Remove minecraft_access_keys table and all related code

This commit is contained in:
ErickSkrauch 2024-06-14 05:42:35 +02:00
parent 2111e1769f
commit 0c110213f4
No known key found for this signature in database
GPG Key ID: 669339FCBB30EE0E
21 changed files with 69 additions and 321 deletions

View File

@ -88,10 +88,6 @@ class Component extends YiiUserComponent {
$minecraftSession->revoked_at = time(); $minecraftSession->revoked_at = time();
Assert::true($minecraftSession->save()); Assert::true($minecraftSession->save());
} }
foreach ($account->minecraftAccessKeys as $minecraftAccessKey) {
$minecraftAccessKey->delete();
}
} }
} }

View File

@ -10,7 +10,6 @@ use api\modules\authserver\validators\AccessTokenValidator;
use api\modules\authserver\validators\RequiredValidator; use api\modules\authserver\validators\RequiredValidator;
use api\rbac\Permissions as P; use api\rbac\Permissions as P;
use common\models\Account; use common\models\Account;
use common\models\MinecraftAccessKey;
use common\models\OauthClient; use common\models\OauthClient;
use common\models\OauthSession; use common\models\OauthSession;
use Webmozart\Assert\Assert; use Webmozart\Assert\Assert;
@ -48,17 +47,6 @@ class RefreshTokenForm extends ApiForm {
*/ */
public function refresh(): AuthenticateData { public function refresh(): AuthenticateData {
$this->validate(); $this->validate();
$account = null;
if (mb_strlen($this->accessToken) === 36) {
/** @var MinecraftAccessKey $token */
$token = MinecraftAccessKey::findOne([
'access_token' => $this->accessToken,
'client_token' => $this->clientToken,
]);
if ($token !== null) {
$account = $token->account;
}
} else {
$token = Yii::$app->tokens->parse($this->accessToken); $token = Yii::$app->tokens->parse($this->accessToken);
$tokenReader = new TokenReader($token); $tokenReader = new TokenReader($token);
if ($tokenReader->getMinecraftClientToken() !== $this->clientToken) { if ($tokenReader->getMinecraftClientToken() !== $this->clientToken) {
@ -66,8 +54,6 @@ class RefreshTokenForm extends ApiForm {
} }
$account = Account::findOne(['id' => $tokenReader->getAccountId()]); $account = Account::findOne(['id' => $tokenReader->getAccountId()]);
}
if ($account === null) { if ($account === null) {
throw new ForbiddenOperationException('Invalid token.'); throw new ForbiddenOperationException('Invalid token.');
} }

View File

@ -7,7 +7,6 @@ use api\components\Tokens\TokenReader;
use api\modules\authserver\exceptions\ForbiddenOperationException; use api\modules\authserver\exceptions\ForbiddenOperationException;
use Carbon\Carbon; use Carbon\Carbon;
use common\models\Account; use common\models\Account;
use common\models\MinecraftAccessKey;
use Exception; use Exception;
use Yii; use Yii;
use yii\validators\Validator; use yii\validators\Validator;
@ -22,16 +21,10 @@ class AccessTokenValidator extends Validator {
public bool $verifyAccount = true; public bool $verifyAccount = true;
/** /**
* @param string $value
*
* @return array|null * @return array|null
* @throws ForbiddenOperationException * @throws ForbiddenOperationException
*/ */
protected function validateValue($value): ?array { protected function validateValue($value): ?array {
if (mb_strlen($value) === 36) {
return $this->validateLegacyToken($value);
}
try { try {
$token = Yii::$app->tokens->parse($value); $token = Yii::$app->tokens->parse($value);
} catch (Exception $e) { } catch (Exception $e) {
@ -53,30 +46,6 @@ class AccessTokenValidator extends Validator {
return null; return null;
} }
/**
* @param string $value
*
* @return array|null
* @throws ForbiddenOperationException
*/
private function validateLegacyToken(string $value): ?array {
/** @var MinecraftAccessKey|null $result */
$result = MinecraftAccessKey::findOne(['access_token' => $value]);
if ($result === null) {
throw new ForbiddenOperationException(self::INVALID_TOKEN);
}
if ($this->verifyExpiration && $result->isExpired()) {
throw new ForbiddenOperationException(self::TOKEN_EXPIRED);
}
if ($this->verifyAccount && !$this->validateAccount($result->account_id)) {
throw new ForbiddenOperationException(self::INVALID_TOKEN);
}
return null;
}
private function validateAccount(int $accountId): bool { private function validateAccount(int $accountId): bool {
/** @var Account|null $account */ /** @var Account|null $account */
$account = Account::find()->excludeDeleted()->andWhere(['id' => $accountId])->one(); $account = Account::find()->excludeDeleted()->andWhere(['id' => $accountId])->one();

