ElyBy-Mirror/accounts
1
0
Fork 0
mirror of https://github.com/elyby/accounts.git synced 2025-05-31 14:11:46 +05:30
Code Issues Packages Projects Releases Wiki Activity

Remove minecraft_access_keys table and all related code

Browse Source
This commit is contained in:
ErickSkrauch
2024-06-14 05:42:35 +02:00
parent 2111e1769f
commit 0c110213f4
21 changed files with 69 additions and 321 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
api/modules/authserver/models/RefreshTokenForm.php
View File

@@ -10,7 +10,6 @@ use api\modules\authserver\validators\AccessTokenValidator;
use api\modules\authserver\validators\RequiredValidator;
use api\rbac\Permissions as P;
use common\models\Account;
use common\models\MinecraftAccessKey;
use common\models\OauthClient;
use common\models\OauthSession;
use Webmozart\Assert\Assert;
@@ -48,26 +47,13 @@ class RefreshTokenForm extends ApiForm {
*/
public function refresh(): AuthenticateData {
$this->validate();
$account = null;
if (mb_strlen($this->accessToken) === 36) {
/** @var MinecraftAccessKey $token */
$token = MinecraftAccessKey::findOne([
'access_token' => $this->accessToken,
'client_token' => $this->clientToken,
]);
if ($token !== null) {
$account = $token->account;
}
} else {
$token = Yii::$app->tokens->parse($this->accessToken);
$tokenReader = new TokenReader($token);
if ($tokenReader->getMinecraftClientToken() !== $this->clientToken) {
throw new ForbiddenOperationException('Invalid token.');
}
$account = Account::findOne(['id' => $tokenReader->getAccountId()]);
$token = Yii::$app->tokens->parse($this->accessToken);
$tokenReader = new TokenReader($token);
if ($tokenReader->getMinecraftClientToken() !== $this->clientToken) {
throw new ForbiddenOperationException('Invalid token.');
}
$account = Account::findOne(['id' => $tokenReader->getAccountId()]);
if ($account === null) {
throw new ForbiddenOperationException('Invalid token.');
}

31
api/modules/authserver/validators/AccessTokenValidator.php
View File

@@ -7,7 +7,6 @@ use api\components\Tokens\TokenReader;
use api\modules\authserver\exceptions\ForbiddenOperationException;
use Carbon\Carbon;
use common\models\Account;
use common\models\MinecraftAccessKey;
use Exception;
use Yii;
use yii\validators\Validator;
@@ -22,16 +21,10 @@ class AccessTokenValidator extends Validator {
public bool $verifyAccount = true;
/**
* @param string $value
*
* @return array|null
* @throws ForbiddenOperationException
*/
protected function validateValue($value): ?array {
if (mb_strlen($value) === 36) {
return $this->validateLegacyToken($value);
}
try {
$token = Yii::$app->tokens->parse($value);
} catch (Exception $e) {
@@ -53,30 +46,6 @@ class AccessTokenValidator extends Validator {
return null;
}
/**
* @param string $value
*
* @return array|null
* @throws ForbiddenOperationException
*/
private function validateLegacyToken(string $value): ?array {
/** @var MinecraftAccessKey|null $result */
$result = MinecraftAccessKey::findOne(['access_token' => $value]);
if ($result === null) {
throw new ForbiddenOperationException(self::INVALID_TOKEN);
}
if ($this->verifyExpiration && $result->isExpired()) {
throw new ForbiddenOperationException(self::TOKEN_EXPIRED);
}
if ($this->verifyAccount && !$this->validateAccount($result->account_id)) {
throw new ForbiddenOperationException(self::INVALID_TOKEN);
}
return null;
}
private function validateAccount(int $accountId): bool {
/** @var Account|null $account */
$account = Account::find()->excludeDeleted()->andWhere(['id' => $accountId])->one();

