Leahnaya/pokemon-showdown-client
1
0
Fork 0
mirror of https://github.com/smogon/pokemon-showdown-client.git synced 2026-03-21 17:50:29 -05:00
Code Issues Actions Packages Projects Releases Wiki Activity
polyfill
pokemon-showdown-client/lib/dispatcher.lib.php
Annika 367ed82e56
Support configurable URLs (#1543)
2020-07-21 15:27:21 -07:00

598 lines
21 KiB
PHP
Raw Permalink Blame History

<?php
class ActionDispatcher {
private $reqs;
private $multiReqs = false;
private $reqData;
private $outPrefix = ']'; // JSON output should not be valid JavaScript
private $outArray = array();
public function __construct($handlers) {
$this->handlers = $handlers;
if (empty($_REQUEST)) {
$this->reqs = null;
if (substr($_SERVER["CONTENT_TYPE"] ?? '', 0, 16) === 'application/json') {
// screw you too Axios
// also come on PHP, you could just support JSON natively instead of putting me through this
$input = trim(file_get_contents('php://input'));
if ($input[0] === '[') {
$this->reqs = json_decode($input, true);
} else if ($input[0] === '{') {
$this->reqs = [json_decode($input, true)];
}
}
if (empty($this->reqs)) die("no request data found - you need to send some sort of data");
$_POST['is_post_request'] = true;
} else {
$this->reqs = [$_REQUEST];
}
if (@$_REQUEST['json']) {
$this->reqs = json_decode($_REQUEST['json'], true);
$this->multiReqs = true;
}
}
public function setPrefix($prefix) {
$this->outPrefix = $prefix;
}
public function getServerHostName($serverid) {
global $PokemonServers;
$server = @$PokemonServers[$serverid];
return $server ? $server['server'] : $serverid;
}
public function verifyCrossDomainRequest() {
global $psconfig;
// No cross-domain multi-requests for security reasons.
// No need to do anything if this isn't a cross-domain request.
if ($this->multiReqs || !isset($_SERVER['HTTP_ORIGIN'])) {
return '';
}
$origin = $_SERVER['HTTP_ORIGIN'];
$prefix = null;
foreach ($psconfig['cors'] as $i => &$j) {
if (!preg_match($i, $origin)) continue;
$prefix = $j;
break;
}
if ($prefix === null) {
// Bogus request.
return '';
}
// Valid CORS request.
header('Access-Control-Allow-Origin: ' . $origin);
header('Access-Control-Allow-Credentials: true');
return $prefix;
}
public function getIp() {
global $users;
return $users->getIp();
}
public function findServer() {
global $PokemonServers;
$serverid = @$this->reqData['serverid'];
$server = null;
$ip = $this->getIp();
if (!isset($PokemonServers[$serverid])) {
// Try to find the server by source IP, rather than by serverid.
if ($serverid === 'testtimeout') {
foreach ($PokemonServers as &$i) {
gethostbyname($i['server']);
}
}
return null;
} else {
$server =& $PokemonServers[$serverid];
if (empty($server['skipipcheck']) && empty($server['token']) && $serverid !== 'showdown') {
if (!isset($server['ipcache'])) {
$server['ipcache'] = gethostbyname($server['server']);
}
if ($ip !== $server['ipcache']) return null;
}
}
if (!empty($server['token'])) {
if ($server['token'] !== md5($this->reqData['servertoken'] ?? '')) return null;
}
return $server;
}
public function executeActions() {
$outArray = null;
if ($this->multiReqs) $outArray = array();
foreach ($this->reqs as $this->reqData) {
$this->reqData = array_merge($_REQUEST, $this->reqData);
if (!isset($this->reqData['act'])) die("action not found - make sure your request data includes act=something");
$action = $this->reqData['act'];
if (!ctype_alnum($action)) die("invalid action: " . var_export($action, true));
$out = array();
foreach ($this->handlers as &$i) {
if (is_callable(array($i, $action))) {
$i->$action($this, $this->reqData, $out);
}
}
if ($this->multiReqs) $outArray[] = $out;
}
// json output
if ($this->outPrefix !== '') {
// Technically this is not JSON because of the initial prefix.
