Replace separate minecraft access tokens with JWT

2025-05-31 14:11:46 +05:30 · 2019-12-04 21:10:15 +03:00
parent 060a4e960a
commit a81ef5cac2
34 changed files with 432 additions and 303 deletions
--- a/api/modules/authserver/validators/AccessTokenValidator.php
+++ b/api/modules/authserver/validators/AccessTokenValidator.php
@@ -0,0 +1,69 @@
+<?php
+declare(strict_types=1);
+
+namespace api\modules\authserver\validators;
+
+use api\modules\authserver\exceptions\ForbiddenOperationException;
+use Carbon\Carbon;
+use common\models\MinecraftAccessKey;
+use Exception;
+use Lcobucci\JWT\ValidationData;
+use Yii;
+use yii\validators\Validator;
+
+class AccessTokenValidator extends Validator {
+
+    /**
+     * @var bool
+     */
+    public $verifyExpiration = true;
+
+    /**
+     * @param string $value
+     *
+     * @return array|null
+     * @throws ForbiddenOperationException
+     */
+    protected function validateValue($value): ?array {
+        if (mb_strlen($value) === 36) {
+            return $this->validateLegacyToken($value);
+        }
+
+        try {
+            $token = Yii::$app->tokens->parse($value);
+        } catch (Exception $e) {
+            throw new ForbiddenOperationException('Invalid token.');
+        }
+
+        if (!Yii::$app->tokens->verify($token)) {
+            throw new ForbiddenOperationException('Invalid token.');
+        }
+
+        if ($this->verifyExpiration && !$token->validate(new ValidationData(Carbon::now()->getTimestamp()))) {
+            throw new ForbiddenOperationException('Token expired.');
+        }
+
+        return null;
+    }
+
+    /**
+     * @param string $value
+     *
+     * @return array|null
+     * @throws ForbiddenOperationException
+     */
+    private function validateLegacyToken(string $value): ?array {
+        /** @var MinecraftAccessKey|null $result */
+        $result = MinecraftAccessKey::findOne(['access_token' => $value]);
+        if ($result === null) {
+            throw new ForbiddenOperationException('Invalid token.');
+        }
+
+        if ($this->verifyExpiration && $result->isExpired()) {
+            throw new ForbiddenOperationException('Token expired.');
+        }
+
+        return null;
+    }
+
+}
--- a/api/modules/authserver/validators/ClientTokenValidator.php
+++ b/api/modules/authserver/validators/ClientTokenValidator.php
@@ -1,20 +1,23 @@
 <?php
+declare(strict_types=1);
+
 namespace api\modules\authserver\validators;

 use api\modules\authserver\exceptions\IllegalArgumentException;
+use yii\validators\Validator;

 /**
 * The maximum length of clientToken for our database is 255.
 * If the token is longer, we do not accept the passed token at all.
 */
-class ClientTokenValidator extends \yii\validators\RequiredValidator {
+class ClientTokenValidator extends Validator {

    /**
     * @param string $value
     * @return null
     * @throws \api\modules\authserver\exceptions\AuthserverException
     */
-    protected function validateValue($value) {
+    protected function validateValue($value): ?array {
        if (mb_strlen($value) > 255) {
            throw new IllegalArgumentException('clientToken is too long.');
        }
--- a/api/modules/authserver/validators/RequiredValidator.php
+++ b/api/modules/authserver/validators/RequiredValidator.php
@@ -1,4 +1,6 @@
 <?php
+declare(strict_types=1);
+
 namespace api\modules\authserver\validators;

 use api\modules\authserver\exceptions\IllegalArgumentException;
@@ -14,7 +16,7 @@ class RequiredValidator extends \yii\validators\RequiredValidator {
     * @return null
     * @throws \api\modules\authserver\exceptions\AuthserverException
     */
-    protected function validateValue($value) {
+    protected function validateValue($value): ?array {
        if (parent::validateValue($value) !== null) {
            throw new IllegalArgumentException();
        }