H8-Network/TinySkin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
TinySkin/service/yggdrasil/user.go
xmdhs 838652503c
禁用用户登录
2023-10-05 15:34:26 +08:00

384 lines
11 KiB
Go
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

package yggdrasil
import (
"bytes"
"context"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"encoding/binary"
"errors"
"fmt"
"math/big"
"net/url"
"strconv"
"strings"
"time"
"github.com/google/uuid"
"github.com/samber/lo"
"github.com/xmdhs/authlib-skin/db/cache"
"github.com/xmdhs/authlib-skin/db/ent"
"github.com/xmdhs/authlib-skin/db/ent/texture"
"github.com/xmdhs/authlib-skin/db/ent/user"
"github.com/xmdhs/authlib-skin/db/ent/userprofile"
"github.com/xmdhs/authlib-skin/db/ent/usertoken"
"github.com/xmdhs/authlib-skin/model/yggdrasil"
sutils "github.com/xmdhs/authlib-skin/service/utils"
"github.com/xmdhs/authlib-skin/utils"
"github.com/xmdhs/authlib-skin/utils/sign"
)
var (
ErrRate = errors.New("频率限制")
ErrPassWord = errors.New("错误的密码或邮箱")
ErrNotUser = errors.New("没有这个用户")
ErrUserDisable = errors.New("用户被禁用")
)
func (y *Yggdrasil) validatePass(cxt context.Context, email, pass string) (*ent.User, error) {
err := rate("validatePass"+email, y.cache, 10*time.Second, 3)
if err != nil {
return nil, fmt.Errorf("validatePass: %w", err)
}
u, err := y.client.User.Query().Where(user.EmailEQ(email)).WithProfile().First(cxt)
if err != nil {
var nf *ent.NotFoundError
if errors.As(err, &nf) {
return nil, fmt.Errorf("validatePass: %w", errors.Join(ErrPassWord, err))
}
return nil, fmt.Errorf("validatePass: %w", err)
}
if !utils.Argon2Compare(pass, u.Password, u.Salt) {
return nil, fmt.Errorf("validatePass: %w", ErrPassWord)
}
return u, nil
}
func (y *Yggdrasil) Authenticate(cxt context.Context, auth yggdrasil.Authenticate) (yggdrasil.Token, error) {
u, err := y.validatePass(cxt, auth.Username, auth.Password)
if err != nil {
return yggdrasil.Token{}, fmt.Errorf("Authenticate: %w", err)
}
if sutils.IsDisable(u.State) {
return yggdrasil.Token{}, fmt.Errorf("Authenticate: %w", ErrUserDisable)
}
clientToken := auth.ClientToken
if clientToken == "" {
clientToken = strings.ReplaceAll(uuid.New().String(), "-", "")
}
var utoken *ent.UserToken
err = utils.WithTx(cxt, y.client, func(tx *ent.Tx) error {
utoken, err = tx.User.QueryToken(u).ForUpdate().First(cxt)
if err != nil {
var nf *ent.NotFoundError
if !errors.As(err, &nf) {
return err
}
}
if utoken == nil {
ut, err := tx.UserToken.Create().SetTokenID(1).SetUser(u).Save(cxt)
if err != nil {
return err
}
utoken = ut
}
return nil
})
if err != nil {
return yggdrasil.Token{}, fmt.Errorf("Authenticate: %w", err)
}
err = y.cache.Del([]byte("auth" + strconv.Itoa(u.ID)))
if err != nil {
return yggdrasil.Token{}, fmt.Errorf("Authenticate: %w", err)
}
jwts, err := newJwtToken(y.prikey, strconv.FormatUint(utoken.TokenID, 10), clientToken, u.Edges.Profile.UUID, u.ID)
if err != nil {
return yggdrasil.Token{}, fmt.Errorf("Authenticate: %w", err)
}
p := yggdrasil.UserInfo{
ID: u.Edges.Profile.UUID,
Name: u.Edges.Profile.Name,
}
return yggdrasil.Token{
AccessToken: jwts,
AvailableProfiles: []yggdrasil.UserInfo{p},
ClientToken: clientToken,
SelectedProfile: p,
User: yggdrasil.TokenUserID{
ID: utils.UUIDGen(strconv.Itoa(u.ID)),
Properties: []any{},
},
}, nil
}
func (y *Yggdrasil) ValidateToken(ctx context.Context, t yggdrasil.ValidateToken) error {
_, err := sutils.Auth(ctx, t, y.client, y.cache, &y.prikey.PublicKey, true)
if err != nil {
return fmt.Errorf("ValidateToken: %w", err)
}
return nil
}
func (y *Yggdrasil) SignOut(ctx context.Context, t yggdrasil.Pass) error {
