Replace separate minecraft access tokens with JWT

api/components/Tokens/Component.php

@@ -4,6 +4,7 @@ declare(strict_types=1);
 namespace api\components\Tokens;
 
 use Carbon\Carbon;
+use Defuse\Crypto\Crypto;
 use Exception;
 use Lcobucci\JWT\Builder;
 use Lcobucci\JWT\Parser;
@@ -35,6 +36,11 @@ class Component extends BaseComponent {
      */
     public $privateKeyPass;
 
+    /**
+     * @var string|\Defuse\Crypto\Key
+     */
+    public $encryptionKey;
+
     /**
      * @var AlgorithmsManager|null
      */
@@ -45,6 +51,7 @@ class Component extends BaseComponent {
         Assert::notEmpty($this->hmacKey, 'hmacKey must be set');
         Assert::notEmpty($this->privateKeyPath, 'privateKeyPath must be set');
         Assert::notEmpty($this->publicKeyPath, 'publicKeyPath must be set');
+        Assert::notEmpty($this->encryptionKey, 'encryptionKey must be set');
     }
 
     public function create(array $payloads = [], array $headers = []): Token {
@@ -53,11 +60,11 @@ class Component extends BaseComponent {
             ->issuedAt($now->getTimestamp())
             ->expiresAt($now->addHour()->getTimestamp());
         foreach ($payloads as $claim => $value) {
-            $builder->withClaim($claim, $value);
+            $builder->withClaim($claim, $this->prepareValue($value));
         }
 
         foreach ($headers as $claim => $value) {
-            $builder->withHeader($claim, $value);
+            $builder->withHeader($claim, $this->prepareValue($value));
         }
 
         /** @noinspection PhpUnhandledExceptionInspection */
@@ -85,6 +92,10 @@ class Component extends BaseComponent {
         }
     }
 
+    public function decryptValue(string $encryptedValue): string {
+        return Crypto::decryptWithPassword($encryptedValue, $this->encryptionKey);
+    }
+
     private function getAlgorithmManager(): AlgorithmsManager {
         if ($this->algorithmManager === null) {
             $this->algorithmManager = new AlgorithmsManager([
@@ -100,4 +111,12 @@ class Component extends BaseComponent {
         return $this->algorithmManager;
     }
 
+    private function prepareValue($value) {
+        if ($value instanceof EncryptedValue) {
+            return Crypto::encryptWithPassword($value->getValue(), $this->encryptionKey);
+        }
+
+        return $value;
+    }
+
 }

api/components/Tokens/EncryptedValue.php

@@ -0,0 +1,21 @@
+<?php
+declare(strict_types=1);
+
+namespace api\components\Tokens;
+
+class EncryptedValue {
+
+    /**
+     * @var string
+     */
+    private $value;
+
+    public function __construct(string $value) {
+        $this->value = $value;
+    }
+
+    public function getValue(): string {
+        return $this->value;
+    }
+
+}

api/components/Tokens/TokensFactory.php

@@ -3,6 +3,8 @@ declare(strict_types=1);
 
 namespace api\components\Tokens;
 
+use api\rbac\Permissions as P;
+use api\rbac\Roles as R;
 use Carbon\Carbon;
 use common\models\Account;
 use common\models\AccountSession;
@@ -10,16 +12,17 @@ use Lcobucci\JWT\Token;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use Yii;
+use yii\base\Component;
 
-class TokensFactory {
+class TokensFactory extends Component {
 
     public const SUB_ACCOUNT_PREFIX = 'ely|';
     public const AUD_CLIENT_PREFIX = 'client|';
 
-    public static function createForAccount(Account $account, AccountSession $session = null): Token {
+    public function createForWebAccount(Account $account, AccountSession $session = null): Token {
         $payloads = [
-            'ely-scopes' => 'accounts_web_user',
-            'sub' => self::buildSub($account->id),
+            'ely-scopes' => R::ACCOUNTS_WEB_USER,
+            'sub' => $this->buildSub($account->id),
         ];
         if ($session === null) {
             // If we don't remember a session, the token should live longer
@@ -32,26 +35,39 @@ class TokensFactory {
         return Yii::$app->tokens->create($payloads);
     }
 
-    public static function createForOAuthClient(AccessTokenEntityInterface $accessToken): Token {
+    public function createForOAuthClient(AccessTokenEntityInterface $accessToken): Token {
         $payloads = [
-            'aud' => self::buildAud($accessToken->getClient()->getIdentifier()),
-            'ely-scopes' => implode(',', array_map(static function(ScopeEntityInterface $scope): string {
+            'aud' => $this->buildAud($accessToken->getClient()->getIdentifier()),
+            'ely-scopes' => $this->joinScopes(array_map(static function(ScopeEntityInterface $scope): string {
                 return $scope->getIdentifier();
             }, $accessToken->getScopes())),
             'exp' => $accessToken->getExpiryDateTime()->getTimestamp(),
         ];
         if ($accessToken->getUserIdentifier() !== null) {
-            $payloads['sub'] = self::buildSub($accessToken->getUserIdentifier());
+            $payloads['sub'] = $this->buildSub($accessToken->getUserIdentifier());
         }
 
         return Yii::$app->tokens->create($payloads);
     }
 
-    private static function buildSub(int $accountId): string {
+    public function createForMinecraftAccount(Account $account, string $clientToken): Token {
+        return Yii::$app->tokens->create([
+            'ely-scopes' => $this->joinScopes([P::MINECRAFT_SERVER_SESSION]),
+            'ely-client-token' => new EncryptedValue($clientToken),
+            'sub' => $this->buildSub($account->id),
+            'exp' => Carbon::now()->addDays(2)->getTimestamp(),
+        ]);
+    }
+
+    private function joinScopes(array $scopes): string {
+        return implode(',', $scopes);
+    }
+
+    private function buildSub(int $accountId): string {
         return self::SUB_ACCOUNT_PREFIX . $accountId;
     }
 
-    private static function buildAud(string $clientId): string {
+    private function buildAud(string $clientId): string {
         return self::AUD_CLIENT_PREFIX . $clientId;
     }