Spacebar/server
1
0
Fork 0
mirror of https://github.com/spacebarchat/server.git synced 2024-11-10 04:32:35 +01:00
Code Issues Releases Activity

refactor checkToken

Browse Source
This commit is contained in:
Madeline 2023-07-28 09:26:18 +10:00
parent 8a3989c297
commit f1f68c3d31
No known key found for this signature in database
GPG Key ID: 80D25DA3BCB24281
8 changed files with 11001 additions and 8202 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

191
assets/openapi.json
View File

@ -2390,12 +2390,16 @@
},
"additionalProperties": false
},
"flags": {
"type": "integer"
},
"id": {
"type": "string"
}
},
"required": [
"color",
"flags",
"guild",
"guild_id",
"hoist",
@ -3632,47 +3636,45 @@
"type": "object",
"additionalProperties": false
},
"id": {
"type": "string"
},
"roles": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Role"
}
},
"name": {
"type": "string"
},
"banner": {
"type": "string"
},
"unavailable": {
"type": "boolean"
},
"channels": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Channel"
}
},
"region": {
"type": "string"
},
"icon": {
"type": "string"
},
"system_channel_id": {
"parent": {
"type": "string"
},
"rules_channel_id": {
"owner_id": {
"type": "string"
},
"afk_timeout": {
"type": "integer"
"nsfw": {
"type": "boolean"
},
"explicit_content_filter": {
"type": "integer"
"invites": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Invite"
}
},
"voice_states": {
"type": "array",
"items": {
"$ref": "#/components/schemas/VoiceState"
}
},
"webhooks": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Webhook"
}
},
"id": {
"type": "string"
},
"_do_validate": {
"type": "object",
"additionalProperties": false
},
"assign": {
"type": "object",
@ -3707,6 +3709,39 @@
"type": "object",
"additionalProperties": false
},
"roles": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Role"
}
},
"banner": {
"type": "string"
},
"unavailable": {
"type": "boolean"
},
"channels": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Channel"
}
},
"region": {
"type": "string"
},
"system_channel_id": {
"type": "string"
},
"rules_channel_id": {
"type": "string"
},
"afk_timeout": {
"type": "integer"
},
"explicit_content_filter": {
"type": "integer"
},
"afk_channel_id": {
"type": "string"
},
@ -3773,30 +3808,9 @@
"$ref": "#/components/schemas/Sticker"
}
},
"invites": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Invite"
}
},
"voice_states": {
"type": "array",
"items": {
"$ref": "#/components/schemas/VoiceState"
}
},
"webhooks": {
"type": "array",
"items": {
"$ref": "#/components/schemas/Webhook"
}
},
"mfa_level": {
"type": "integer"
},
"owner_id": {
"type": "string"
},
"preferred_locale": {
"type": "string"
},
@ -3830,21 +3844,11 @@
"nsfw_level": {
"type": "integer"
},
"nsfw": {
"type": "boolean"
},
"parent": {
"type": "string"
},
"permissions": {
"type": "integer"
},
"premium_progress_bar_enabled": {
"type": "boolean"
},
"_do_validate": {
"type": "object",
"additionalProperties": false
}
},
"required": [
@ -4173,7 +4177,9 @@
"channel": {
"$ref": "#/components/schemas/RateLimitOptions"
},
"auth": {}
"auth": {
"$ref": "#/components/schemas/AuthRateLimit"
}
},
"required": [
"auth",
@ -4182,6 +4188,21 @@
"webhook"
]
},
"AuthRateLimit": {
"type": "object",
"properties": {
"login": {
"$ref": "#/components/schemas/RateLimitOptions"
},
"register": {
"$ref": "#/components/schemas/RateLimitOptions"
}
},
"required": [
"login",
"register"
]
},
"GlobalRateLimits": {
"type": "object",
"properties": {
@ -4664,13 +4685,13 @@
"discovery_splash": {
"type": "string"
},
"region": {
"type": "string"
},
"icon": {
"type": "string",
"nullable": true
},
"region": {
"type": "string"
},
"guild_template_code": {
"type": "string"
},
@ -5406,6 +5427,12 @@
},
"promotional_email_opt_in": {
"type": "boolean"
},
"unique_username_registration": {
"type": "boolean"
},
"global_name": {
"type": "string"
}
},
"required": [
@ -5684,13 +5711,6 @@
"version": {
"type": "integer"
},
"guild_id": {
"type": "string",
"nullable": true
},
"flags": {
"type": "integer"
},
"message_notifications": {
"type": "integer"
},
@ -5716,6 +5736,13 @@
"suppress_roles": {
"type": "boolean"
},
"guild_id": {
"type": "string",
"nullable": true
},
"flags": {
"type": "integer"
},
"mute_scheduled_events": {
"type": "boolean"
},
@ -6934,6 +6961,9 @@
"APIPrivateUser": {
"type": "object",
"properties": {
"flags": {
"type": "string"
},
"id": {
"type": "string"
},
@ -6980,9 +7010,6 @@
"pronouns": {
"type": "string"
},
"flags": {
"type": "string"
},
"mfa_enabled": {
"type": "boolean"
},
@ -7051,6 +7078,9 @@
"newToken": {
"type": "string"
},
"flags": {
"type": "string"
},
"id": {
"type": "string"
},
@ -7097,9 +7127,6 @@
"pronouns": {
"type": "string"
},
"flags": {
"type": "string"
},
"mfa_enabled": {
"type": "boolean"
},
@ -7264,10 +7291,10 @@
"APIPublicMember": {
"type": "object",
"properties": {
"id": {
"guild_id": {
"type": "string"
},
"guild_id": {
"id": {
"type": "string"
},
"nick": {
@ -7696,10 +7723,10 @@
"additionalProperties": false,
"type": "object",
"properties": {
"id": {
"guild_id": {
"type": "string"
},
"guild_id": {
"id": {
"type": "string"
},
"nick": {