header('Content-Type: text/plain; charset=utf-8');
} else {
header('Content-Type: application/json');
}
if ($this->multiReqs) {
die($this->outPrefix . json_encode($outArray));
} else {
die($this->outPrefix . json_encode($out));
}
}
}
class DefaultActionHandler {
public function login($dispatcher, &$reqData, &$out) {
global $users, $curuser;
$challengeprefix = $dispatcher->verifyCrossDomainRequest();
if (!$_POST) die('for security reasons, logins must happen with POST data');
if (empty($reqData['name']) || empty($reqData['pass'])) die('incorrect login data, you need "name" and "pass" fields');
try {
$users->login($reqData['name'], $reqData['pass']);
} catch (Exception $e) {
$out['error'] = $e->getMessage() . "\n" . $e->getFile() . '(' . $e->getLine() . ')' . "\n" . $e->getTraceAsString();
}
unset($curuser['userdata']);
$out['curuser'] = $curuser;
$out['actionsuccess'] = ($curuser ? $curuser['loggedin'] : false);
$serverhostname = '' . $dispatcher->getServerHostName(@$reqData['serverid']);
$challengekeyid = !isset($reqData['challengekeyid']) ? -1 : intval($reqData['challengekeyid']);
$challenge = !isset($reqData['challenge']) ? '' : $reqData['challenge'];
if (!$challenge) {
$challenge = !isset($reqData['challstr']) ? '' : $reqData['challstr'];
}
$out['assertion'] = $users->getAssertion($curuser['userid'], $serverhostname, null,
$challengekeyid, $challenge, $challengeprefix);
}
public function register($dispatcher, &$reqData, &$out) {
global $users, $curuser;
$challengeprefix = $dispatcher->verifyCrossDomainRequest();
$serverhostname = '' . $dispatcher->getServerHostName(@$reqData['serverid']);
$user = [
'username' => @$_POST['username'],
];
$userid = $users->userid($user['username']);
if ((mb_strlen($userid) < 1) || ctype_digit($userid)) {
$out['actionerror'] = 'Your username must contain at least one letter.';
} else if (substr($userid, 0, 5) === 'guest') {
$out['actionerror'] = 'Your username cannot start with \'guest\'.';
} else if (mb_strlen($user['username']) > 18) {
$out['actionerror'] = 'Your username must be less than 19 characters long.';
} else if (mb_strlen(@$_POST['password']) < 5) {
$out['actionerror'] = 'Your password must be at least 5 characters long.';
} else if (@$_POST['password'] !== @$_POST['cpassword']) {
$out['actionerror'] = 'Your passwords do not match.';
} else if (trim(strtolower(@$_POST['captcha'])) !== 'pikachu') {
$out['actionerror'] = 'Please answer the anti-spam question given.';
} else if (($registrationcount = $users->getRecentRegistrationCount()) === false) {
$out['actionerror'] = 'A database error occurred. Please try again.';
} else if ($registrationcount >= 2) {
$out['actionerror'] = 'You can\'t register more than two usernames every two hours. Try again later.';
} else if ($user = $users->addUser($user, $_POST['password'])) {
$challengekeyid = !isset($reqData['challengekeyid']) ? -1 : intval($reqData['challengekeyid']);
$challenge = !isset($reqData['challenge']) ? '' : $reqData['challenge'];
if (!$challenge) {
$challenge = !isset($reqData['challstr']) ? '' : $reqData['challstr'];
}
$out['curuser'] = $user;
$out['assertion'] = $users->getAssertion($user['userid'],
$serverhostname, $user, $challengekeyid, $challenge, $challengeprefix);
$out['actionsuccess'] = true;
} else {
$out['actionerror'] = 'Your username is already taken.';
}
}
public function changepassword($dispatcher, &$reqData, &$out) {
global $users, $curuser;
if (!$_POST ||
!isset($reqData['oldpassword']) ||
!isset($reqData['password']) ||
!isset($reqData['cpassword'])) {
$out['actionerror'] = 'Invalid request.';
} else if (!$curuser['loggedin']) {
$out['actionerror'] = 'Your session has expired. Please log in again.';
} else if ($reqData['password'] !== $reqData['cpassword']) {
$out['actionerror'] = 'Your new passwords do not match.';
} else if (!$users->passwordVerify($curuser['userid'], $reqData['oldpassword'])) {
$out['actionerror'] = 'Your old password was incorrect.';
} else if (mb_strlen($reqData['password']) < 5) {
