From 77ae329d6ef39c055d5710ee209cf0bec2a2d167 Mon Sep 17 00:00:00 2001 From: Lixfel Date: Mon, 26 Sep 2022 16:10:39 +0200 Subject: [PATCH] Bugfixes --- bukkit/build.gradle | 3 --- .../lixfel/altauth/bungee/AltAuthBungee.java | 7 ++++-- .../lixfel/altauth/bungee/AltAuthHandler.java | 10 +++----- fabric/src/altauth.accesswidener | 1 - .../fabric/mixin/LoginRequestMixin.java | 6 ++--- proxy.py | 25 +++++++++++-------- 6 files changed, 25 insertions(+), 27 deletions(-) mode change 100644 => 100755 proxy.py diff --git a/bukkit/build.gradle b/bukkit/build.gradle index 78be4fc..5bfa8ca 100644 --- a/bukkit/build.gradle +++ b/bukkit/build.gradle @@ -27,9 +27,6 @@ dependencies { compileOnly 'org.spigotmc:spigot-api:1.19-R0.1-SNAPSHOT' compileOnly 'io.netty:netty-all:4.1.68.Final' - //compileOnly swdep("Spigot-1.8") files("${rootDir}/lib/${s}.jar") - //compileOnly swdep("Spigot-1.19") files("${rootDir}/lib/${s}.jar") - compileOnly 'org.projectlombok:lombok:1.18.22' testCompileOnly 'org.projectlombok:lombok:1.18.22' annotationProcessor 'org.projectlombok:lombok:1.18.22' diff --git a/bungee/src/de/lixfel/altauth/bungee/AltAuthBungee.java b/bungee/src/de/lixfel/altauth/bungee/AltAuthBungee.java index 22611fc..d4ce7fd 100644 --- a/bungee/src/de/lixfel/altauth/bungee/AltAuthBungee.java +++ b/bungee/src/de/lixfel/altauth/bungee/AltAuthBungee.java @@ -21,10 +21,13 @@ public class AltAuthBungee extends Plugin implements Listener { @Override public void onEnable() { - File config = new File(getDataFolder(), "config.yml"); + File dataFolder = getDataFolder(); + File config = new File(dataFolder, "config.yml"); ConfigurationProvider provider = ConfigurationProvider.getProvider(YamlConfiguration.class); if(!config.exists()) { + dataFolder.mkdir(); + try (InputStream in = getResourceAsStream("config.yml")) { try (FileOutputStream out = new FileOutputStream(config)) { int read; @@ -33,7 +36,7 @@ public class AltAuthBungee extends Plugin implements Listener { out.write(buffer, 0, read); } } catch (IOException e) { - throw new IllegalStateException("Could not create config"); + throw new IllegalStateException("Could not create config", e); } } diff --git a/bungee/src/de/lixfel/altauth/bungee/AltAuthHandler.java b/bungee/src/de/lixfel/altauth/bungee/AltAuthHandler.java index 0c94f54..ecc8969 100644 --- a/bungee/src/de/lixfel/altauth/bungee/AltAuthHandler.java +++ b/bungee/src/de/lixfel/altauth/bungee/AltAuthHandler.java @@ -34,7 +34,7 @@ import java.util.List; import java.util.UUID; import java.util.logging.Level; -public class AltAuthHandler extends MessageToMessageCodec { +public class AltAuthHandler extends MessageToMessageCodec { private static final Class InitialHandler = ReflectionUtil.getClass("net.md_5.bungee.connection.InitialHandler"); private static final ReflectionUtil.FieldWrapper CH = ReflectionUtil.getField(InitialHandler, ChannelWrapper.class, 0); @@ -54,17 +54,14 @@ public class AltAuthHandler extends MessageToMessageCodec out) { - DefinedPacket packet = packetWrapper.packet; - + protected void encode(ChannelHandlerContext ctx, DefinedPacket packet, List out) { if(packet instanceof EncryptionRequest) ((EncryptionRequest)packet).setServerId(altAuthUrl); - out.add(packetWrapper); + out.add(packet); } @SuppressWarnings("deprecation") @@ -76,6 +73,7 @@ public class AltAuthHandler extends MessageToMessageCodec client.setScreen(new TrustServerScreen(server, cs.parent))); } diff --git a/proxy.py b/proxy.py old mode 100644 new mode 100755 index 63f7e55..f88eff1 --- a/proxy.py +++ b/proxy.py @@ -1,6 +1,7 @@ #!