Context Navigation

SessionHandler.cs@ 433

Last change on this file since 433 was 433, checked in by alloc, 19 months ago
Fixed: User registration allowed same username for multiple users
File size: 6.3 KB

Rev	Line
[391]	1	using System;
[402]	2	using System.Collections.Generic;
	3	using System.IO;
[391]	4	using System.Net;
[402]	5	using Platform.Steam;
	6	using Utf8Json;
[404]	7	using Webserver.Permissions;
[391]	8
	9	namespace Webserver.UrlHandlers {
	10	public class SessionHandler : AbsHandler {
[394]	11	private const string pageBasePath = "/app";
	12	private const string pageErrorPath = "/app/error/";
[404]	13
[391]	14	private const string steamOpenIdVerifyUrl = "verifysteamopenid";
	15	private const string steamLoginUrl = "loginsteam";
[404]	16	private const string steamLoginFailedPage = "SteamLoginFailed";
	17
[402]	18	private const string userPassLoginUrl = "login";
[417]	19	public const string userPassLoginName = "User/pass";
[411]	20	public const string userPassErrorPage = "UserPassLoginFailed";
[391]	21
	22	private readonly ConnectionHandler connectionHandler;
	23
[394]	24	public SessionHandler (ConnectionHandler _connectionHandler) : base (null) {
[391]	25	connectionHandler = _connectionHandler;
	26	}
	27
	28	public override void HandleRequest (RequestContext _context) {
[394]	29	if (_context.Request.RemoteEndPoint == null) {
	30	_context.Response.Redirect (pageErrorPath + "NoRemoteEndpoint");
[391]	31	return;
	32	}
	33
	34	string subpath = _context.RequestPath.Remove (0, urlBasePath.Length);
	35
[404]	36	string remoteEndpointString = _context.Request.RemoteEndPoint!.ToString ();
	37
[391]	38	if (subpath.StartsWith (steamOpenIdVerifyUrl)) {
[404]	39	HandleSteamVerification (_context, remoteEndpointString);
[394]	40	return;
	41	}
[391]	42
[394]	43	if (subpath.StartsWith ("logout")) {
	44	HandleLogout (_context);
	45	return;
	46	}
[391]	47
[394]	48	if (subpath.StartsWith (steamLoginUrl)) {
	49	HandleSteamLogin (_context);
	50	return;
	51	}
[404]	52
[402]	53	if (subpath.StartsWith (userPassLoginUrl)) {
[404]	54	HandleUserPassLogin (_context, remoteEndpointString);
[402]	55	return;
	56	}
[391]	57
[394]	58	_context.Response.Redirect (pageErrorPath + "InvalidSessionsCommand");
	59	}
	60
[404]	61	private void HandleUserPassLogin (RequestContext _context, string _remoteEndpointString) {
[402]	62	if (!_context.Request.HasEntityBody) {
[422]	63	WebUtils.WriteText (_context.Response, "NoLoginData", HttpStatusCode.BadRequest);
[402]	64	return;
	65	}
	66
	67	Stream requestInputStream = _context.Request.InputStream;
	68
	69	byte[] jsonInputData = new byte[_context.Request.ContentLength64];
	70	requestInputStream.Read (jsonInputData, 0, (int)_context.Request.ContentLength64);
	71
	72	IDictionary<string, object> inputJson;
	73	try {
	74	inputJson = JsonSerializer.Deserialize<IDictionary<string, object>> (jsonInputData);
	75	} catch (Exception e) {
	76	Log.Error ("Error deserializing JSON from user/password login:");
	77	Log.Exception (e);
[422]	78	WebUtils.WriteText (_context.Response, "InvalidLoginJson", HttpStatusCode.BadRequest);
[402]	79	return;
	80	}
	81
	82	if (!inputJson.TryGetValue ("username", out object fieldNode) \|\| fieldNode is not string username) {
[422]	83	WebUtils.WriteText (_context.Response, "InvalidLoginJson", HttpStatusCode.BadRequest);
[402]	84	return;
	85	}
	86
	87	if (!inputJson.TryGetValue ("password", out fieldNode) \|\| fieldNode is not string password) {
[422]	88	WebUtils.WriteText (_context.Response, "InvalidLoginJson", HttpStatusCode.BadRequest);
[402]	89	return;
	90	}
	91
[433]	92	if (!AdminWebUsers.Instance.TryGetUser (username, password, out AdminWebUsers.WebUser webUser)) {
[404]	93	Log.Out ($"[Web] User/pass login failed from {_remoteEndpointString}");