View File

@ -9,9 +9,9 @@ use api\modules\session\models\protocols\JoinInterface;
use api\modules\session\Module as Session; use api\modules\session\Module as Session;
use api\modules\session\validators\RequiredValidator; use api\modules\session\validators\RequiredValidator;
use api\rbac\Permissions as P; use api\rbac\Permissions as P;
use Closure;
use common\helpers\StringHelper; use common\helpers\StringHelper;
use common\models\Account; use common\models\Account;
use common\models\MinecraftAccessKey;
use Ramsey\Uuid\Uuid; use Ramsey\Uuid\Uuid;
use Webmozart\Assert\Assert; use Webmozart\Assert\Assert;
use Yii; use Yii;
@ -47,13 +47,12 @@ class JoinForm extends Model {
public function rules(): array { public function rules(): array {
return [ return [
[['accessToken', 'serverId'], RequiredValidator::class], [['accessToken', 'serverId'], RequiredValidator::class],
[['accessToken', 'selectedProfile'], 'validateUuid'], [['accessToken', 'selectedProfile'], Closure::fromCallable([$this, 'validateUuid'])],
[['accessToken'], 'validateAccessToken'], [['accessToken'], Closure::fromCallable([$this, 'validateAccessToken'])],
]; ];
} }
/** /**
* @return bool
* @throws IllegalArgumentException * @throws IllegalArgumentException
* @throws ForbiddenOperationException * @throws ForbiddenOperationException
*/ */
@ -66,7 +65,7 @@ class JoinForm extends Model {
return false; return false;
} }
$account = $this->getAccount(); $account = $this->account;
$sessionModel = new SessionModel($account->username, $serverId); $sessionModel = new SessionModel($account->username, $serverId);
Assert::true($sessionModel->save()); Assert::true($sessionModel->save());
@ -96,7 +95,7 @@ class JoinForm extends Model {
* *
* @throws IllegalArgumentException * @throws IllegalArgumentException
*/ */
public function validateUuid(string $attribute): void { private function validateUuid(string $attribute): void {
if ($this->hasErrors($attribute)) { if ($this->hasErrors($attribute)) {
return; return;
} }
@ -109,25 +108,15 @@ class JoinForm extends Model {
/** /**
* @throws \api\modules\session\exceptions\ForbiddenOperationException * @throws \api\modules\session\exceptions\ForbiddenOperationException
*/ */
public function validateAccessToken(): void { private function validateAccessToken(): void {
$accessToken = $this->accessToken; $accessToken = $this->accessToken;
/** @var MinecraftAccessKey|null $accessModel */
$accessModel = MinecraftAccessKey::findOne(['access_token' => $accessToken]);
if ($accessModel !== null) {
Yii::$app->statsd->inc('sessionserver.authentication.legacy_minecraft_protocol');
/** @var MinecraftAccessKey|\api\components\OAuth2\Entities\AccessTokenEntity $accessModel */
if ($accessModel->isExpired()) {
Session::error("User with access_token = '{$accessToken}' failed join by expired access_token.");
Yii::$app->statsd->inc('sessionserver.authentication.legacy_minecraft_protocol_token_expired');
throw new ForbiddenOperationException('Expired access_token.');
}
$account = $accessModel->account;
} else {
try { try {
$identity = Yii::$app->user->loginByAccessToken($accessToken); $identity = Yii::$app->user->loginByAccessToken($accessToken);
} catch (UnauthorizedHttpException $e) { } catch (UnauthorizedHttpException $e) {
if ($e->getMessage() === 'Token expired') {
throw new ForbiddenOperationException('Expired access_token.', 0, $e);
}
$identity = null; $identity = null;
} }
@ -146,8 +135,8 @@ class JoinForm extends Model {
throw new ForbiddenOperationException('The token does not have required scope.'); throw new ForbiddenOperationException('The token does not have required scope.');
} }
/** @var Account $account */
$account = $identity->getAccount(); $account = $identity->getAccount();
}
$selectedProfile = $this->selectedProfile; $selectedProfile = $this->selectedProfile;
$isUuid = StringHelper::isUuid($selectedProfile); $isUuid = StringHelper::isUuid($selectedProfile);
@ -172,10 +161,6 @@ class JoinForm extends Model {
$this->account = $account; $this->account = $account;
} }
protected function getAccount(): Account {
return $this->account;
}
private function normalizeUUID(string $uuid): string { private function normalizeUUID(string $uuid): string {
return Uuid::fromString($uuid)->toString(); return Uuid::fromString($uuid)->toString();
} }

