diff --git a/Refresh.GameServer/Authentication/GameAuthenticationProvider.cs b/Refresh.GameServer/Authentication/GameAuthenticationProvider.cs
index e0858ea7..8b4126ec 100644
--- a/Refresh.GameServer/Authentication/GameAuthenticationProvider.cs
+++ b/Refresh.GameServer/Authentication/GameAuthenticationProvider.cs
@@ -5,6 +5,7 @@
 using Bunkum.Core.Authentication;
 using Bunkum.Core.Database;
 using Refresh.GameServer.Configuration;
+using Refresh.GameServer.Endpoints;
 using Refresh.GameServer.Types.Roles;
 
 namespace Refresh.GameServer.Authentication;
@@ -31,6 +32,17 @@ public GameAuthenticationProvider(GameServerConfig? config)
 tokenData = request.RequestHeaders["Authorization"];
 }
 
+ // ReSharper disable once SwitchExpressionHandlesSomeKnownEnumValuesWithExceptionInDefault
+ string validBaseRoute = tokenType switch
+ {
+ TokenType.Game => GameEndpointAttribute.BaseRoute,
+ TokenType.Api => ApiV3EndpointAttribute.BaseRoute,
+ _ => throw new ArgumentOutOfRangeException(),
+ };
+
+ if (!request.Uri.AbsolutePath.StartsWith(validBaseRoute))
+ return null;
+
 // if still null we dont have a token so bail
 if (tokenData == null) return null;
 
diff --git a/RefreshTests.GameServer/Tests/Authentication/TokenAbuseTests.cs b/RefreshTests.GameServer/Tests/Authentication/TokenAbuseTests.cs
new file mode 100644
index 00000000..7795f6f0
--- /dev/null
+++ b/RefreshTests.GameServer/Tests/Authentication/TokenAbuseTests.cs
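Review bot: The route prefix check at `request.Uri.AbsolutePath.StartsWith(validBaseRoute)` uses the culture-sensitive overload, so an authentication decision depends on the current culture; pass `StringComparison.Ordinal` since this is a machine route, i.e. `if (!request.Uri.AbsolutePath.StartsWith(validBaseRoute, StringComparison.Ordinal))`. A bare prefix match also accepts any path that merely begins with the base route text, so unless both `BaseRoute` constants end with a separator (not visible here) a sibling route sharing that prefix would pass the check — either assert that about the constants or match on the segment boundary. The default arm's `throw new ArgumentOutOfRangeException()` carries no parameter name; `_ => throw new ArgumentOutOfRangeException(nameof(tokenType), tokenType, null)` is the conventional form. A comment stating the intent would help the next reader, e.g. `// A token is only valid for the surface it was issued for; reject cross-surface use before looking the token up.` The enclosing method starts and ends outside the hunk.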
@@ -0,0 +1,39 @@
+using Refresh.GameServer.Authentication;
+using Refresh.GameServer.Types.UserData;
+
+namespace RefreshTests.GameServer.Tests.Authentication;
+
+public class TokenAbuseTests : GameServerTest
+{
+ [Test]
+ public void CantUseGameTokenOnApi()
+ {
+ using TestContext context = this.GetServer();
+ GameUser user = context.CreateUser();
+
+ using HttpClient gameClient = context.GetAuthenticatedClient(TokenType.Game, user);
+ using HttpClient apiClient = context.GetAuthenticatedClient(TokenType.Api, user);
+
+ HttpResponseMessage request = gameClient.GetAsync("/api/v3/users/me").Result;
+ Assert.That(request.StatusCode, Is.EqualTo(Forbidden));
+
+ request = apiClient.GetAsync("/api/v3/users/me").Result;
+ Assert.That(request.StatusCode, Is.EqualTo(OK));
+ }
+
+ [Test]
+ public void CantUseApiTokenOnGame()
+ {
+ using TestContext context = this.GetServer();
+ GameUser user = context.CreateUser();
+
+ using HttpClient gameClient = context.GetAuthenticatedClient(TokenType.Game, user);
+ using HttpClient apiClient = context.GetAuthenticatedClient(TokenType.Api, user);
+
+ HttpResponseMessage request = apiClient.GetAsync("/lbp/eula").Result;
+ Assert.That(request.StatusCode, Is.EqualTo(Forbidden));
+
+ request = gameClient.GetAsync("/lbp/eula").Result;
+ Assert.That(request.StatusCode, Is.EqualTo(OK));
+ }
+}
\ No newline at end of file
diff --git a/RefreshTests.GameServer/Tests/Levels/LevelListOverrideTests.cs b/RefreshTests.GameServer/Tests/Levels/LevelListOverrideTests.cs
index f4c69096..6ff06195 100644
--- a/RefreshTests.GameServer/Tests/Levels/LevelListOverrideTests.cs
+++ b/RefreshTests.GameServer/Tests/Levels/LevelListOverrideTests.cs
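Review bot: The `Forbidden` assertions pin a status the provider change itself never produces — the new check in GameAuthenticationProvider returns `null` for a cross-surface token, so the 403 presumably comes from the endpoint's authentication requirement in the framework; a comment above the first assertion would record that dependency, e.g. `// the provider returns null for a token of the wrong type; the endpoint's auth requirement then yields 403`. Both tests block on `.Result`, which matches the existing style in LevelListOverrideTests, but an `async Task` test body with `await` would avoid sync-over-async. A class-level `/// <summary>` stating that a token issued for one surface (game or API) must not authenticate requests to the other would also make the test's purpose findable. The file lacks a trailing newline.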
@@ -42,6 +42,7 @@ public void CanGetOverriddenLevels()
 GameLevel level = context.CreateLevel(user, "dingus 2B47430C-70F1-4A21-A1D0-EC3011A62239");
 
 using HttpClient client = context.GetAuthenticatedClient(TokenType.Game, user);
+ using HttpClient apiClient = context.GetAuthenticatedClient(TokenType.Api, user);
 
 // Verify that the endpoint isn't already attempting to return anything
 // This can be any endpoint that doesnt return all levels but I chose mmpicks
@@ -55,7 +56,7 @@ public void CanGetOverriddenLevels()
 Assert.That(overrideService.UserHasOverrides(user), Is.False);
 
 //Set a level as the override
- message = client.PostAsync($"/api/v3/levels/id/{level.LevelId}/setAsOverride", new ByteArrayContent(Array.Empty())).Result;
+ message = apiClient.PostAsync($"/api/v3/levels/id/{level.LevelId}/setAsOverride", new ByteArrayContent(Array.Empty())).Result;
 Assert.That(message.StatusCode, Is.EqualTo(OK));
 
 context.Database.Refresh();