source: binary-improvements2/WebServer/src/UrlHandlers/SessionHandler.cs@ 433

Last change on this file since 433 was 433, checked in by alloc, 2 years ago

Fixed: User registration allowed same username for multiple users
File size: 6.3 KB
Line 
1using System;
2using System.Collections.Generic;
3using System.IO;
4using System.Net;
5using Platform.Steam;
6using Utf8Json;
7using Webserver.Permissions;
8
9namespace Webserver.UrlHandlers {
10 public class SessionHandler : AbsHandler {
11 private const string pageBasePath = "/app";
12 private const string pageErrorPath = "/app/error/";
13
14 private const string steamOpenIdVerifyUrl = "verifysteamopenid";
15 private const string steamLoginUrl = "loginsteam";
16 private const string steamLoginFailedPage = "SteamLoginFailed";
17
18 private const string userPassLoginUrl = "login";
19 public const string userPassLoginName = "User/pass";
20 public const string userPassErrorPage = "UserPassLoginFailed";
21
22 private readonly ConnectionHandler connectionHandler;
23
24 public SessionHandler (ConnectionHandler _connectionHandler) : base (null) {
25 connectionHandler = _connectionHandler;
26 }
27
28 public override void HandleRequest (RequestContext _context) {
29 if (_context.Request.RemoteEndPoint == null) {
30 _context.Response.Redirect (pageErrorPath + "NoRemoteEndpoint");
31 return;
32 }
33
34 string subpath = _context.RequestPath.Remove (0, urlBasePath.Length);
35
36 string remoteEndpointString = _context.Request.RemoteEndPoint!.ToString ();
37
38 if (subpath.StartsWith (steamOpenIdVerifyUrl)) {
39 HandleSteamVerification (_context, remoteEndpointString);
40 return;
41 }
42
43 if (subpath.StartsWith ("logout")) {
44 HandleLogout (_context);
45 return;
46 }
47
48 if (subpath.StartsWith (steamLoginUrl)) {
49 HandleSteamLogin (_context);
50 return;
51 }
52
53 if (subpath.StartsWith (userPassLoginUrl)) {
54 HandleUserPassLogin (_context, remoteEndpointString);
55 return;
56 }
57
58 _context.Response.Redirect (pageErrorPath + "InvalidSessionsCommand");
59 }
60
61 private void HandleUserPassLogin (RequestContext _context, string _remoteEndpointString) {
62 if (!_context.Request.HasEntityBody) {
63 WebUtils.WriteText (_context.Response, "NoLoginData", HttpStatusCode.BadRequest);
64 return;
65 }
66
67 Stream requestInputStream = _context.Request.InputStream;
68
69 byte[] jsonInputData = new byte[_context.Request.ContentLength64];
70 requestInputStream.Read (jsonInputData, 0, (int)_context.Request.ContentLength64);
71
72 IDictionary<string, object> inputJson;
73 try {
74 inputJson = JsonSerializer.Deserialize<IDictionary<string, object>> (jsonInputData);
75 } catch (Exception e) {
76 Log.Error ("Error deserializing JSON from user/password login:");
77 Log.Exception (e);
78 WebUtils.WriteText (_context.Response, "InvalidLoginJson", HttpStatusCode.BadRequest);
79 return;
80 }
81
82 if (!inputJson.TryGetValue ("username", out object fieldNode) || fieldNode is not string username) {
83 WebUtils.WriteText (_context.Response, "InvalidLoginJson", HttpStatusCode.BadRequest);
84 return;
85 }
86
87 if (!inputJson.TryGetValue ("password", out fieldNode) || fieldNode is not string password) {
88 WebUtils.WriteText (_context.Response, "InvalidLoginJson", HttpStatusCode.BadRequest);
89 return;
90 }
91
92 if (!AdminWebUsers.Instance.TryGetUser (username, password, out AdminWebUsers.WebUser webUser)) {
93 Log.Out ($"[Web] User/pass login failed from {_remoteEndpointString}");