View File

@ -68,7 +68,7 @@ class JoinCest {
public function joinWithExpiredToken(FunctionalTester $I) { public function joinWithExpiredToken(FunctionalTester $I) {
$I->wantTo('join to some server with expired accessToken'); $I->wantTo('join to some server with expired accessToken');
$I->sendPOST('/api/authlib-injector/sessionserver/session/minecraft/join', [ $I->sendPOST('/api/authlib-injector/sessionserver/session/minecraft/join', [
'accessToken' => '6042634a-a1e2-4aed-866c-c661fe4e63e2', 'accessToken' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1MTgzMzQ3NDMsImV4cCI6MTUxODMzNDc5MCwiY2xpZW50X2lkIjoiZWx5Iiwic2NvcGUiOiJtaW5lY3JhZnRfc2VydmVyX3Nlc3Npb24iLCJzdWIiOiJlbHl8MSJ9.0mBXezB2p0eGuusZDklthR8xQLGo-v1qoP0GPdEPpYvckJMoHmlSqiW-2WwLlxGK0_J4KmYlp5vM4ynE14armw',
'selectedProfile' => 'df936908-b2e1-544d-96f8-2977ec213022', 'selectedProfile' => 'df936908-b2e1-544d-96f8-2977ec213022',
'serverId' => uuid(), 'serverId' => uuid(),
]); ]);
@ -125,7 +125,7 @@ class JoinCest {
public function joinByAccountMarkedForDeletion(FunctionalTester $I) { public function joinByAccountMarkedForDeletion(FunctionalTester $I) {
$I->sendPOST('/api/authlib-injector/sessionserver/session/minecraft/join', [ $I->sendPOST('/api/authlib-injector/sessionserver/session/minecraft/join', [
'accessToken' => '239ba889-7020-4383-8d99-cd8c8aab4a2f', 'accessToken' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1MTgzMzQ3NDMsImNsaWVudF9pZCI6ImVseSIsInNjb3BlIjoibWluZWNyYWZ0X3NlcnZlcl9zZXNzaW9uIiwic3ViIjoiZWx5fDE1In0.2qla7RzReBi2WtfgP3x8T6ZA0wn9HOrQo57xaZc2wMKPo1Zc49_o6w-5Ku1tbvzmESZfAxNQpfY4EwclEWjHYA',
'selectedProfile' => '6383de63-8f85-4ed5-92b7-5401a1fa68cd', 'selectedProfile' => '6383de63-8f85-4ed5-92b7-5401a1fa68cd',
'serverId' => uuid(), 'serverId' => uuid(),
]); ]);

View File

@ -24,20 +24,6 @@ class RefreshCest {
$this->assertSuccessResponse($I, $case[0]); $this->assertSuccessResponse($I, $case[0]);
} }
/**
* @example [true]
* @example [false]
*/
public function refreshLegacyAccessToken(AuthserverSteps $I, Example $case) {
$I->wantTo('refresh legacy accessToken');
$I->sendPOST('/api/authserver/authentication/refresh', [
'accessToken' => 'e7bb6648-2183-4981-9b86-eba5e7f87b42',
'clientToken' => '6f380440-0c05-47bd-b7c6-d011f1b5308f',
'requestUser' => $case[0],
]);
$this->assertSuccessResponse($I, $case[0]);
}
public function refreshWithInvalidClientToken(AuthserverSteps $I) { public function refreshWithInvalidClientToken(AuthserverSteps $I) {
$I->wantTo('refresh accessToken with not matched client token'); $I->wantTo('refresh accessToken with not matched client token');
[$accessToken] = $I->amAuthenticated(); [$accessToken] = $I->amAuthenticated();
@ -51,27 +37,11 @@ class RefreshCest {
]); ]);
} }
public function refreshLegacyAccessTokenWithInvalidClientToken(AuthserverSteps $I) { public function refreshExpiredToken(AuthserverSteps $I) {
$I->wantTo('refresh legacy accessToken with not matched client token');
$I->sendPOST('/api/authserver/authentication/refresh', [
'accessToken' => 'e7bb6648-2183-4981-9b86-eba5e7f87b42',
'clientToken' => Uuid::uuid4()->toString(),
]);
$I->canSeeResponseContainsJson([
'error' => 'ForbiddenOperationException',
'errorMessage' => 'Invalid token.',
]);
}
/**
* @example {"accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzU1NjE1MjgsImV4cCI6MTU3NTU2MTUyOCwiZWx5LXNjb3BlcyI6Im1pbmVjcmFmdF9zZXJ2ZXJfc2Vzc2lvbiIsImVseS1jbGllbnQtdG9rZW4iOiIydnByWnRVdk40VTVtSnZzc0ozaXNpekdVWFhQYnFsV1FsQjVVRWVfUV81bkxKYzlsbUJ3VU1hQWJ1MjBtZC1FNzNtengxNWFsZmRJSU1OMTV5YUpBalZOM29vQW9IRDctOWdOcmciLCJzdWIiOiJlbHl8MSJ9.vwjXzy0VtjJlP6B4RxqoE69yRSBsluZ29VELe4vDi8GCy487eC5cIf9hz9oxp5YcdE7uEJZeqX2yi3nk_0nCaA", "clientToken": "4f368b58-9097-4e56-80b1-f421ae4b53cf"}
* @example {"accessToken": "6042634a-a1e2-4aed-866c-c661fe4e63e2", "clientToken": "47fb164a-2332-42c1-8bad-549e67bb210c"}
*/
public function refreshExpiredToken(AuthserverSteps $I, Example $example) {
$I->wantTo('refresh legacy accessToken'); $I->wantTo('refresh legacy accessToken');
$I->sendPOST('/api/authserver/authentication/refresh', [ $I->sendPOST('/api/authserver/authentication/refresh', [
'accessToken' => $example['accessToken'], 'accessToken' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1NzU1NjE1MjgsImV4cCI6MTU3NTU2MTUyOCwiZWx5LXNjb3BlcyI6Im1pbmVjcmFmdF9zZXJ2ZXJfc2Vzc2lvbiIsImVseS1jbGllbnQtdG9rZW4iOiIydnByWnRVdk40VTVtSnZzc0ozaXNpekdVWFhQYnFsV1FsQjVVRWVfUV81bkxKYzlsbUJ3VU1hQWJ1MjBtZC1FNzNtengxNWFsZmRJSU1OMTV5YUpBalZOM29vQW9IRDctOWdOcmciLCJzdWIiOiJlbHl8MSJ9.vwjXzy0VtjJlP6B4RxqoE69yRSBsluZ29VELe4vDi8GCy487eC5cIf9hz9oxp5YcdE7uEJZeqX2yi3nk_0nCaA',
'clientToken' => $example['clientToken'], 'clientToken' => '4f368b58-9097-4e56-80b1-f421ae4b53cf',
]); ]);
$this->assertSuccessResponse($I, false); $this->assertSuccessResponse($I, false);
} }