18812
assets/schemas.json
View File

File diff suppressed because it is too large Load Diff

7
src/api/middlewares/Authentication.ts
View File

@ -92,12 +92,7 @@ export async function Authentication(
Sentry.setUser({ id: req.user_id });
try {
const { jwtSecret } = Config.get().security;
const { decoded, user } = await checkToken(
req.headers.authorization,
jwtSecret,
);
const { decoded, user } = await checkToken(req.headers.authorization);
req.token = decoded;
req.user_id = decoded.id;

4
src/api/routes/auth/reset.ts
View File

@ -48,11 +48,9 @@ router.post(
async (req: Request, res: Response) => {
const { password, token } = req.body as PasswordResetSchema;
const { jwtSecret } = Config.get().security;
let user;
try {
const userTokenData = await checkToken(token, jwtSecret, true);
const userTokenData = await checkToken(token);
user = userTokenData.user;
} catch {
throw FieldErrors({

3
src/api/routes/auth/verify/index.ts
View File

@ -78,11 +78,10 @@ router.post(
}
}
const { jwtSecret } = Config.get().security;
let user;
try {
const userTokenData = await checkToken(token, jwtSecret, true);
const userTokenData = await checkToken(token);
user = userTokenData.user;
} catch {
throw FieldErrors({

62
src/gateway/opcodes/Identify.ts
View File

@ -30,7 +30,6 @@ import {
Intents,
Member,
ReadyEventData,
User,
Session,
EVENTEnum,
Config,
@ -60,17 +59,6 @@ import { check } from "./instanceOf";
// TODO: user sharding
// TODO: check privileged intents, if defined in the config
const getUserFromToken = async (token: string): Promise<string | null> => {
try {
const { jwtSecret } = Config.get().security;
const { decoded } = await checkToken(token, jwtSecret);
return decoded.id;
} catch (e) {
console.error(`[Gateway] Invalid token`, e);
return null;
}
};
export async function onIdentify(this: WebSocket, data: Payload) {
if (this.user_id) {
// we've already identified
@ -85,12 +73,12 @@ export async function onIdentify(this: WebSocket, data: Payload) {
this.capabilities = new Capabilities(identify.capabilities || 0);
// Check auth
// TODO: the checkToken call will fetch user, and then we have to refetch with different select
// checkToken should be able to select what we want
const user_id = await getUserFromToken(identify.token);
if (!user_id) return this.close(CLOSECODES.Authentication_failed);
this.user_id = user_id;
const { user } = await checkToken(identify.token, {
relations: ["relationships", "relationships.to", "settings"],
select: [...PrivateUserProjection, "relationships"],
});
if (!user) return this.close(CLOSECODES.Authentication_failed);
this.user_id = user.id;
// Check intents
if (!identify.intents) identify.intents = 30064771071n; // TODO: what is this number?
@ -112,7 +100,7 @@ export async function onIdentify(this: WebSocket, data: Payload) {
) {
// TODO: why do we even care about this right now?
console.log(
`[Gateway] Invalid sharding from ${user_id}: ${identify.shard}`,
`[Gateway] Invalid sharding from ${user.id}: ${identify.shard}`,
);
return this.close(CLOSECODES.Invalid_shard);
}
@ -132,22 +120,14 @@ export async function onIdentify(this: WebSocket, data: Payload) {
});
// Get from database:
// * the current user,
// * the users read states
// * guild members for this user
// * recipients ( dm channels )
// * the bot application, if it exists
const [, user, application, read_states, members, recipients] =
await Promise.all([
const [, application, read_states, members, recipients] = await Promise.all(
[
session.save(),
// TODO: Refactor checkToken to allow us to skip this additional query
User.findOneOrFail({
where: { id: this.user_id },
relations: ["relationships", "relationships.to", "settings"],
select: [...PrivateUserProjection, "relationships"],
}),
Application.findOne({
where: { id: this.user_id },
select: ["id", "flags"],
@ -224,7 +204,8 @@ export async function onIdentify(this: WebSocket, data: Payload) {
},
},
}),
]);
],
);
// We forgot to migrate user settings from the JSON column of `users`
// to the `user_settings` table theyre in now,
@ -407,6 +388,17 @@ export async function onIdentify(this: WebSocket, data: Payload) {
merged_members: merged_members,
sessions: allSessions,
resume_gateway_url:
Config.get().gateway.endpointClient ||
Config.get().gateway.endpointPublic ||
"ws://127.0.0.1:3001",
// lol hack whatever
required_action:
Config.get().login.requireVerification && !user.verified
? "REQUIRE_VERIFIED_EMAIL"
: undefined,
consents: {
personalization: {
consented: false, // TODO
@ -421,18 +413,8 @@ export async function onIdentify(this: WebSocket, data: Payload) {
friend_suggestion_count: 0,
analytics_token: "",
tutorial: null,
resume_gateway_url:
Config.get().gateway.endpointClient ||
Config.get().gateway.endpointPublic ||
"ws://127.0.0.1:3001",
session_type: "normal", // TODO
auth_session_id_hash: "", // TODO
// lol hack whatever
required_action:
Config.get().login.requireVerification && !user.verified
? "REQUIRE_VERIFIED_EMAIL"
: undefined,
};
// Send READY

4
src/util/schemas/RegisterSchema.ts
View File

@ -42,4 +42,8 @@ export interface RegisterSchema {
captcha_key?: string;
promotional_email_opt_in?: boolean;
// part of pomelo
unique_username_registration?: boolean;
global_name?: string;
}

100
src/util/util/Token.ts
View File

@ -19,94 +19,66 @@
import jwt, { VerifyOptions } from "jsonwebtoken";
import { Config } from "./Config";
import { User } from "../entities";
// TODO: dont use deprecated APIs lol
import {
FindOptionsRelationByString,
FindOptionsSelectByString,
} from "typeorm";
export const JWTOptions: VerifyOptions = { algorithms: ["HS256"] };
export type UserTokenData = {
user: User;
decoded: { id: string; iat: number };
decoded: { id: string; iat: number; email?: string };
};
async function checkEmailToken(
decoded: jwt.JwtPayload,
): Promise<UserTokenData> {
// eslint-disable-next-line no-async-promise-executor
return new Promise(async (res, rej) => {
if (!decoded.iat) return rej("Invalid Token"); // will never happen, just for typings.
export const checkToken = (
token: string,
opts?: {
select?: FindOptionsSelectByString<User>;
relations?: FindOptionsRelationByString;
},
): Promise<UserTokenData> =>
new Promise((resolve, reject) => {
jwt.verify(
token,
Config.get().security.jwtSecret,
JWTOptions,
async (err, out) => {
const decoded = out as UserTokenData["decoded"];
if (err || !decoded) return reject("Invalid Token");
const user = await User.findOne({
where: {
email: decoded.email,
},
where: decoded.email
? { email: decoded.email }
: { id: decoded.id },
select: [
"email",
"id",
"verified",
"deleted",
...(opts?.select || []),
"bot",
"disabled",
"username",
"deleted",
"rights",
"data",
],
relations: opts?.relations,
});
if (!user) return rej("Invalid Token");
if (new Date().getTime() > decoded.iat * 1000 + 86400 * 1000)
return rej("Invalid Token");
// Using as here because we assert `id` and `iat` are in decoded.
// TS just doesn't want to assume its there, though.
return res({ decoded, user } as UserTokenData);
});
}
export function checkToken(
token: string,
jwtSecret: string,
isEmailVerification = false,
): Promise<UserTokenData> {
return new Promise((res, rej) => {
token = token.replace("Bot ", "");
token = token.replace("Bearer ", "");
/**
in spacebar, even with instances that have bot distinction; we won't enforce "Bot" prefix,
as we don't really have separate pathways for bots
**/
jwt.verify(token, jwtSecret, JWTOptions, async (err, decoded) => {
if (err || !decoded) return rej("Invalid Token");
if (
typeof decoded == "string" ||
!("id" in decoded) ||
!decoded.iat
)
return rej("Invalid Token"); // will never happen, just for typings.
if (isEmailVerification) return res(checkEmailToken(decoded));
const user = await User.findOne({
where: { id: decoded.id },
select: ["data", "bot", "disabled", "deleted", "rights"],
});
if (!user) return rej("Invalid Token");
if (!user) return reject("User not found");
// we need to round it to seconds as it saved as seconds in jwt iat and valid_tokens_since is stored in milliseconds
if (
decoded.iat * 1000 <
new Date(user.data.valid_tokens_since).setSeconds(0, 0)
)
return rej("Invalid Token");
return reject("Invalid Token");
if (user.disabled) return rej("User disabled");
if (user.deleted) return rej("User not found");
if (user.disabled) return reject("User disabled");
if (user.deleted) return reject("User not found");
// Using as here because we assert `id` and `iat` are in decoded.
// TS just doesn't want to assume its there, though.
return res({ decoded, user } as UserTokenData);
return resolve({ decoded, user });
},
);
});
});
}
export async function generateToken(id: string, email?: string) {
const iat = Math.floor(Date.now() / 1000);