94 WebUtils.WriteText (_context.Response, "UserPassInvalid", HttpStatusCode.Unauthorized);
95 return;
96 }
97
98 HandleUserIdLogin (connectionHandler, _context, _remoteEndpointString, userPassLoginName, userPassErrorPage, webUser.Name, webUser.PlatformUser, webUser.CrossPlatformUser);
99 }
100
101 private void HandleSteamLogin (RequestContext _context) {
102 string host = $"{(WebUtils.IsSslRedirected (_context.Request) ? "https://" : "http://")}{_context.Request.UserHostName}";
103 string url = OpenID.GetOpenIdLoginUrl (host, $"{host}{urlBasePath}{steamOpenIdVerifyUrl}");
104 _context.Response.Redirect (url);
105 }
106
107 private void HandleLogout (RequestContext _context) {
108 Cookie cookie = new Cookie ("sid", "", "/") {
109 Expired = true
110 };
111 _context.Response.AppendCookie (cookie);
112
113 if (_context.Connection == null) {
114 _context.Response.Redirect (pageErrorPath + "NotLoggedIn");
115 return;
116 }
117
118 connectionHandler.LogOut (_context.Connection.SessionID);
119 _context.Response.Redirect (pageBasePath);
120 }
121
122 private void HandleSteamVerification (RequestContext _context, string _remoteEndpointString) {
123 ulong id;
124 try {
125 id = OpenID.Validate (_context.Request);
126 } catch (Exception e) {
127 Log.Error ($"[Web] Error validating Steam login from {_remoteEndpointString}:");
128 Log.Exception (e);
129 _context.Response.Redirect (pageErrorPath + steamLoginFailedPage);
130 return;
131 }
132
133 if (id <= 0) {
134 Log.Out ($"[Web] Steam OpenID login failed (invalid ID) from {_remoteEndpointString}");
135 _context.Response.Redirect (pageErrorPath + steamLoginFailedPage);
136 return;
137 }
138
139 UserIdentifierSteam userId = new UserIdentifierSteam (id);
140 HandleUserIdLogin (connectionHandler, _context, _remoteEndpointString, "Steam OpenID", steamLoginFailedPage, userId.ToString (), userId);
141 }
142
143 public static void HandleUserIdLogin (ConnectionHandler _connectionHandler, RequestContext _context, string _remoteEndpointString,
144 string _loginName, string _errorPage, string _username, PlatformUserIdentifierAbs _userId, PlatformUserIdentifierAbs _crossUserId = null, bool _sendResponse = true) {
145 try {
146 WebConnection con = _connectionHandler.LogIn (_context.Request.RemoteEndPoint!.Address, _username, _userId, _crossUserId);
147
148 int level1 = GameManager.Instance.adminTools.Users.GetUserPermissionLevel (_userId);
149 int level2 = int.MaxValue;
150 if (_crossUserId != null) {
151 level2 = GameManager.Instance.adminTools.Users.GetUserPermissionLevel (_crossUserId);
152 }
153
154 int higherLevel = Math.Min (level1, level2);
155
156 Log.Out ($"[Web] {_loginName} login from {_remoteEndpointString}, name {_username} with ID {_userId}, CID {(_crossUserId != null ? _crossUserId : "none")}, permission level {higherLevel}");
157 Cookie cookie = new Cookie ("sid", con.SessionID, "/") {
158 Expired = false,
159 Expires = DateTime.MinValue,
160 HttpOnly = true,
161 Secure = false
162 };
163 _context.Response.AppendCookie (cookie);
164
165 if (_sendResponse) {
166 WebUtils.WriteText (_context.Response, "");
167 }
168 } catch (Exception e) {
169 Log.Error ($"[Web] Error during {_loginName} login:");
170 Log.Exception (e);
171 if (_sendResponse) {
172 WebUtils.WriteText (_context.Response, "LoginError", HttpStatusCode.InternalServerError);
173 }
174 }
175 }
176 }
177}
Note: See TracBrowser for help on using the repository browser.