u, err := y.validatePass(ctx, t.Username, t.Password)
if err != nil {
return fmt.Errorf("SignOut: %w", err)
}
ut, err := y.client.UserToken.Query().Where(usertoken.HasUserWith(user.IDEQ(u.ID))).First(ctx)
if err != nil {
var nf *ent.NotFoundError
if !errors.As(err, &nf) {
return fmt.Errorf("SignOut: %w", err)
}
return nil
}
err = y.client.UserToken.UpdateOne(ut).AddTokenID(1).Exec(ctx)
if err != nil {
return fmt.Errorf("SignOut: %w", err)
}
err = y.cache.Del([]byte("auth" + strconv.Itoa(u.ID)))
if err != nil {
return fmt.Errorf("SignOut: %w", err)
}
return nil
}
func (y *Yggdrasil) Invalidate(ctx context.Context, accessToken string) error {
t, err := sutils.Auth(ctx, yggdrasil.ValidateToken{AccessToken: accessToken}, y.client, y.cache, &y.prikey.PublicKey, true)
if err != nil {
return fmt.Errorf("Invalidate: %w", err)
}
err = y.client.UserToken.Update().Where(usertoken.HasUserWith(user.ID(t.UID))).AddTokenID(1).Exec(ctx)
if err != nil {
return fmt.Errorf("Invalidate: %w", err)
}
err = y.cache.Del([]byte("auth" + strconv.Itoa(t.UID)))
if err != nil {
return fmt.Errorf("Invalidate: %w", err)
}
return nil
}
func (y *Yggdrasil) Refresh(ctx context.Context, token yggdrasil.RefreshToken) (yggdrasil.Token, error) {
t, err := sutils.Auth(ctx, yggdrasil.ValidateToken{AccessToken: token.AccessToken, ClientToken: token.ClientToken}, y.client, y.cache, &y.prikey.PublicKey, false)
if err != nil {
return yggdrasil.Token{}, fmt.Errorf("Refresh: %w", err)
}
jwts, err := newJwtToken(y.prikey, t.Tid, t.CID, t.Subject, t.UID)
if err != nil {
return yggdrasil.Token{}, fmt.Errorf("Refresh: %w", err)
}
up, err := y.client.UserProfile.Query().Where(userprofile.HasUserWith(user.ID(t.UID))).First(ctx)
if err != nil {
return yggdrasil.Token{}, fmt.Errorf("Refresh: %w", err)
}
u := yggdrasil.UserInfo{ID: up.UUID, Name: up.Name}
return yggdrasil.Token{
AccessToken: jwts,
AvailableProfiles: []yggdrasil.UserInfo{u},
ClientToken: t.CID,
SelectedProfile: u,
User: yggdrasil.TokenUserID{
ID: utils.UUIDGen(strconv.Itoa(t.UID)),
Properties: []any{},
},
}, nil
}
func (y *Yggdrasil) GetProfile(ctx context.Context, uuid string, unsigned bool, host string) (yggdrasil.UserInfo, error) {
baseURl := func() string {
if y.config.TextureBaseUrl == "" {
u := &url.URL{}
u.Host = host
u.Scheme = "http"
u.Path = "texture"
return u.String()
}
return y.config.TextureBaseUrl
}()
c := cache.CacheHelp[yggdrasil.UserTextures]{Cache: y.cache}
key := []byte("Profile" + uuid)
ut, err := c.Get(key)
if err != nil {
return yggdrasil.UserInfo{}, fmt.Errorf("GetProfile: %w", err)
}
if ut.ProfileName != "" {
for k, v := range ut.Textures {
u, err := url.Parse(v.Url)
if err != nil {
return yggdrasil.UserInfo{}, fmt.Errorf("GetProfile: %w", err)
}
baseu, err := url.Parse(baseURl)
if err != nil {
return yggdrasil.UserInfo{}, fmt.Errorf("GetProfile: %w", err)
}
u.Host = baseu.Host
v.Url = u.String()
ut.Textures[k] = v
}
} else {
up, err := y.client.UserProfile.Query().Where(userprofile.UUID(uuid)).WithUsertexture().Only(ctx)
if err != nil {
var nf *ent.NotFoundError
if errors.As(err, &nf) {
return yggdrasil.UserInfo{}, fmt.Errorf("GetProfile: %w", ErrNotUser)
}
return yggdrasil.UserInfo{}, fmt.Errorf("GetProfile: %w", err)
}
ut = yggdrasil.UserTextures{
ProfileID: up.UUID,
ProfileName: up.Name,
Textures: map[string]yggdrasil.Textures{},
Timestamp: time.Now().UnixMilli(),
}
for _, v := range up.Edges.Usertexture {
dt, err := y.client.Texture.Query().Where(texture.ID(v.TextureID)).Only(ctx)
if err != nil {
return yggdrasil.UserInfo{}, fmt.Errorf("GetProfile: %w", err)
}
hashstr := dt.TextureHash
t := yggdrasil.Textures{