$out['actionerror'] = 'Your new password must be at least 5 characters long.';
} else if (!$users->modifyUser($curuser['userid'], array(
'password' => $reqData['password']))) {
$out['actionerror'] = 'A database error occurred. Please try again.';
} else {
$out['actionsuccess'] = true;
}
}
public function changeusername($dispatcher, &$reqData, &$out) {
global $users, $curuser;
if (!$_POST ||
!isset($reqData['username'])) {
$out['actionerror'] = 'Invalid request.';
} else if (!$curuser['loggedin']) {
$out['actionerror'] = 'Your session has expired. Please log in again.';
} else if (!$users->modifyUser($curuser['userid'], array(
'username' => $reqData['username']))) {
$out['actionerror'] = 'A database error occurred. Please try again.';
} else {
$out['actionsuccess'] = true;
}
}
public function logout($dispatcher, &$reqData, &$out) {
global $users, $curuser, $psconfig;
if (!$_POST ||
!isset($reqData['userid']) ||
// some CSRF protection (client must know current userid)
($reqData['userid'] !== $curuser['userid'])) {
die;
}
$users->logout(); // this kills the `sid` cookie
setcookie('showdown_username', '', time()-60*60*24*2, '/', $psconfig['routes']['client']);
$out['actionsuccess'] = true;
}
public function getassertion($dispatcher, &$reqData, &$out) {
global $users, $curuser;
$challengeprefix = $dispatcher->verifyCrossDomainRequest();
$serverhostname = '' . $dispatcher->getServerHostName(@$reqData['serverid']);
$challengekeyid = !isset($reqData['challengekeyid']) ? -1 : intval($reqData['challengekeyid']);
$challenge = !isset($reqData['challenge']) ? '' : $reqData['challenge'];
if (!$challenge) {
$challenge = !isset($reqData['challstr']) ? '' : $reqData['challstr'];
}
header('Content-Type: text/plain; charset=utf-8');
if (empty($reqData['userid'])) {
$userid = $curuser['userid'];
if ($userid === 'guest') {
// Special error message for this case.
die(';');
}
} else {
$userid = $users->userid($reqData['userid']);
}
$serverhostname = htmlspecialchars($serverhostname); // Protect against theoretical IE6 XSS
die($users->getAssertion($userid, $serverhostname, null, $challengekeyid, $challenge, $challengeprefix));
}
public function upkeep($dispatcher, &$reqData, &$out) {
global $users, $curuser;
$challengeprefix = $dispatcher->verifyCrossDomainRequest();
$out['loggedin'] = $curuser['loggedin'];
$userid = '';
if ($curuser['loggedin']) {
$out['username'] = $curuser['username'];
$userid = $curuser['userid'];
} else if (isset($_COOKIE['showdown_username'])) {
$out['username'] = $_COOKIE['showdown_username'];
$userid = $users->userid($out['username']);
}
if ($userid !== '') {
$serverhostname = '' . $dispatcher->getServerHostName(@$reqData['serverid']);
$challengekeyid = !isset($reqData['challengekeyid']) ? -1 : intval($reqData['challengekeyid']);
$challenge = !isset($reqData['challenge']) ? '' : $reqData['challenge'];
if (!$challenge) {
$challenge = !isset($reqData['challstr']) ? '' : $reqData['challstr'];
}
$out['assertion'] = $users->getAssertion($userid, $serverhostname, null, $challengekeyid, $challenge, $challengeprefix);
}
}
public function updateuserstats($dispatcher, &$reqData, &$out) {
global $psdb;
$server = $dispatcher->findServer();
if (!$server) {
$out = 0;
return;
}
$date = @$reqData['date'];
$usercount = @$reqData['users'];
if (!is_numeric($date) || !is_numeric($usercount)) {
$out = 0;
return;
}
$out = !!$psdb->query(
"INSERT INTO `ntbb_userstats` (`serverid`, `date`, `usercount`) " .
"VALUES ('" . $psdb->escape($server['id']) . "', '" . $psdb->escape($date) . "', '" . $psdb->escape($usercount) . "') " .
"ON DUPLICATE KEY UPDATE `date`='" . $psdb->escape($date) . "', `usercount`='" . $psdb->escape($usercount) . "'");
if ($server['id'] === 'showdown') {
$psdb->query(
"INSERT INTO `ntbb_userstatshistory` (`date`, `usercount`) " .
"VALUES ('" . $psdb->escape($date) . "', '" . $psdb->escape($usercount) . "')");
}
$dispatcher->setPrefix(''); // No need for prefix since only usable by server.
