Index: binary-improvements2/WebServer/src/UserRegistrationTokens.cs =================================================================== --- binary-improvements2/WebServer/src/UserRegistrationTokens.cs (revision 413) +++ binary-improvements2/WebServer/src/UserRegistrationTokens.cs (revision 413) @@ -0,0 +1,54 @@ +using System; +using System.Collections.Generic; +using HarmonyLib; +using JetBrains.Annotations; + +namespace Webserver { + public static class UserRegistrationTokens { + private const float tokenExpirationMinutes = 3; + + public class RegistrationData { + public readonly string PlayerName; + public readonly DateTime ExpiryTime; + public readonly PlatformUserIdentifierAbs PlatformUserId; + public readonly PlatformUserIdentifierAbs CrossPlatformUserId; + + public RegistrationData (string _playerName, PlatformUserIdentifierAbs _platformUserId, PlatformUserIdentifierAbs _crossPlatformUserId) { + PlayerName = _playerName; + ExpiryTime = DateTime.Now + TimeSpan.FromMinutes (tokenExpirationMinutes); + PlatformUserId = _platformUserId; + CrossPlatformUserId = _crossPlatformUserId; + } + } + + public static bool TryValidate (string _token, out RegistrationData _data) { + return activeTokens.TryGetValue (_token, out _data) && _data.ExpiryTime > DateTime.Now; + } + + private static readonly Dictionary activeTokens = new Dictionary (); + + [HarmonyPatch(typeof(ConsoleCmdCreateWebUser))] + [HarmonyPatch("createToken")] + private class CommandPatch { + [UsedImplicitly] + private static bool Prefix (ref string __result, string _playerName, PlatformUserIdentifierAbs _platformUserId, PlatformUserIdentifierAbs _crossPlatformUserId) { + string token = Utils.GenerateGuid (); + + bool hasCrossplatformId = _crossPlatformUserId != null; + DateTime currentTime = DateTime.Now; + + // Check if the user already has a registration attempt running and if so delete the old one + // Also clear out any expired tokens + activeTokens.RemoveAll (_data => _data.ExpiryTime < currentTime || _platformUserId.Equals (_data.PlatformUserId) || + (hasCrossplatformId && _crossPlatformUserId.Equals (_data.CrossPlatformUserId))); + + RegistrationData data = new RegistrationData (_playerName, _platformUserId, _crossPlatformUserId); + activeTokens [token] = data; + + __result = token; + return false; + } + } + + } +} Index: binary-improvements2/WebServer/src/WebAPI/APIs/RegisterUser.cs =================================================================== --- binary-improvements2/WebServer/src/WebAPI/APIs/RegisterUser.cs (revision 413) +++ binary-improvements2/WebServer/src/WebAPI/APIs/RegisterUser.cs (revision 413) @@ -0,0 +1,92 @@ +using System; +using System.Collections.Generic; +using System.Net; +using System.Text.RegularExpressions; +using JetBrains.Annotations; +using Utf8Json; +using Webserver.Permissions; +using Webserver.UrlHandlers; + +namespace Webserver.WebAPI.APIs { + [UsedImplicitly] + public class RegisterUser : AbsRestApi { + private static readonly byte[] jsonPlayerNameKey = JsonWriter.GetEncodedPropertyNameWithBeginObject ("playerName"); + private static readonly byte[] jsonExpirationKey = JsonWriter.GetEncodedPropertyNameWithPrefixValueSeparator ("expirationSeconds"); + + // TODO: Rate-limiting + + private static readonly Regex userValidationRegex = new Regex ("^\\w{4,16}$", RegexOptions.ECMAScript | RegexOptions.Compiled); + private static readonly Regex passValidationRegex = new Regex ("^\\w{4,16}$", RegexOptions.ECMAScript | RegexOptions.Compiled); + + public RegisterUser (Web _parentWeb) : base (_parentWeb) { + } + + protected override void HandleRestGet (RequestContext _context) { + string token = _context.RequestPath; + + if (string.IsNullOrEmpty (token)) { + SendErrorResult (_context, HttpStatusCode.BadRequest, null, "NO_TOKEN"); + return; + } + + if (!UserRegistrationTokens.TryValidate (token, out UserRegistrationTokens.RegistrationData regData)) { + SendErrorResult (_context, HttpStatusCode.NotFound, null, "INVALID_OR_EXPIRED_TOKEN"); + return; + } + + PrepareEnvelopedResult (out JsonWriter writer); + + writer.WriteRaw (jsonPlayerNameKey); + writer.WriteString (regData.PlayerName); + + writer.WriteRaw (jsonExpirationKey); + writer.WriteDouble ((regData.ExpiryTime - DateTime.Now).TotalSeconds); + + writer.WriteEndObject (); + + SendEnvelopedResult (_context, ref writer); + } + + protected override void HandleRestPost (RequestContext _context, IDictionary _jsonInput, byte[] _jsonInputData) { + if (!TryGetJsonField (_jsonInput, "token", out string token)) { + SendErrorResult (_context, HttpStatusCode.BadRequest, _jsonInputData, "MISSING_TOKEN"); + return; + } + + if (!TryGetJsonField (_jsonInput, "username", out string username)) { + SendErrorResult (_context, HttpStatusCode.BadRequest, _jsonInputData, "MISSING_USERNAME"); + return; + } + + if (!TryGetJsonField (_jsonInput, "password", out string password)) { + SendErrorResult (_context, HttpStatusCode.BadRequest, _jsonInputData, "MISSING_PASSWORD"); + return; + } + + if (!UserRegistrationTokens.TryValidate (token, out UserRegistrationTokens.RegistrationData regData)) { + SendErrorResult (_context, HttpStatusCode.Unauthorized, null, "INVALID_OR_EXPIRED_TOKEN"); + return; + } + + if (!userValidationRegex.IsMatch (username)) { + SendErrorResult (_context, HttpStatusCode.Unauthorized, _jsonInputData, "INVALID_USERNAME"); + return; + } + + if (!passValidationRegex.IsMatch (password)) { + SendErrorResult (_context, HttpStatusCode.Unauthorized, _jsonInputData, "INVALID_PASSWORD"); + return; + } + + // TODO: Check if username is already used! + + AdminWebUsers.Instance.AddUser (username, password, regData.PlatformUserId, regData.CrossPlatformUserId); + + string remoteEndpointString = _context.Request.RemoteEndPoint!.ToString (); + SessionHandler.HandleUserIdLogin (ParentWeb.ConnectionHandler, _context, remoteEndpointString, SessionHandler.userPassLoginName, + SessionHandler.userPassErrorPage, username, regData.PlatformUserId, regData.CrossPlatformUserId); + } + + public override int DefaultPermissionLevel () => 2000; + } +}