Prevent token use across different API types

Refresh.GameServer/Authentication/GameAuthenticationProvider.cs

@@ -5,6 +5,7 @@
 using Bunkum.Core.Authentication;
 using Bunkum.Core.Database;
 using Refresh.GameServer.Configuration;
+using Refresh.GameServer.Endpoints;
 using Refresh.GameServer.Types.Roles;
 
 namespace Refresh.GameServer.Authentication;
@@ -31,6 +32,17 @@ public GameAuthenticationProvider(GameServerConfig? config)
             tokenData = request.RequestHeaders["Authorization"];
         }
 
+        // ReSharper disable once SwitchExpressionHandlesSomeKnownEnumValuesWithExceptionInDefault
+        string validBaseRoute = tokenType switch
+        {
+            TokenType.Game => GameEndpointAttribute.BaseRoute,
+            TokenType.Api => ApiV3EndpointAttribute.BaseRoute,
+            _ => throw new ArgumentOutOfRangeException(),
+        };
+
+        if (!request.Uri.AbsolutePath.StartsWith(validBaseRoute))
+            return null;
+
         // if still null we dont have a token so bail 
         if (tokenData == null) return null;
 

RefreshTests.GameServer/Tests/Authentication/TokenAbuseTests.cs

@@ -0,0 +1,39 @@
+using Refresh.GameServer.Authentication;
+using Refresh.GameServer.Types.UserData;
+
+namespace RefreshTests.GameServer.Tests.Authentication;
+
+public class TokenAbuseTests : GameServerTest
+{
+    [Test]
+    public void CantUseGameTokenOnApi()
+    {
+        using TestContext context = this.GetServer();
+        GameUser user = context.CreateUser();
+
+        using HttpClient gameClient = context.GetAuthenticatedClient(TokenType.Game, user);
+        using HttpClient apiClient = context.GetAuthenticatedClient(TokenType.Api, user);
+
+        HttpResponseMessage request = gameClient.GetAsync("/api/v3/users/me").Result;
+        Assert.That(request.StatusCode, Is.EqualTo(Forbidden));
+
+        request = apiClient.GetAsync("/api/v3/users/me").Result;
+        Assert.That(request.StatusCode, Is.EqualTo(OK));
+    }
+
+    [Test]
+    public void CantUseApiTokenOnGame()
+    {
+        using TestContext context = this.GetServer();
+        GameUser user = context.CreateUser();
+
+        using HttpClient gameClient = context.GetAuthenticatedClient(TokenType.Game, user);
+        using HttpClient apiClient = context.GetAuthenticatedClient(TokenType.Api, user);
+
+        HttpResponseMessage request = apiClient.GetAsync("/lbp/eula").Result;
+        Assert.That(request.StatusCode, Is.EqualTo(Forbidden));
+
+        request = gameClient.GetAsync("/lbp/eula").Result;
+        Assert.That(request.StatusCode, Is.EqualTo(OK));
+    }
+}

RefreshTests.GameServer/Tests/Levels/LevelListOverrideTests.cs

@@ -42,6 +42,7 @@ public void CanGetOverriddenLevels()
         GameLevel level = context.CreateLevel(user, "dingus 2B47430C-70F1-4A21-A1D0-EC3011A62239");
 
         using HttpClient client = context.GetAuthenticatedClient(TokenType.Game, user);
+        using HttpClient apiClient = context.GetAuthenticatedClient(TokenType.Api, user);
 
         // Verify that the endpoint isn't already attempting to return anything
         // This can be any endpoint that doesnt return all levels but I chose mmpicks
@@ -55,7 +56,7 @@ public void CanGetOverriddenLevels()
         Assert.That(overrideService.UserHasOverrides(user), Is.False);
 
         //Set a level as the override
-        message = client.PostAsync($"/api/v3/levels/id/{level.LevelId}/setAsOverride", new ByteArrayContent(Array.Empty<byte>())).Result;
+        message = apiClient.PostAsync($"/api/v3/levels/id/{level.LevelId}/setAsOverride", new ByteArrayContent(Array.Empty<byte>())).Result;
         Assert.That(message.StatusCode, Is.EqualTo(OK));
 
         context.Database.Refresh();