View File

@ -18,15 +18,6 @@ class ValidateCest {
$I->canSeeResponseEquals(''); $I->canSeeResponseEquals('');
} }
public function validateLegacyToken(AuthserverSteps $I) {
$I->wantTo('validate my legacy accessToken');
$I->sendPOST('/api/authserver/authentication/validate', [
'accessToken' => 'e7bb6648-2183-4981-9b86-eba5e7f87b42',
]);
$I->seeResponseCodeIs(200);
$I->canSeeResponseEquals('');
}
public function wrongArguments(AuthserverSteps $I) { public function wrongArguments(AuthserverSteps $I) {
$I->wantTo('get error on wrong amount of arguments'); $I->wantTo('get error on wrong amount of arguments');
$I->sendPOST('/api/authserver/authentication/validate', [ $I->sendPOST('/api/authserver/authentication/validate', [
@ -66,23 +57,10 @@ class ValidateCest {
]); ]);
} }
public function expiredLegacyAccessToken(AuthserverSteps $I) {
$I->wantTo('get error on expired legacy accessToken');
$I->sendPOST('/api/authserver/authentication/validate', [
'accessToken' => '6042634a-a1e2-4aed-866c-c661fe4e63e2', // Already expired token from the fixtures
]);
$I->canSeeResponseCodeIs(401);
$I->canSeeResponseIsJson();
$I->canSeeResponseContainsJson([
'error' => 'ForbiddenOperationException',
'errorMessage' => 'Token expired.',
]);
}
public function credentialsFromBannedAccount(AuthserverSteps $I) { public function credentialsFromBannedAccount(AuthserverSteps $I) {
$I->wantTo('get error on expired legacy accessToken'); $I->wantTo('get error on expired legacy accessToken');
$I->sendPOST('/api/authserver/authentication/validate', [ $I->sendPOST('/api/authserver/authentication/validate', [
'accessToken' => '239ba889-7020-4383-8d99-cd8c8aab4a2f', 'accessToken' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1MTgzMzQ3NDMsImNsaWVudF9pZCI6ImVseSIsInNjb3BlIjoibWluZWNyYWZ0X3NlcnZlcl9zZXNzaW9uIiwic3ViIjoiZWx5fDE1In0.2qla7RzReBi2WtfgP3x8T6ZA0wn9HOrQo57xaZc2wMKPo1Zc49_o6w-5Ku1tbvzmESZfAxNQpfY4EwclEWjHYA',
]); ]);
$I->canSeeResponseCodeIs(401); $I->canSeeResponseCodeIs(401);
$I->canSeeResponseContainsJson([ $I->canSeeResponseContainsJson([

View File

@ -79,10 +79,10 @@ class JoinCest {
]); ]);
} }
public function joinWithExpiredToken(FunctionalTester $I) { public function joinWithExpiredToken(OauthSteps $I) {
$I->wantTo('join to some server with expired accessToken'); $I->wantTo('join to some server with expired accessToken');
$this->route->join([ $this->route->join([
'accessToken' => '6042634a-a1e2-4aed-866c-c661fe4e63e2', 'accessToken' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1MTgzMzQ3NDMsImV4cCI6MTUxODMzNDc5MCwiY2xpZW50X2lkIjoiZWx5Iiwic2NvcGUiOiJtaW5lY3JhZnRfc2VydmVyX3Nlc3Npb24iLCJzdWIiOiJlbHl8MSJ9.0mBXezB2p0eGuusZDklthR8xQLGo-v1qoP0GPdEPpYvckJMoHmlSqiW-2WwLlxGK0_J4KmYlp5vM4ynE14armw',
'selectedProfile' => 'df936908-b2e1-544d-96f8-2977ec213022', 'selectedProfile' => 'df936908-b2e1-544d-96f8-2977ec213022',
'serverId' => uuid(), 'serverId' => uuid(),
]); ]);
@ -137,9 +137,9 @@ class JoinCest {
]); ]);
} }
public function joinByAccountMarkedForDeletion(FunctionalTester $I) { public function joinByAccountMarkedForDeletion(AuthserverSteps $I) {
$this->route->join([ $this->route->join([
'accessToken' => '239ba889-7020-4383-8d99-cd8c8aab4a2f', 'accessToken' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpYXQiOjE1MTgzMzQ3NDMsImNsaWVudF9pZCI6ImVseSIsInNjb3BlIjoibWluZWNyYWZ0X3NlcnZlcl9zZXNzaW9uIiwic3ViIjoiZWx5fDE1In0.2qla7RzReBi2WtfgP3x8T6ZA0wn9HOrQo57xaZc2wMKPo1Zc49_o6w-5Ku1tbvzmESZfAxNQpfY4EwclEWjHYA',
'selectedProfile' => '6383de63-8f85-4ed5-92b7-5401a1fa68cd', 'selectedProfile' => '6383de63-8f85-4ed5-92b7-5401a1fa68cd',
'serverId' => uuid(), 'serverId' => uuid(),
]); ]);