/usr/bin/env python3 # SPDX-License-Identifier: MIT +from traceback import format_exc from collections import namedtuple from typing import Dict from json import dumps, loads @@ -14,7 +15,9 @@ from http.server import ThreadingHTTPServer, BaseHTTPRequestHandler # Set this to True if behind an ip masking proxy (with X-Forwarded-For support) while using prevent-proxy-connections -behind_proxy = False +behind_proxy = True +# Address and port to listen to +bind_to = ('127.0.0.1', 8080) # Should mojang accounts be allowed to join with this AltAuth proxy allow_mojang_accounts = True # Should banned microsoft accounts ("UserBannedException") be allowed to join? @@ -67,7 +70,7 @@ class AltAuthRequestHandler(BaseHTTPRequestHandler): content_length = int(self.headers['Content-Length']) if content_length > 1024: - raise Exception() + raise Exception("Unusual large request (malicious actor?)") request = loads(self.rfile.read(content_length)) access_token = request["accessToken"] @@ -78,12 +81,12 @@ class AltAuthRequestHandler(BaseHTTPRequestHandler): now = time() use_altauth = False - if token["exp"] >= now: # check token expiration date - raise Exception() + if token["exp"] <= now: # check token expiration date + raise Exception("Expired token") if token["iss"] == "Yggdrasil-Auth" and allow_mojang_accounts: # Mojang account if token["spr"] != selected_profile: - raise Exception() + raise Exception("UUIDs don't match (malicious actor?)") # Valid token (even on other ip): 204 # Invalid token: 403 {"error": "ForbiddenOperationException", "errorMessage": "Invalid token"} @@ -91,7 +94,7 @@ class AltAuthRequestHandler(BaseHTTPRequestHandler): "accessToken": access_token }) if code != 204: - raise Exception() + raise Exception("Token invalid for unknown reasons") use_altauth = True @@ -124,7 +127,7 @@ class AltAuthRequestHandler(BaseHTTPRequestHandler): if code != 204 and data: self.wfile.write(data) except BaseException as e: - print(e) + self.log_message("Exception handling request: %s", format_exc()) # The client continues the login process with a 500 response, therefore 403 instead self.send_response(HTTPStatus.FORBIDDEN) @@ -151,7 +154,7 @@ class AltAuthRequestHandler(BaseHTTPRequestHandler): if altauth_client and "ip" in query: if query.pop("ip") != cached_profile.ip: - raise Exception() + raise Exception("IPs don't match (prevent-proxy-connections)") if altauth_client and cached_profile.use_altauth: code, data = moj_request( @@ -161,7 +164,7 @@ class AltAuthRequestHandler(BaseHTTPRequestHandler): if data: profile = loads(data) if profile["name"] != username: # Disarm server_id hash collisions and prevent username spoofing - raise Exception() + raise Exception("Usernames don't match (potential hash collision)") elif "ip" in query: code, data = moj_request( f"https://sessionserver.mojang.com/session/minecraft/hasJoined?username={username}&serverId={server_id}&ip={query['ip']}" @@ -175,7 +178,7 @@ class AltAuthRequestHandler(BaseHTTPRequestHandler): self.end_headers() self.wfile.write(data) except BaseException as e: - print(e) + self.log_message("Exception handling request: %s", format_exc()) self.send_response(HTTPStatus.FORBIDDEN) self.end_headers() @@ -183,4 +186,4 @@ class AltAuthRequestHandler(BaseHTTPRequestHandler): if __name__ == '__main__': Thread(target=timeout_cleaner, name="TimeoutCleanup", daemon=True).start() - ThreadingHTTPServer(('127.0.0.1', 8080), AltAuthRequestHandler).serve_forever() + ThreadingHTTPServer(bind_to, AltAuthRequestHandler).serve_forever()