}
public function prepreplay($dispatcher, &$reqData, &$out) {
global $psdb, $users;
// include_once dirname(__FILE__) . '/ntbb-ladder.lib.php'; // not clear if this is needed
$server = $dispatcher->findServer();
if (!$server) {
$out['errorip'] = $dispatcher->getIp();
return;
}
if (
// the server must be registered
!$server ||
// the server must send all the required values
!isset($reqData['id']) ||
!isset($reqData['format']) ||
!isset($reqData['loghash']) ||
!isset($reqData['p1']) ||
!isset($reqData['p2']) ||
// player usernames cannot be longer than 18 characters
(mb_strlen($reqData['p1']) > 18) ||
(mb_strlen($reqData['p2']) > 18) ||
// the battle ID must be valid
!preg_match('/^([a-z0-9]+)-[0-9]+$/', $reqData['id'], $m1) ||
// the format ID must be valid
!preg_match('/^([a-z0-9]+)$/', $reqData['format'], $m2) ||
// the format from the battle ID must match the format ID
($m1[1] !== $m2[1])) {
$out = 0;
return;
}
if ($server['id'] !== 'showdown') {
$reqData['id'] = $server['id'].'-'.$reqData['id'];
}
$reqData['serverid'] = $server['id'];
include_once __DIR__.'/../replays/replays.lib.php';
$out = $GLOBALS['Replays']->prepUpload($reqData);
$dispatcher->setPrefix(''); // No need for prefix since only usable by server.
}
public function uploadreplay($dispatcher, &$reqData, &$out) {
global $psdb, $users;
header('Content-Type: text/plain; charset=utf-8');
include __DIR__.'/../replays/replays.lib.php';
die($GLOBALS['Replays']->upload($reqData));
}
public function invalidatecss($dispatcher, &$reqData, &$out) {
$server = $dispatcher->findServer();
if (!$server) {
$out['errorip'] = $dispatcher->getIp();
return;
}
// No need to sanitise $server['id'] because it should be safe already.
$cssfile = dirname(__FILE__) . '/../../pokemonshowdown.com/config/customcss/' . $server['id'] . '.css';
@unlink($cssfile);
}
/**
* This function returns all friends of $curuser
* Formatting:
* [prefix][username]|[prefix][username]|...
* [prefix] is empty if the request has been accepted, a hash (symbol)
* if a request has been sent by the player and is still pending,
* or a comma if it is a received friend request.
* [username] is the username (yes, NAME, not id) of the player.
* Example: Zarel|,haunter|#chaos
* Zarel is already on the friend list, a friend request from haunter is
* still waiting for approval, and a friend request has been sent to
* chaos.
*/
public function getfriends($dispatcher, &$reqData, &$out) {
global $psdb, $curuser;
// A valid curuser array is needed
if (!@$curuser['loggedin'] || !@$curuser['userid']) {
die('Not using a valid nick; you should be registered and logged in in order to add friends.');
}
$player = $psdb->escape($curuser['userid']);
$friends = array();
$friendsQuery = $psdb->query(
"SELECT `us`.`username`, `fr`.`p1`, `fr`.`accepted` " .
"FROM `ntbb_friendlist` AS `fr` " .
"INNER JOIN `ntbb_users` AS `us` ON `us`.`userid` = IF(`fr`.`p1` = '" . $player . "', `fr`.`p2`, `fr`.`p1`) " .
"WHERE `p1`='" . $player . "' OR `p2`='" . $player . "'"
);
while ($friend = $psdb->fetch_assoc($friendsQuery)) {
$prefix = '';
if ((int) $friend['accepted'] === 0) {
if ($friend['p1'] === $curuser['userid']) {
// Request sent and pending
$prefix = '#';
} else {
// Received friend request
$prefix = ',';
}
}
$friends[] = $prefix . $friend['username'];
}
// We add ] here so that we can check in the client if it's a valid
// response that we've received (i.e. check if there are errors or not)
die(']' . implode('|', $friends));
}
/**
* This function does two things:
* - sends a friend request if the player is not in his/her friend list yet
* - accepts a friend request sent by the player given in the query string
*/
public function addfriend($dispatcher, &$reqData, &$out) {
global $psdb, $users, $curuser;
// A valid curuser array is needed
if (!@$curuser['loggedin'] || !@$curuser['userid']) {
die('Not using a valid nick; you should be registered and logged in in order to add friends.');
}
// Check if the other player exists
$id = $users->userid(@$reqData['player']);
if (!$id) die('Invalid playername given.');
$player = $users->getUser($id);
if (!$player) die('The given player does not exist.');
// Check if there isn't a friendship between those two already
$p1 = $psdb->escape($curuser['userid']);
$p2 = $psdb->escape($player['userid']);
$res = $psdb->query(
"SELECT p1, accepted " .
"FROM `ntbb_friendlist` " .
"WHERE (" .
"`p1`='" . $p1 . "' AND `p2`='" . $p2 . "'" .