View File

@ -12,7 +12,6 @@ use common\models\AccountSession;
use common\models\OauthClient; use common\models\OauthClient;
use common\tests\fixtures\AccountFixture; use common\tests\fixtures\AccountFixture;
use common\tests\fixtures\AccountSessionFixture; use common\tests\fixtures\AccountSessionFixture;
use common\tests\fixtures\MinecraftAccessKeyFixture;
use common\tests\fixtures\OauthClientFixture; use common\tests\fixtures\OauthClientFixture;
use common\tests\fixtures\OauthSessionFixture; use common\tests\fixtures\OauthSessionFixture;
use Lcobucci\JWT\Claim\Basic; use Lcobucci\JWT\Claim\Basic;
@ -34,7 +33,6 @@ class ComponentTest extends TestCase {
return [ return [
'accounts' => AccountFixture::class, 'accounts' => AccountFixture::class,
'sessions' => AccountSessionFixture::class, 'sessions' => AccountSessionFixture::class,
'minecraftSessions' => MinecraftAccessKeyFixture::class,
'oauthClients' => OauthClientFixture::class, 'oauthClients' => OauthClientFixture::class,
'oauthSessions' => OauthSessionFixture::class, 'oauthSessions' => OauthSessionFixture::class,
]; ];
@ -82,12 +80,10 @@ class ComponentTest extends TestCase {
// Dry run: no sessions should be removed // Dry run: no sessions should be removed
$component->terminateSessions($account, Component::KEEP_MINECRAFT_SESSIONS | Component::KEEP_SITE_SESSIONS); $component->terminateSessions($account, Component::KEEP_MINECRAFT_SESSIONS | Component::KEEP_SITE_SESSIONS);
$this->assertNotEmpty($account->getMinecraftAccessKeys()->all());
$this->assertNotEmpty($account->getSessions()->all()); $this->assertNotEmpty($account->getSessions()->all());
// All Minecraft sessions should be removed. Web sessions should be kept // All Minecraft sessions should be removed. Web sessions should be kept
$component->terminateSessions($account, Component::KEEP_SITE_SESSIONS); $component->terminateSessions($account, Component::KEEP_SITE_SESSIONS);
$this->assertEmpty($account->getMinecraftAccessKeys()->all());
$this->assertNotEmpty($account->getSessions()->all()); $this->assertNotEmpty($account->getSessions()->all());
$this->assertEqualsWithDelta(time(), $account->getOauthSessions()->andWhere(['client_id' => OauthClient::UNAUTHORIZED_MINECRAFT_GAME_LAUNCHER])->one()->revoked_at, 5); $this->assertEqualsWithDelta(time(), $account->getOauthSessions()->andWhere(['client_id' => OauthClient::UNAUTHORIZED_MINECRAFT_GAME_LAUNCHER])->one()->revoked_at, 5);
@ -100,7 +96,6 @@ class ComponentTest extends TestCase {
// With no arguments each and every session should be removed // With no arguments each and every session should be removed
$component->terminateSessions($account); $component->terminateSessions($account);
$this->assertEmpty($account->getSessions()->all()); $this->assertEmpty($account->getSessions()->all());
$this->assertEmpty($account->getMinecraftAccessKeys()->all());
} }
} }

View File

@ -46,7 +46,6 @@ use const common\LATEST_RULES_VERSION;
* @property-read OauthClient[] $oauthClients * @property-read OauthClient[] $oauthClients
* @property-read UsernameHistory[] $usernameHistory * @property-read UsernameHistory[] $usernameHistory
* @property-read AccountSession[] $sessions * @property-read AccountSession[] $sessions
* @property-read MinecraftAccessKey[] $minecraftAccessKeys
* *
* Behaviors: * Behaviors:
* @mixin TimestampBehavior * @mixin TimestampBehavior
@ -121,10 +120,6 @@ class Account extends ActiveRecord {
return $this->hasMany(AccountSession::class, ['account_id' => 'id']); return $this->hasMany(AccountSession::class, ['account_id' => 'id']);
} }
public function getMinecraftAccessKeys(): ActiveQuery {
return $this->hasMany(MinecraftAccessKey::class, ['account_id' => 'id']);
}
public function hasMojangUsernameCollision(): bool { public function hasMojangUsernameCollision(): bool {
return MojangUsername::find() return MojangUsername::find()
->andWhere(['username' => $this->username]) ->andWhere(['username' => $this->username])

