Introduce revokation mechanism

2025-05-31 14:11:46 +05:30 · 2019-12-10 01:38:09 +03:00
parent ba7fad84a0
commit 016a193263
11 changed files with 103 additions and 20 deletions
--- a/api/components/Tokens/Component.php
+++ b/api/components/Tokens/Component.php
@@ -36,7 +36,7 @@ class Component extends BaseComponent {
    public $privateKeyPass;

    /**
-     * @var string|\Defuse\Crypto\Key
+     * @var string
     */
    public $encryptionKey;

--- a/api/components/User/Component.php
+++ b/api/components/User/Component.php
@@ -5,6 +5,8 @@ namespace api\components\User;

 use common\models\Account;
 use common\models\AccountSession;
+use common\models\OauthClient;
+use Webmozart\Assert\Assert;
 use yii\web\User as YiiUserComponent;

 /**
@@ -78,6 +80,15 @@ class Component extends YiiUserComponent {
        }

        if (!($mode & self::KEEP_MINECRAFT_SESSIONS)) {
+            /** @var \common\models\OauthSession|null $minecraftSession */
+            $minecraftSession = $account->getSessions()
+                ->andWhere(['client_id' => OauthClient::UNAUTHORIZED_MINECRAFT_GAME_LAUNCHER])
+                ->one();
+            if ($minecraftSession !== null) {
+                $minecraftSession->revoked_at = time();
+                Assert::true($minecraftSession->save());
+            }
+
            foreach ($account->minecraftAccessKeys as $minecraftAccessKey) {
                $minecraftAccessKey->delete();
            }
--- a/api/components/User/JwtIdentity.php
+++ b/api/components/User/JwtIdentity.php
@@ -6,6 +6,8 @@ namespace api\components\User;
 use api\components\Tokens\TokenReader;
 use Carbon\Carbon;
 use common\models\Account;
+use common\models\OauthClient;
+use common\models\OauthSession;
 use Exception;
 use Lcobucci\JWT\Token;
 use Lcobucci\JWT\ValidationData;
@@ -50,9 +52,25 @@ class JwtIdentity implements IdentityInterface {
            throw new UnauthorizedHttpException('Incorrect token');
        }

+        $tokenReader = new TokenReader($token);
+        $accountId = $tokenReader->getAccountId();
+        $iat = $token->getClaim('iat');
+        if ($tokenReader->getMinecraftClientToken() !== null && self::isRevoked($accountId, OauthClient::UNAUTHORIZED_MINECRAFT_GAME_LAUNCHER, $iat)) {
+            throw new UnauthorizedHttpException('Token has been revoked');
+        }
+
+        if ($tokenReader->getClientId() !== null && self::isRevoked($accountId, $tokenReader->getClientId(), $iat)) {
+            throw new UnauthorizedHttpException('Token has been revoked');
+        }
+
        return new self($token);
    }

+    private static function isRevoked(int $accountId, string $clientId, int $iat): bool {
+        $session = OauthSession::findOne(['account_id' => $accountId, 'client_id' => $clientId]);
+        return $session !== null && $session->revoked_at !== null &&  $session->revoked_at > $iat;
+    }
+
    public function getToken(): Token {
        return $this->token;
    }