
val token = call.principal<SWAuthPrincipal>()
token?.let { t ->
t.token.delete()
val code = t.token.name.substringAfterLast('-')
Token.listUser(token.user)
.filter { it.type == TokenType.REFRESH_TOKEN }
.filter { it.name.endsWith(code) }
.forEach { it.delete() }
}
call.respond(HttpStatusCode.OK)
}
}
}
WebsiteBackend/src/de/steamwar/routes/Routes.kt
+1 -1
View File
@@ -33,7 +33,7 @@ fun Application.configureRoutes() {
configureStats()
configurePage()
configureSchematic()
configureAuthRoutes()
configureAuth()
}
}
}
WebsiteBackend/src/de/steamwar/routes/Stats.kt
-1
View File
@@ -21,7 +21,6 @@ package de.steamwar.routes
import de.steamwar.plugins.SWAuthPrincipal
import de.steamwar.plugins.SWPermissionCheck
import de.steamwar.plugins.getUser
import de.steamwar.sql.*
import io.ktor.http.*
import io.ktor.server.application.*
WebsiteBackend/src/de/steamwar/util/TokenUtils.kt
+53
View File
@@ -0,0 +1,53 @@
/*
* This file is a part of the SteamWar software.
*
* Copyright (C) 2025 SteamWar.de-Serverteam
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
package de.steamwar.util
import de.steamwar.sql.Token
import java.time.LocalDateTime
import kotlin.time.Duration
import kotlin.time.Duration.Companion.days
import kotlin.time.Duration.Companion.minutes
import kotlin.time.toJavaDuration
val Token.type: TokenType
get() = when (name.substring((0..1))) {
"RT" -> TokenType.REFRESH_TOKEN
"AT" -> TokenType.ACCESS_TOKEN
else -> TokenType.OLD_TOKEN
}
val TokenType.lifetime: Duration
get() = when (this) {
TokenType.REFRESH_TOKEN -> 7.days
TokenType.ACCESS_TOKEN -> 5.minutes
TokenType.OLD_TOKEN -> 1.days
}
val Token.lifetime: Duration
get() = type.lifetime
val Token.isValid: Boolean
get() = created.toLocalDateTime().plus(lifetime.toJavaDuration()).isAfter(LocalDateTime.now())
enum class TokenType {
ACCESS_TOKEN,
REFRESH_TOKEN,
OLD_TOKEN
}