Add more security

still insecure but slightly less :3
2023-07-07 19:20:32 +02:00 · 2023-07-07 19:20:32 +02:00 · 9d59b8882b
commit 9d59b8882b
parent 98cc05198f
2 changed files with 28 additions and 7 deletions
--- a/customiwmserver/database.py
+++ b/customiwmserver/database.py
@ -1,11 +1,13 @@
 from datetime import datetime
 from typing import Literal
 from pymongo import MongoClient
+from itsdangerous.serializer import Serializer
+from itsdangerous import TimestampSigner
+from os import environ, urandom
+import json

-
+# Database
 client = MongoClient("mongodb://root:catboys@mongo:27017")
-
-
 db = client["IWM_CustomServer_DB"]

 user_collection = db.users
@ -15,6 +17,12 @@ reports_collection = db.reports
 general_collection = db.general
 admin_log_collection = db.admin_log

+# Auth token stuff
+
+SECRET_KEY = environ.get("SECRET_KEY", urandom(32).hex())
+# s = TimestampSigner(SECRET_KEY)
+s = TimestampSigner(SECRET_KEY)
+

 def LogAdminAction(
    action_type: str, action_data: dict, UserID: int = None, success: bool = True
@ -28,6 +36,13 @@ def LogAdminAction(
        }
    )

+def login_auth_check(username: str, password: str):
+    # FIXME: This function currently DOES NOT perform any authentication.
+    # This means that ANYONE knowing the username could perform actions as the user.
+    query = user_collection.find_one({"Username": username})
+    if not query:
+        return False, "noauth"
+    return True, query

 def auth_check(Authorization) -> (tuple[Literal[False], Literal["noauth"]] | tuple[Literal[True], dict]):
    """Checks credentials.
@ -37,12 +52,15 @@ def auth_check(Authorization) -> (tuple[Literal[False], Literal["noauth"]] | tup
        - False if wrong username or password 
        - True, [dict] if correct
    """
-    # FIXME: This function currently DOES NOT perform any authentication.
+    # FIXME (not relevant here anymore): This function currently DOES NOT perform any authentication.
    # This means that ANYONE knowing the username could perform actions as the user.
    if Authorization is None:
        return False, "noauth"
-    username, password = Authorization.split(":")

+    # In this case I assume that the server already authenticated the user,
+    # and signed the token. 
+    username = s.unsign(Authorization).decode()
+    print("DBG[auth_check]:", username)
    query = user_collection.find_one({"Username": username})
    if not query:
        return False, "noauth"
--- a/customiwmserver/main.py
+++ b/customiwmserver/main.py
@ -39,11 +39,14 @@ async def http_exception_handler(request, exc):
 async def login(username: str = Form(), password: str = Form(), version: str = Form()):
    """User login"""
    hook.execute_hooks("player_login", username=username)
-    auth = db.auth_check(username + ":" + password)
+    auth = db.login_auth_check(username, password) 
+    # auth = db.auth_check(username + ":" + password)
    if not auth[0]:
        raise HTTPException(403, detail="Wrong username or password.")
    else:
-        return {"token": username + ":" + password, "userId": auth[1]["ID"]}
+        token = db.s.sign(username)
+        return {"token": token, "userId": auth[1]["ID"]}
+        # return {"token": username + ":" + password, "userId": auth[1]["ID"]}


@app.put("/api/v1/user")