Url: lo.Must1(url.JoinPath(baseURl, hashstr[:2], hashstr[2:4], hashstr)),
Metadata: map[string]string{},
}
if v.Variant == "slim" {
t.Metadata["model"] = "slim"
}
ut.Textures[strings.ToTitle(v.Type)] = t
}
err = c.Put(key, ut, time.Now().Add(30*time.Minute))
if err != nil {
return yggdrasil.UserInfo{}, fmt.Errorf("GetProfile: %w", err)
}
}
texturesBase64 := ut.Base64()
pl := []yggdrasil.UserProperties{}
pl = append(pl, yggdrasil.UserProperties{
Name: "textures",
Value: texturesBase64,
})
pl = append(pl, yggdrasil.UserProperties{
Name: "uploadableTextures",
Value: "skin,cape",
})
if !unsigned {
s := sign.NewAuthlibSignWithKey(y.prikey)
for i, v := range pl {
sign, err := s.Sign([]byte(v.Value))
if err != nil {
return yggdrasil.UserInfo{}, fmt.Errorf("GetProfile: %w", err)
}
pl[i].Signature = sign
}
}
uinfo := yggdrasil.UserInfo{
ID: ut.ProfileID,
Name: ut.ProfileName,
Properties: pl,
}
return uinfo, nil
}
func (y *Yggdrasil) BatchProfile(ctx context.Context, names []string) ([]yggdrasil.UserInfo, error) {
pl, err := y.client.UserProfile.Query().Where(userprofile.NameIn(names...)).All(ctx)
if err != nil {
return nil, fmt.Errorf("BatchProfile: %w", err)
}
return lo.Map[*ent.UserProfile, yggdrasil.UserInfo](pl, func(item *ent.UserProfile, index int) yggdrasil.UserInfo {
return yggdrasil.UserInfo{
ID: item.UUID,
Name: item.Name,
}
}), nil
}
// publicKey 为 PKIX但要求 pem type 为 RSA PUBLIC KEY
// privateKey 为 PKCS #8 pem type 为 RSA PUBLIC KEY
// 签名使用 rsaWIthsha1
func (y *Yggdrasil) PlayerCertificates(ctx context.Context, token string) (yggdrasil.Certificates, error) {
t, err := sutils.Auth(ctx, yggdrasil.ValidateToken{AccessToken: token}, y.client, y.cache, &y.prikey.PublicKey, false)
if err != nil {
return yggdrasil.Certificates{}, fmt.Errorf("PlayerCertificates: %w", err)
}
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return yggdrasil.Certificates{}, fmt.Errorf("PlayerCertificates: %w", err)
}
s := sign.NewAuthlibSignWithKey(rsa2048)
priKey := lo.Must(s.GetPriKey())
pubKey := lo.Must(s.GetPKIXPubKey())
expiresAt := time.Now().Add(24 * time.Hour)
expiresAtUnix := expiresAt.UnixMilli()
pubV2, err := publicKeySignatureV2(&rsa2048.PublicKey, t.Subject, expiresAtUnix)
if err != nil {
return yggdrasil.Certificates{}, fmt.Errorf("PlayerCertificates: %w", err)
}
pub := publicKeySignature(pubKey, expiresAtUnix)
servicePri := sign.NewAuthlibSignWithKey(y.prikey)
pubV2Base64, err := servicePri.Sign(pubV2)
if err != nil {
return yggdrasil.Certificates{}, fmt.Errorf("PlayerCertificates: %w", err)
}
pubBase64, err := servicePri.Sign(pub)
if err != nil {
return yggdrasil.Certificates{}, fmt.Errorf("PlayerCertificates: %w", err)
}
return yggdrasil.Certificates{
ExpiresAt: expiresAt.Format(time.RFC3339Nano),
KeyPair: yggdrasil.CertificatesKeyPair{
PrivateKey: priKey,
PublicKey: pubKey,
},
PublicKeySignature: pubBase64,
PublicKeySignatureV2: pubV2Base64,
RefreshedAfter: time.Now().Format(time.RFC3339Nano),
}, nil
}
func publicKeySignatureV2(key *rsa.PublicKey, uuid string, expiresAt int64) ([]byte, error) {
bf := &bytes.Buffer{}
u := big.Int{}
u.SetString(uuid, 16)
bf.Write(u.Bytes())
eb := make([]byte, 8)
binary.BigEndian.PutUint64(eb, uint64(expiresAt))
bf.Write(eb)
pubKey, err := x509.MarshalPKIXPublicKey(key)
if err != nil {
return nil, fmt.Errorf("publicKeySignatureV2: %w", err)
}
bf.Write(pubKey)
return bf.Bytes(), nil
}
func publicKeySignature(key string, expiresAt int64) []byte {
bf := &bytes.Buffer{}
bf.WriteString(strconv.FormatInt(expiresAt, 10))
bf.WriteString(key)
return bf.Bytes()
}
Reference in New Issue View Git Blame Copy Permalink