") OR (" .
"`p1`='" . $p2 . "' AND `p2`='" . $p1 . "'" .
")"
);
$record = $psdb->fetch_assoc($res);
if ($record) {
// A record in the database exists. Now we check if it's accepted
// or not. If not, we'll accept it, otherwise send an error
if ($record['p1'] !== $curuser['userid'] && ((int) $record['accepted']) === 0) {
$psdb->query("UPDATE `ntbb_friendlist` SET `accepted` = '1' WHERE `p1`='" . $p2 . "' AND `p2`='" . $p1 . "'");
// The ] denotes that it was successful
die(']The friend request by ' . $player['username'] . ' has been accepted.');
} else {
die('This player is already in your friend list or a friend request is still pending.');
}
}
// Everything's okay, so insert it
$psdb->query("INSERT INTO `ntbb_friendlist` (`p1`, `p2`) VALUES ('" . $p1 . "', '" . $p2 . "')");
// The ] denotes that it was successful
die(']A friend request has been sent to ' . $player['username'] . '!');
}
/**
* This function simply removes the friend given in the query string.
*/
public function removefriend($dispatcher, &$reqData, &$out) {
global $psdb, $users, $curuser;
// A valid curuser array is needed
if (!@$curuser['loggedin'] || !@$curuser['userid']) {
die('Not using a valid nick; you should be registered and logged in in order to add friends.');
}
$userid = $psdb->escape($curuser['userid']);
$player = $psdb->escape($reqData['player']);
$res = $psdb->query(
"DELETE FROM `ntbb_friendlist` " .
"WHERE (" .
"`p1`='" . $userid . "' AND `p2`='" . $player . "'" .
") OR (" .
"`p1`='" . $player . "' AND `p2`='" . $userid . "'" .
") " .
"LIMIT 1"
);
if (mysqli_affected_rows($psdb->db)) die(']' . $reqData['player'] . ' has been removed from your friend list.');
die('Could not remove ' . $reqData['player'] . ' from your friend list.');
}
}
// This class should not depend on ntbb-session.lib.php.
class LadderActionHandler {
// There's no need to make a database query for this.
private function getUserData($username) {
if (!$username) $username = '';
$userid = strtr($username, "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz");
$userid = preg_replace('/[^A-Za-z0-9]+/', '', $userid);
if (mb_strlen($userid) > 18) return false;
return array('userid' => $userid, 'username' => $username);
}
public function ladderupdate($dispatcher, &$reqData, &$out) {
include_once dirname(__FILE__) . '/ntbb-ladder.lib.php';
$server = $dispatcher->findServer();
if (!$server || $server['id'] !== 'showdown') {
$out['errorip'] = "Your version of PS is too old for this ladder system. Please update.";
return;
}
$ladder = new NTBBLadder(@$reqData['format']);
$p1 = $this->getUserData(@$reqData['p1']);
$p2 = $this->getUserData(@$reqData['p2']);
if (!$p1 || !$p2) {
// The server should not send usernames > 18 characters long.
$out = 0;
return;
}
$ladder->updateRating($p1, $p2, floatval($reqData['score']));
$out['actionsuccess'] = true;
$out['p1rating'] = $p1['rating'];
$out['p2rating'] = $p2['rating'];
unset($out['p1rating']['rpdata']);
unset($out['p2rating']['rpdata']);
$dispatcher->setPrefix(''); // No need for prefix since only usable by server.
}
public function ladderget($dispatcher, &$reqData, &$out) {
global $PokemonServers;
include_once dirname(__FILE__) . '/ntbb-ladder.lib.php';
$server = @$PokemonServers[@$reqData['serverid']];
if (!$server || $server['id'] !== 'showdown') {
die;
}
$ladder = new NTBBLadder(@$reqData['format']);
$user = $this->getUserData(@$reqData['user']);
if (!$user) die;
$ladder->getAllRatings($user);
$out = $user['ratings'];
}
public function mmr($dispatcher, &$reqData, &$out) {
global $PokemonServers;
include_once dirname(__FILE__) . '/ntbb-ladder.lib.php';
$server = $dispatcher->findServer();
if (!$server || $server['id'] !== 'showdown') {
$out['errorip'] = "Your version of PS is too old for this ladder system. Please update.";
return;
}
$ladder = new NTBBLadder(@$reqData['format']);
$user = $this->getUserData(@$reqData['user']);
$out = 1000;
if ($user) {
$ladder->getRating($user);
if (@$user['rating']) {
$out = intval($user['rating']['elo']);
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink