parse access token before online checking

2025-02-20 02:22:32 +01:00 · 2024-11-23 14:16:42 -03:00 · 2024-11-23 14:16:42 -03:00 · 181f4b613e
commit 181f4b613e
parent 26699454a1
2 changed files with 10 additions and 2 deletions
--- a/src/main/kotlin/com/viaversion/aas/web/WebLogin.kt
+++ b/src/main/kotlin/com/viaversion/aas/web/WebLogin.kt
@ -1,5 +1,6 @@
 package com.viaversion.aas.web

+import com.auth0.jwt.JWT
 import com.google.common.net.HostAndPort
 import com.google.common.primitives.Ints
 import com.google.gson.JsonObject
@ -11,6 +12,7 @@ import io.ktor.client.call.*
 import io.ktor.client.request.*
 import io.ktor.server.websocket.*
 import java.time.Duration
+import java.time.Instant
 import java.util.*
 import kotlin.math.absoluteValue

@ -153,10 +155,17 @@ class WebLogin : WebState {

    private suspend fun handleSaveAccessToken(webClient: WebClient, obj: JsonObject) {
        val accessToken = obj["mc_access_token"].asString
+        val decodedToken = JWT.decode(accessToken)
+        assert(decodedToken.expiresAtAsInstant <= Instant.now())
+        assert(decodedToken.notBeforeAsInstant >= Instant.now())
+        val expectedId = UUID.fromString(decodedToken.getClaim("profiles").asMap()["mc"].toString())
+
        val profile = AspirinServer.httpClient.get("https://api.minecraftservices.com/minecraft/profile") {
            header("Authorization", "Bearer $accessToken")
        }.body<JsonObject>()
        val uuid = parseUndashedId(profile["id"].asString)
+        assert(uuid == expectedId)
+
        webClient.server.minecraftAccessTokens.put(uuid, accessToken)
        webLogger.info("Received token: {} {}", webClient.id, uuid)
    }
--- a/src/main/kotlin/com/viaversion/aas/web/WebServer.kt
+++ b/src/main/kotlin/com/viaversion/aas/web/WebServer.kt
@ -13,7 +13,6 @@ import com.viaversion.aas.config.VIAaaSConfig
 import com.viaversion.aas.util.StacklessException
 import io.ktor.client.call.body
 import io.ktor.client.request.*
-import io.ktor.client.statement.*
 import io.ktor.http.*
 import io.ktor.server.netty.*
 import io.ktor.server.websocket.*
@ -170,7 +169,7 @@ class WebServer {
                it.addProperty("serverId", hash)
            })
            contentType(ContentType.Application.Json)
-        }.bodyAsText().isEmpty()
+        }.status.isSuccess()
    }

    suspend fun requestSessionJoin(