75
api/modules/session/models/JoinForm.php
View File

@@ -9,9 +9,9 @@ use api\modules\session\models\protocols\JoinInterface;
use api\modules\session\Module as Session;
use api\modules\session\validators\RequiredValidator;
use api\rbac\Permissions as P;
use Closure;
use common\helpers\StringHelper;
use common\models\Account;
use common\models\MinecraftAccessKey;
use Ramsey\Uuid\Uuid;
use Webmozart\Assert\Assert;
use Yii;
@@ -47,13 +47,12 @@ class JoinForm extends Model {
public function rules(): array {
return [
[['accessToken', 'serverId'], RequiredValidator::class],
[['accessToken', 'selectedProfile'], 'validateUuid'],
[['accessToken'], 'validateAccessToken'],
[['accessToken', 'selectedProfile'], Closure::fromCallable([$this, 'validateUuid'])],
[['accessToken'], Closure::fromCallable([$this, 'validateAccessToken'])],
];
}
/**
* @return bool
* @throws IllegalArgumentException
* @throws ForbiddenOperationException
*/
@@ -66,7 +65,7 @@ class JoinForm extends Model {
return false;
}
$account = $this->getAccount();
$account = $this->account;
$sessionModel = new SessionModel($account->username, $serverId);
Assert::true($sessionModel->save());
@@ -96,7 +95,7 @@ class JoinForm extends Model {
*
* @throws IllegalArgumentException
*/
public function validateUuid(string $attribute): void {
private function validateUuid(string $attribute): void {
if ($this->hasErrors($attribute)) {
return;
}
@@ -109,46 +108,36 @@ class JoinForm extends Model {
/**
* @throws \api\modules\session\exceptions\ForbiddenOperationException
*/
public function validateAccessToken(): void {
private function validateAccessToken(): void {
$accessToken = $this->accessToken;
/** @var MinecraftAccessKey|null $accessModel */
$accessModel = MinecraftAccessKey::findOne(['access_token' => $accessToken]);
if ($accessModel !== null) {
Yii::$app->statsd->inc('sessionserver.authentication.legacy_minecraft_protocol');
/** @var MinecraftAccessKey|\api\components\OAuth2\Entities\AccessTokenEntity $accessModel */
if ($accessModel->isExpired()) {
Session::error("User with access_token = '{$accessToken}' failed join by expired access_token.");
Yii::$app->statsd->inc('sessionserver.authentication.legacy_minecraft_protocol_token_expired');
throw new ForbiddenOperationException('Expired access_token.');
try {
$identity = Yii::$app->user->loginByAccessToken($accessToken);
} catch (UnauthorizedHttpException $e) {
if ($e->getMessage() === 'Token expired') {
throw new ForbiddenOperationException('Expired access_token.', 0, $e);
}
$account = $accessModel->account;
} else {
try {
$identity = Yii::$app->user->loginByAccessToken($accessToken);
} catch (UnauthorizedHttpException $e) {
$identity = null;
}
if ($identity === null) {
Session::error("User with access_token = '{$accessToken}' failed join by wrong access_token.");
Yii::$app->statsd->inc('sessionserver.join.fail_wrong_token');
throw new ForbiddenOperationException('Invalid access_token.');
}
Yii::$app->statsd->inc('sessionserver.authentication.oauth2');
if (!Yii::$app->user->can(P::MINECRAFT_SERVER_SESSION)) {
Session::error("User with access_token = '{$accessToken}' doesn't have enough scopes to make join.");
Yii::$app->statsd->inc('sessionserver.authentication.oauth2_not_enough_scopes');
throw new ForbiddenOperationException('The token does not have required scope.');
}
$account = $identity->getAccount();
$identity = null;
}
if ($identity === null) {
Session::error("User with access_token = '{$accessToken}' failed join by wrong access_token.");
Yii::$app->statsd->inc('sessionserver.join.fail_wrong_token');
throw new ForbiddenOperationException('Invalid access_token.');
}
Yii::$app->statsd->inc('sessionserver.authentication.oauth2');
if (!Yii::$app->user->can(P::MINECRAFT_SERVER_SESSION)) {
Session::error("User with access_token = '{$accessToken}' doesn't have enough scopes to make join.");
Yii::$app->statsd->inc('sessionserver.authentication.oauth2_not_enough_scopes');
throw new ForbiddenOperationException('The token does not have required scope.');
}
/** @var Account $account */
$account = $identity->getAccount();
$selectedProfile = $this->selectedProfile;
$isUuid = StringHelper::isUuid($selectedProfile);
if ($isUuid && $account->uuid !== $this->normalizeUUID($selectedProfile)) {
@@ -172,10 +161,6 @@ class JoinForm extends Model {
$this->account = $account;
}
protected function getAccount(): Account {
return $this->account;
}
private function normalizeUUID(string $uuid): string {
return Uuid::fromString($uuid)->toString();
}