View File

@ -1,63 +0,0 @@
<?php
namespace common\models;
use common\behaviors\PrimaryKeyValueBehavior;
use Ramsey\Uuid\Uuid;
use yii\behaviors\TimestampBehavior;
use yii\db\ActiveRecord;
/**
* This is a temporary class where all the logic of the authserver.ely.by service.
* Since the login and password were allowed there, and the format of storage of the issued tokens was different,
* we need to keep the legacy logic and structure under it for the period until we finally migrate.
*
* Fields:
* @property string $access_token
* @property string $client_token
* @property integer $account_id
* @property integer $created_at
* @property integer $updated_at
*
* Relations:
* @property Account $account
*
* Behaviors:
* @mixin TimestampBehavior
* @mixin PrimaryKeyValueBehavior
*
* @deprecated This table is no longer used to store authorization information in Minecraft.
* In time it will be empty (see the cleanup console command) and when it does, this model,
* the table in the database and everything related to the old logic can be removed.
*/
class MinecraftAccessKey extends ActiveRecord {
public const LIFETIME = 172800; // Ключ актуален в течение 2 дней
public static function tableName(): string {
return '{{%minecraft_access_keys}}';
}
public function behaviors(): array {
return [
[
'class' => TimestampBehavior::class,
],
[
'class' => PrimaryKeyValueBehavior::class,
'value' => function() {
return Uuid::uuid4()->toString();
},
],
];
}
public function getAccount(): AccountQuery {
/** @noinspection PhpIncompatibleReturnTypeInspection */
return $this->hasOne(Account::class, ['id' => 'account_id']);
}
public function isExpired(): bool {
return time() > $this->updated_at + self::LIFETIME;
}
}

View File

@ -47,11 +47,6 @@ final class ClearAccountSessions implements RetryableJobInterface {
$authSession->delete(); $authSession->delete();
} }
/** @var \common\models\MinecraftAccessKey $key */
foreach ($account->getMinecraftAccessKeys()->each(100, Yii::$app->unbufferedDb) as $key) {
$key->delete();
}
/** @var \common\models\OauthSession $oauthSession */ /** @var \common\models\OauthSession $oauthSession */
foreach ($account->getOauthSessions()->each(100, Yii::$app->unbufferedDb) as $oauthSession) { foreach ($account->getOauthSessions()->each(100, Yii::$app->unbufferedDb) as $oauthSession) {
$oauthSession->delete(); $oauthSession->delete();

View File

@ -56,7 +56,6 @@ class FixtureHelper extends Module {
'legacyOauthAccessTokens' => fixtures\LegacyOauthAccessTokenFixture::class, 'legacyOauthAccessTokens' => fixtures\LegacyOauthAccessTokenFixture::class,
'legacyOauthAccessTokensScopes' => fixtures\LegacyOauthAccessTokenScopeFixture::class, 'legacyOauthAccessTokensScopes' => fixtures\LegacyOauthAccessTokenScopeFixture::class,
'legacyOauthRefreshTokens' => fixtures\LegacyOauthRefreshTokenFixture::class, 'legacyOauthRefreshTokens' => fixtures\LegacyOauthRefreshTokenFixture::class,
'minecraftAccessKeys' => fixtures\MinecraftAccessKeyFixture::class,
]; ];
} }

View File

@ -1,17 +0,0 @@
<?php
namespace common\tests\fixtures;
use common\models\MinecraftAccessKey;
use yii\test\ActiveFixture;
class MinecraftAccessKeyFixture extends ActiveFixture {
public $modelClass = MinecraftAccessKey::class;
public $dataFile = '@root/common/tests/fixtures/data/minecraft-access-keys.php';
public $depends = [
AccountFixture::class,
];
}

View File

@ -1,31 +0,0 @@
<?php
return [
'admin-token' => [
'access_token' => 'e7bb6648-2183-4981-9b86-eba5e7f87b42',
'client_token' => '6f380440-0c05-47bd-b7c6-d011f1b5308f',
'account_id' => 1,
'created_at' => time() - 10,
'updated_at' => time() - 10,
],
'expired-token' => [
'access_token' => '6042634a-a1e2-4aed-866c-c661fe4e63e2',
'client_token' => '47fb164a-2332-42c1-8bad-549e67bb210c',
'account_id' => 1,
'created_at' => 1472423530,
'updated_at' => 1472423530,
],
'banned-token' => [
'access_token' => '918ecb41-616c-40ee-a7d2-0b0ef0d0d732',
'client_token' => '6042634a-a1e2-4aed-866c-c661fe4e63e2',
'account_id' => 10,
'created_at' => time() - 10,
'updated_at' => time() - 10,
],
'deleted-token' => [
'access_token' => '239ba889-7020-4383-8d99-cd8c8aab4a2f',
'client_token' => '47443658-4ff8-45e7-b33e-dc8915ab6421',
'account_id' => 15,
'created_at' => time() - 10,
'updated_at' => time() - 10,
],
];