[422]	94	WebUtils.WriteText (_context.Response, "UserPassInvalid", HttpStatusCode.Unauthorized);
[402]	95	return;
	96	}
	97
[433]	98	HandleUserIdLogin (connectionHandler, _context, _remoteEndpointString, userPassLoginName, userPassErrorPage, webUser.Name, webUser.PlatformUser, webUser.CrossPlatformUser);
[402]	99	}
	100
[394]	101	private void HandleSteamLogin (RequestContext _context) {
[402]	102	string host = $"{(WebUtils.IsSslRedirected (_context.Request) ? "https://" : "http://")}{_context.Request.UserHostName}";
	103	string url = OpenID.GetOpenIdLoginUrl (host, $"{host}{urlBasePath}{steamOpenIdVerifyUrl}");
[394]	104	_context.Response.Redirect (url);
	105	}
	106
	107	private void HandleLogout (RequestContext _context) {
	108	Cookie cookie = new Cookie ("sid", "", "/") {
	109	Expired = true
	110	};
	111	_context.Response.AppendCookie (cookie);
	112
	113	if (_context.Connection == null) {
	114	_context.Response.Redirect (pageErrorPath + "NotLoggedIn");
	115	return;
	116	}
	117
	118	connectionHandler.LogOut (_context.Connection.SessionID);
	119	_context.Response.Redirect (pageBasePath);
	120	}
	121
[404]	122	private void HandleSteamVerification (RequestContext _context, string _remoteEndpointString) {
	123	ulong id;
	124	try {
	125	id = OpenID.Validate (_context.Request);
	126	} catch (Exception e) {
	127	Log.Error ($"[Web] Error validating Steam login from {_remoteEndpointString}:");
	128	Log.Exception (e);
	129	_context.Response.Redirect (pageErrorPath + steamLoginFailedPage);
	130	return;
	131	}
[394]	132
[404]	133	if (id <= 0) {
	134	Log.Out ($"[Web] Steam OpenID login failed (invalid ID) from {_remoteEndpointString}");
	135	_context.Response.Redirect (pageErrorPath + steamLoginFailedPage);
	136	return;
	137	}
	138
	139	UserIdentifierSteam userId = new UserIdentifierSteam (id);
[411]	140	HandleUserIdLogin (connectionHandler, _context, _remoteEndpointString, "Steam OpenID", steamLoginFailedPage, userId.ToString (), userId);
[404]	141	}
	142
[411]	143	public static void HandleUserIdLogin (ConnectionHandler _connectionHandler, RequestContext _context, string _remoteEndpointString,
[422]	144	string _loginName, string _errorPage, string _username, PlatformUserIdentifierAbs _userId, PlatformUserIdentifierAbs _crossUserId = null, bool _sendResponse = true) {
[394]	145	try {
[411]	146	WebConnection con = _connectionHandler.LogIn (_context.Request.RemoteEndPoint!.Address, _username, _userId, _crossUserId);
[394]	147
[404]	148	int level1 = GameManager.Instance.adminTools.Users.GetUserPermissionLevel (_userId);
	149	int level2 = int.MaxValue;
	150	if (_crossUserId != null) {
	151	level2 = GameManager.Instance.adminTools.Users.GetUserPermissionLevel (_crossUserId);
	152	}
[394]	153
[404]	154	int higherLevel = Math.Min (level1, level2);
	155
	156	Log.Out ($"[Web] {_loginName} login from {_remoteEndpointString}, name {_username} with ID {_userId}, CID {(_crossUserId != null ? _crossUserId : "none")}, permission level {higherLevel}");
	157	Cookie cookie = new Cookie ("sid", con.SessionID, "/") {
	158	Expired = false,
	159	Expires = DateTime.MinValue,
	160	HttpOnly = true,
	161	Secure = false
	162	};
	163	_context.Response.AppendCookie (cookie);
[417]	164
[422]	165	if (_sendResponse) {
	166	WebUtils.WriteText (_context.Response, "");
[417]	167	}
[394]	168	} catch (Exception e) {
[404]	169	Log.Error ($"[Web] Error during {_loginName} login:");
[394]	170	Log.Exception (e);
[422]	171	if (_sendResponse) {
	172	WebUtils.WriteText (_context.Response, "LoginError", HttpStatusCode.InternalServerError);
[417]	173	}
[391]	174	}
[394]	175	}
[391]	176	}
	177	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: binary-improvements2/WebServer/src/UrlHandlers/SessionHandler.cs@ 433

Download in other formats: