mirror of
https://github.com/smogon/pokemon-showdown-loginserver.git
synced 2026-04-26 09:43:03 -05:00
Fix bugs in OAuth UI
This commit is contained in:
Mia
parent
df7194b914
commit
2810ce68c6
|
|
@ -16,7 +16,7 @@ import IPTools from './ip-tools';
|
|||
import * as crypto from 'crypto';
|
||||
import * as url from 'url';
|
||||
|
||||
const OAUTH_TOKEN_TIME = 2 * 7 * 24 * 60 * 1000;
|
||||
const OAUTH_TOKEN_TIME = 2 * 7 * 24 * 60 * 60 * 1000;
|
||||
|
||||
async function getOAuthClient(clientId?: string, origin?: string) {
|
||||
if (!clientId) throw new ActionError("No client_id provided.");
|
||||
|
|
@ -274,7 +274,7 @@ export const actions: {[k: string]: QueryHandler} = {
|
|||
},
|
||||
|
||||
async getassertion(params) {
|
||||
this.setPrefix('');
|
||||
this.verifyCrossDomainRequest();
|
||||
params.userid = toID(params.userid) || this.user.id;
|
||||
// NaN is falsy so this validates
|
||||
const challengekeyid = Number(params.challengekeyid) || -1;
|
||||
|
|
@ -573,15 +573,13 @@ export const actions: {[k: string]: QueryHandler} = {
|
|||
if (!token) {
|
||||
throw new ActionError('No token provided.');
|
||||
}
|
||||
const tokenEntry = await (
|
||||
tables.oauthTokens.selectOne()
|
||||
)`WHERE owner = ${this.user.id} and client = ${clientInfo.id}`;
|
||||
if (!tokenEntry || tokenEntry.id !== token) {
|
||||
const tokenEntry = await tables.oauthTokens.get(token);
|
||||
if (!tokenEntry) {
|
||||
return {success: false};
|
||||
}
|
||||
const id = crypto.randomBytes(16).toString('hex');
|
||||
await tables.oauthTokens.insert({
|
||||
id, owner: this.user.id, client: clientInfo.id, time: Date.now(),
|
||||
id, owner: tokenEntry.owner, client: clientInfo.id, time: Date.now(),
|
||||
});
|
||||
await tables.oauthTokens.delete(tokenEntry.id);
|
||||
return {success: id, expires: Date.now() + OAUTH_TOKEN_TIME};
|
||||
|
|
@ -590,7 +588,7 @@ export const actions: {[k: string]: QueryHandler} = {
|
|||
// validate assertion & get token if it's valid
|
||||
async 'oauth/api/getassertion'(params) {
|
||||
this.allowCORS();
|
||||
const client = await getOAuthClient(params.client_id);
|
||||
await getOAuthClient(params.client_id);
|
||||
const token = (params.token || "").toString();
|
||||
if (!token) {
|
||||
throw new ActionError('No token provided.');
|
||||
|
|
@ -599,14 +597,17 @@ export const actions: {[k: string]: QueryHandler} = {
|
|||
if (!challstr) {
|
||||
throw new ActionError('No challstr provided.');
|
||||
}
|
||||
const tokenEntry = await (
|
||||
tables.oauthTokens.selectOne()
|
||||
)`WHERE owner = ${this.user.id} and client = ${client.id}`;
|
||||
const tokenEntry = await tables.oauthTokens.get(token);
|
||||
if (!tokenEntry || tokenEntry.id !== token) {
|
||||
return {success: false};
|
||||
}
|
||||
if ((Date.now() - tokenEntry.time) > OAUTH_TOKEN_TIME) { // 2w
|
||||
await tables.oauthTokens.delete(tokenEntry.id);
|
||||
return {success: false};
|
||||
}
|
||||
this.user.login(tokenEntry.owner);
|
||||
return this.session.getAssertion(
|
||||
tokenEntry.owner, Config.challengekeyid, this.user, challstr
|
||||
this.user.id, Config.challengekeyid, this.user, challstr
|
||||
);
|
||||
},
|
||||
|
||||
|
|
|
|||
|
|
@ -71,7 +71,7 @@
|
|||
$.get('/api/oauth/api/getassertion', {
|
||||
token: params.get('token'),
|
||||
client_id: params.get('client_id'),
|
||||
challenge: params.get('challenge'),
|
||||
challenge: params.get('challenge') || params.get('challstr'),
|
||||
}, safeJSON(function (data) {
|
||||
if (data.success === false) {
|
||||
params.delete('token');
|
||||
|
|
|
|||
|
|
@ -178,7 +178,7 @@ export class ActionContext {
|
|||
return result;
|
||||
}
|
||||
allowCORS(origin?: string) {
|
||||
if (!origin) origin = this.request.headers.origin || "*";
|
||||
if (!origin) origin = this.request.headers.origin || '*';
|
||||
this.setHeader('Access-Control-Allow-Origin', origin);
|
||||
this.setHeader('Access-Control-Allow-Credentials', 'true');
|
||||
}
|
||||
|
|
@ -211,17 +211,21 @@ export class ActionContext {
|
|||
}
|
||||
isTrustedProxy(ip: string) {
|
||||
// account for shit like ::ffff:127.0.0.1
|
||||
return Config.trustedproxies.some(f => IPTools.checkPattern(f, ip));
|
||||
return ip === '::ffff:127.0.0.1' || Config.trustedproxies.some(f => IPTools.checkPattern(f, ip));
|
||||
}
|
||||
_ip = '';
|
||||
getIp() {
|
||||
if (this._ip) return this._ip;
|
||||
const ip = this.request.socket.remoteAddress || "";
|
||||
let forwarded = this.request.headers['x-forwarded-for'] || '';
|
||||
if (!Array.isArray(forwarded)) forwarded = forwarded.split(',');
|
||||
const notProxy = forwarded.filter(f => !this.isTrustedProxy(f));
|
||||
if (notProxy.length !== forwarded.length) {
|
||||
return notProxy.pop() || ip;
|
||||
this._ip = notProxy.pop() || ip;
|
||||
return this._ip;
|
||||
}
|
||||
return ip || '';
|
||||
this._ip = ip || '';
|
||||
return this._ip;
|
||||
}
|
||||
setHeader(name: string, value: string | string[]) {
|
||||
this.response.setHeader(name, value);
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user