support for updating token

pydt · Dec 17, 2024 · a78e5af · a78e5af
1 parent 5b17a72
commit a78e5af
Show file tree

Hide file tree

Showing 6 changed files with 78 additions and 15 deletions.
diff --git a/api/controllers/authController.ts b/api/controllers/authController.ts
@@ -1,19 +1,26 @@
 import * as querystring from 'querystring';
-import { Get, Request, Route, Tags } from 'tsoa';
+import { Get, Request, Response, Route, Security, Tags } from 'tsoa';
 
 import { JwtUtil } from '../../lib/auth/jwtUtil';
 import { IUserRepository, USER_REPOSITORY_SYMBOL } from '../../lib/dynamoose/userRepository';
 import { inject, provideSingleton } from '../../lib/ioc';
 import { pydtLogger } from '../../lib/logging';
 import { SteamProfile, User } from '../../lib/models';
 import { steamPassport } from '../../lib/steamUtil';
-import { HttpRequest, HttpResponseError } from '../framework';
+import { ErrorResponse, HttpRequest, HttpResponseError } from '../framework';
+import {
+  IPrivateUserDataRepository,
+  PRIVATE_USER_DATA_REPOSITORY_SYMBOL
+} from '../../lib/dynamoose/privateUserDataRepository';
 
 @Route('auth')
 @Tags('auth')
 @provideSingleton(AuthController)
 export class AuthController {
-  constructor(@inject(USER_REPOSITORY_SYMBOL) private userRepository: IUserRepository) {}
+  constructor(
+    @inject(USER_REPOSITORY_SYMBOL) private userRepository: IUserRepository,
+    @inject(PRIVATE_USER_DATA_REPOSITORY_SYMBOL) private pudRepository: IPrivateUserDataRepository
+  ) {}
 
   @Get('steam')
   public authenticate(@Request() request: HttpRequest): Promise<AuthenticateResponse> {
@@ -53,6 +60,22 @@ export class AuthController {
     });
   }
 
+  @Get('auth/updateTokenNonce')
+  @Security('api_key')
+  @Response<ErrorResponse>(401, 'Unauthorized')
+  public async updateTokenNonce(@Request() request: HttpRequest): Promise<string> {
+    const pud = await this.pudRepository.get(request.user);
+
+    pud.tokenNonce = (pud.tokenNonce || 0) + 1;
+
+    await this.pudRepository.saveVersioned(pud);
+
+    return JwtUtil.createToken({
+      steamId: request.user,
+      nonce: pud.tokenNonce
+    });
+  }
+
   @Get('steam/validate')
   public validate(@Request() request: HttpRequest): Promise<ValidateResponse> {
     return new Promise((resolve, reject) => {
@@ -96,8 +119,14 @@ export class AuthController {
               return this.userRepository.saveVersioned(dbUser);
             })
             .then(() => {
+              return this.pudRepository.get(user.profile.id);
+            })
+            .then(pud => {
               resolve({
-                token: JwtUtil.createToken(user.profile.id),
+                token: JwtUtil.createToken({
+                  steamId: user.profile.id,
+                  nonce: pud.tokenNonce
+                }),
                 steamProfile: user.profile._json
               });
             })

diff --git a/api/websocket.ts b/api/websocket.ts
@@ -3,6 +3,7 @@ import { JwtUtil } from '../lib/auth/jwtUtil';
 import { loggingHandler, pydtLogger } from '../lib/logging';
 import { IWebsocketProvider, WEBSOCKET_PROVIDER_SYMBOL } from '../lib/websocketProvider';
 import { LambdaProxyEvent } from './framework';
+import { validateNonce } from '../lib/auth/expressAuthentication';
 
 export const handler = loggingHandler(async (event: LambdaProxyEvent, context, iocContainer) => {
   const doug = iocContainer.resolve(WebsocketHandler);
@@ -27,8 +28,11 @@ export class WebsocketHandler {
 
       case 'auth':
         // validate token and tie user to connection
-        const steamId = JwtUtil.parseToken(body);
-        await this.wsProvider.registerUser(steamId, connectionId);
+        const data = JwtUtil.parseToken(body);
+
+        await validateNonce(data);
+
+        await this.wsProvider.registerUser(data.steamId, connectionId);
         break;
 
       case '$disconnect':

diff --git a/lib/auth/expressAuthentication.ts b/lib/auth/expressAuthentication.ts
@@ -1,7 +1,19 @@
 import { HttpRequest, HttpResponseError } from '../../api/framework/index';
 import { Config } from '../config';
+import { PrivateUserDataRepository } from '../dynamoose/privateUserDataRepository';
+import { iocContainer } from '../ioc';
 import { pydtLogger } from '../logging';
-import { JwtUtil } from './jwtUtil';
+import { JwtData, JwtUtil } from './jwtUtil';
+
+export async function validateNonce(data: JwtData) {
+  const pudRepo = iocContainer.resolve(PrivateUserDataRepository);
+  const pud = await pudRepo.get(data.steamId);
+
+  if ((pud.tokenNonce || -1) !== (data.nonce || -1)) {
+    pydtLogger.warn(`Nonce mismatch: ${pud.tokenNonce} vs ${data.nonce}`);
+    throw HttpResponseError.createUnauthorized();
+  }
+}
 
 export async function expressAuthentication(
   request: HttpRequest,
@@ -14,11 +26,14 @@ export async function expressAuthentication(
   if (securityName === 'api_key') {
     try {
       if (request.headers && request.headers['authorization']) {
-        const steamId = JwtUtil.parseToken(request.headers['authorization']);
+        const data = JwtUtil.parseToken(request.headers['authorization']);
+
+        await validateNonce(data);
+
         if (!Config.runningLocal) {
-          request.subSegment.addAnnotation('user', steamId);
+          request.subSegment.addAnnotation('user', data.steamId);
         }
-        return steamId;
+        return data.steamId;
       }
     } catch (e) {
       pydtLogger.warn('Error parsing JWT token', e);

diff --git a/lib/auth/jwtUtil.ts b/lib/auth/jwtUtil.ts
@@ -1,12 +1,25 @@
 import * as jwt from 'jsonwebtoken';
 import { Config } from '../config';
 
+export type JwtData = {
+  steamId: string;
+  nonce?: number;
+};
+
 export class JwtUtil {
-  public static createToken(steamId: string): string {
-    return jwt.sign(steamId, Config.jwtSecret);
+  public static createToken(data: JwtData): string {
+    return jwt.sign(data, Config.jwtSecret);
   }
 
-  public static parseToken(token: string): string {
-    return jwt.verify(token, Config.jwtSecret);
+  public static parseToken(token: string): JwtData {
+    const data = jwt.verify(token, Config.jwtSecret);
+
+    if (!data.steamId) {
+      return {
+        steamId: data
+      };
+    }
+
+    return data;
   }
 }
diff --git a/lib/dynamoose/privateUserDataRepository.ts b/lib/dynamoose/privateUserDataRepository.ts
@@ -49,7 +49,8 @@ export class PrivateUserDataRepository
         schema: [String]
       },
       newGameEmailFilter: String,
-      lastTurnIpAddress: String
+      lastTurnIpAddress: String,
+      tokenNonce: Number
     });
   }
 

diff --git a/lib/models/privateUserData.ts b/lib/models/privateUserData.ts
@@ -10,6 +10,7 @@ export interface PrivateUserData {
   newGameEmailTypes?: string[];
   newGameEmailFilter?: string;
   lastTurnIpAddress?: string;
+  tokenNonce?: number;
 }
 
 export interface WebPushSubscription {