View File

@ -17,7 +17,6 @@ class ClearAccountSessionsTest extends TestCase {
return [ return [
'accounts' => fixtures\AccountFixture::class, 'accounts' => fixtures\AccountFixture::class,
'oauthSessions' => fixtures\OauthSessionFixture::class, 'oauthSessions' => fixtures\OauthSessionFixture::class,
'minecraftAccessKeys' => fixtures\MinecraftAccessKeyFixture::class,
'authSessions' => fixtures\AccountSessionFixture::class, 'authSessions' => fixtures\AccountSessionFixture::class,
]; ];
} }
@ -28,7 +27,6 @@ class ClearAccountSessionsTest extends TestCase {
$task = new ClearAccountSessions($bannedAccount->id); $task = new ClearAccountSessions($bannedAccount->id);
$task->execute($this->createMock(Queue::class)); $task->execute($this->createMock(Queue::class));
$this->assertEmpty($bannedAccount->sessions); $this->assertEmpty($bannedAccount->sessions);
$this->assertEmpty($bannedAccount->minecraftAccessKeys);
$this->assertEmpty($bannedAccount->oauthSessions); $this->assertEmpty($bannedAccount->oauthSessions);
} }

View File

@ -19,7 +19,6 @@ class DeleteAccountTest extends TestCase {
'accounts' => fixtures\AccountFixture::class, 'accounts' => fixtures\AccountFixture::class,
'authSessions' => fixtures\AccountSessionFixture::class, 'authSessions' => fixtures\AccountSessionFixture::class,
'emailActivations' => fixtures\EmailActivationFixture::class, 'emailActivations' => fixtures\EmailActivationFixture::class,
'minecraftAccessKeys' => fixtures\MinecraftAccessKeyFixture::class,
'usernamesHistory' => fixtures\UsernameHistoryFixture::class, 'usernamesHistory' => fixtures\UsernameHistoryFixture::class,
'oauthClients' => fixtures\OauthClientFixture::class, 'oauthClients' => fixtures\OauthClientFixture::class,
'oauthSessions' => fixtures\OauthSessionFixture::class, 'oauthSessions' => fixtures\OauthSessionFixture::class,
@ -37,7 +36,6 @@ class DeleteAccountTest extends TestCase {
$task->execute($this->createMock(Queue::class)); $task->execute($this->createMock(Queue::class));
$this->assertEmpty($account->emailActivations); $this->assertEmpty($account->emailActivations);
$this->assertEmpty($account->sessions); $this->assertEmpty($account->sessions);
$this->assertEmpty($account->minecraftAccessKeys);
$this->assertEmpty($account->oauthSessions); $this->assertEmpty($account->oauthSessions);
$this->assertEmpty($account->usernameHistory); $this->assertEmpty($account->usernameHistory);
$this->assertEmpty($account->oauthClients); $this->assertEmpty($account->oauthClients);
@ -57,7 +55,6 @@ class DeleteAccountTest extends TestCase {
$task->execute($this->createMock(Queue::class)); $task->execute($this->createMock(Queue::class));
$this->assertNotEmpty($account->emailActivations); $this->assertNotEmpty($account->emailActivations);
$this->assertNotEmpty($account->sessions); $this->assertNotEmpty($account->sessions);
$this->assertNotEmpty($account->minecraftAccessKeys);
$this->assertNotEmpty($account->oauthSessions); $this->assertNotEmpty($account->oauthSessions);
$this->assertNotEmpty($account->usernameHistory); $this->assertNotEmpty($account->usernameHistory);
$this->assertNotEmpty($account->oauthClients); $this->assertNotEmpty($account->oauthClients);
@ -80,7 +77,6 @@ class DeleteAccountTest extends TestCase {
$task->execute($this->createMock(Queue::class)); $task->execute($this->createMock(Queue::class));
$this->assertNotEmpty($account->emailActivations); $this->assertNotEmpty($account->emailActivations);
$this->assertNotEmpty($account->sessions); $this->assertNotEmpty($account->sessions);
$this->assertNotEmpty($account->minecraftAccessKeys);
$this->assertNotEmpty($account->oauthSessions); $this->assertNotEmpty($account->oauthSessions);
$this->assertNotEmpty($account->usernameHistory); $this->assertNotEmpty($account->usernameHistory);
$this->assertNotEmpty($account->oauthClients); $this->assertNotEmpty($account->oauthClients);

View File

@ -1,10 +1,8 @@
<?php <?php
namespace console\controllers; namespace console\controllers;
use Carbon\Carbon;
use common\models\AccountSession; use common\models\AccountSession;
use common\models\EmailActivation; use common\models\EmailActivation;
use common\models\MinecraftAccessKey;
use common\models\OauthClient; use common\models\OauthClient;
use common\tasks\ClearOauthSessions; use common\tasks\ClearOauthSessions;
use Yii; use Yii;
@ -31,18 +29,6 @@ class CleanupController extends Controller {
return ExitCode::OK; return ExitCode::OK;
} }
public function actionMinecraftSessions(): int {
$expiredMinecraftSessionsQuery = MinecraftAccessKey::find()
->andWhere(['<', 'updated_at', Carbon::now()->subMonths(3)->getTimestamp()]);
foreach ($expiredMinecraftSessionsQuery->each(100, Yii::$app->unbufferedDb) as $minecraftSession) {
/** @var MinecraftAccessKey $minecraftSession */
$minecraftSession->delete();
}
return ExitCode::OK;
}
/** /**
* Sessions that have not been refreshed for 90 days and those * Sessions that have not been refreshed for 90 days and those
* that have not been refreshed since they were issued more than 2 weeks ago * that have not been refreshed since they were issued more than 2 weeks ago

View File

@ -0,0 +1,24 @@
<?php
declare(strict_types=1);
use console\db\Migration;
class m240614_024554_drop_minecraft_access_keys_table extends Migration {
public function safeUp() {
$this->dropTable('minecraft_access_keys');
}
public function safeDown() {
$this->createTable('minecraft_access_keys', [
'access_token' => $this->string(36)->notNull(),
'client_token' => $this->string()->notNull(),
'account_id' => $this->db->getTableSchema('accounts')->getColumn('id')->dbType . ' NOT NULL',
'created_at' => $this->integer()->unsigned()->notNull(),
'updated_at' => $this->integer()->unsigned()->notNull(),
$this->primary('access_token'),
]);
$this->addForeignKey('FK_minecraft_access_token_to_account', 'minecraft_access_keys', 'account_id', 'accounts', 'id', 'CASCADE', 'CASCADE');
}
}

View File

@ -5,7 +5,6 @@ namespace console\tests\unit\controllers;
use common\models\AccountSession; use common\models\AccountSession;
use common\models\EmailActivation; use common\models\EmailActivation;
use common\models\MinecraftAccessKey;
use common\models\OauthClient; use common\models\OauthClient;
use common\tasks\ClearOauthSessions; use common\tasks\ClearOauthSessions;
use common\tests\fixtures; use common\tests\fixtures;
@ -18,7 +17,6 @@ class CleanupControllerTest extends TestCase {
public function _fixtures(): array { public function _fixtures(): array {
return [ return [
'emailActivations' => fixtures\EmailActivationFixture::class, 'emailActivations' => fixtures\EmailActivationFixture::class,
'minecraftSessions' => fixtures\MinecraftAccessKeyFixture::class,
'accountsSessions' => fixtures\AccountSessionFixture::class, 'accountsSessions' => fixtures\AccountSessionFixture::class,
'oauthClients' => fixtures\OauthClientFixture::class, 'oauthClients' => fixtures\OauthClientFixture::class,
'oauthSessions' => fixtures\OauthSessionFixture::class, 'oauthSessions' => fixtures\OauthSessionFixture::class,
@ -35,16 +33,6 @@ class CleanupControllerTest extends TestCase {
$this->tester->cantSeeRecord(EmailActivation::class, ['key' => $expiredConfirmation->key]); $this->tester->cantSeeRecord(EmailActivation::class, ['key' => $expiredConfirmation->key]);
} }
public function testActionMinecraftSessions() {
/** @var MinecraftAccessKey $expiredSession */
$expiredSession = $this->tester->grabFixture('minecraftSessions', 'expired-token');
$controller = new CleanupController('cleanup', Yii::$app);
$this->assertSame(0, $controller->actionMinecraftSessions());
$this->tester->cantSeeRecord(MinecraftAccessKey::class, ['access_token' => $expiredSession->access_token]);
}
public function testActionWebSessions() { public function testActionWebSessions() {
/** @var AccountSession $expiredSession */ /** @var AccountSession $expiredSession */
$expiredSession = $this->tester->grabFixture('accountsSessions', 'very-expired-session'); $expiredSession = $this->tester->grabFixture('accountsSessions', 'very-expired-session');

View File

@ -1,5 +1,4 @@
# https://crontab.guru/every-day # https://crontab.guru/every-day
0 0 * * * php /var/www/html/yii cleanup/email-keys >/dev/null 2>&1 0 0 * * * php /var/www/html/yii cleanup/email-keys >/dev/null 2>&1
0 1 * * * php /var/www/html/yii cleanup/minecraft-sessions >/dev/null 2>&1
0 2 * * * php /var/www/html/yii cleanup/web-sessions >/dev/null 2>&1 0 2 * * * php /var/www/html/yii cleanup/web-sessions >/dev/null 2>&1
0 3 * * * php /var/www/html/yii cleanup/oauth-clients >/dev/null 2>&1 0 3 * * * php /var/www/html/yii cleanup/oauth-clients >/dev/null 2>&1