mirror of
https://github.com/Walter-Sparrow/lunar-tear.git
synced 2026-07-02 05:43:41 +03:00
Add --no-register flag and register-account CLI
Build and Push Docker images to Docker Hub / build-and-push (push) Has been cancelled
Build and Push Docker images to Docker Hub / build-and-push (push) Has been cancelled
Author: https://github.com/REUSS-dev
This commit is contained in:
@@ -7,6 +7,7 @@ import (
|
||||
"fmt"
|
||||
"html/template"
|
||||
"log"
|
||||
"lunar-tear/server/internal/auth"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strconv"
|
||||
@@ -39,12 +40,13 @@ var oauthRedirectTmpl = template.Must(template.New("oauthRedirect").Parse(
|
||||
`))
|
||||
|
||||
type Handlers struct {
|
||||
store *AuthStore
|
||||
tok *TokenService
|
||||
store *auth.AuthStore
|
||||
tok *auth.TokenService
|
||||
noRegister bool
|
||||
}
|
||||
|
||||
func NewHandlers(store *AuthStore, tok *TokenService) *Handlers {
|
||||
return &Handlers{store: store, tok: tok}
|
||||
func NewHandlers(store *auth.AuthStore, tok *auth.TokenService, noRegister bool) *Handlers {
|
||||
return &Handlers{store: store, tok: tok, noRegister: noRegister}
|
||||
}
|
||||
|
||||
type loginPageData struct {
|
||||
@@ -139,13 +141,18 @@ func (h *Handlers) oauthPost(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
var user AuthUser
|
||||
var user auth.AuthUser
|
||||
var err error
|
||||
|
||||
switch action {
|
||||
case "register":
|
||||
if h.noRegister {
|
||||
renderErr("This server does not accept user registrations.")
|
||||
return
|
||||
}
|
||||
|
||||
user, err = h.store.CreateUser(username, password)
|
||||
if err == ErrUserExists {
|
||||
if err == auth.ErrUserExists {
|
||||
renderErr("Username is already taken.")
|
||||
return
|
||||
}
|
||||
@@ -158,7 +165,7 @@ func (h *Handlers) oauthPost(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
case "login":
|
||||
user, err = h.store.VerifyUser(username, password)
|
||||
if err == ErrInvalidCreds {
|
||||
if err == auth.ErrInvalidCreds {
|
||||
renderErr("Invalid username or password.")
|
||||
return
|
||||
}
|
||||
@@ -187,7 +194,7 @@ func (h *Handlers) oauthPost(w http.ResponseWriter, r *http.Request) {
|
||||
fragment := url.Values{}
|
||||
fragment.Set("access_token", token)
|
||||
fragment.Set("token_type", "bearer")
|
||||
fragment.Set("expires_in", strconv.FormatInt(int64(tokenTTL.Seconds()), 10))
|
||||
fragment.Set("expires_in", strconv.FormatInt(int64(auth.TokenTTL.Seconds()), 10))
|
||||
fragment.Set("signed_request", "0."+b64)
|
||||
// iOS FBSDKLoginManager treats an empty granted_scopes set as a cancelled login
|
||||
// (LoginManager.swift -> getSuccessResult -> getCancelledResult). Echo back the
|
||||
|
||||
@@ -8,6 +8,8 @@ import (
|
||||
"log"
|
||||
"net/http"
|
||||
|
||||
"lunar-tear/server/internal/auth"
|
||||
|
||||
_ "modernc.org/sqlite"
|
||||
)
|
||||
|
||||
@@ -15,6 +17,7 @@ func main() {
|
||||
listen := flag.String("listen", "0.0.0.0:3000", "HTTP listen address (host:port)")
|
||||
dbPath := flag.String("db", "db/auth.db", "SQLite database path for auth users")
|
||||
secret := flag.String("secret", "", "HMAC secret for tokens (auto-generated if empty)")
|
||||
noRegister := flag.Bool("no-register", false, "Disallow new account registrations for clients, when present. Default = false")
|
||||
flag.Parse()
|
||||
|
||||
hmacSecret := []byte(*secret)
|
||||
@@ -33,13 +36,13 @@ func main() {
|
||||
}
|
||||
defer db.Close()
|
||||
|
||||
store, err := NewAuthStore(db)
|
||||
store, err := auth.NewAuthStore(db)
|
||||
if err != nil {
|
||||
log.Fatalf("init auth store: %v", err)
|
||||
}
|
||||
|
||||
tok := NewTokenService(hmacSecret)
|
||||
h := NewHandlers(store, tok)
|
||||
tok := auth.NewTokenService(hmacSecret)
|
||||
h := NewHandlers(store, tok, *noRegister)
|
||||
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc("/", h.HandleOAuth)
|
||||
|
||||
@@ -1,103 +0,0 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"database/sql"
|
||||
"errors"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
)
|
||||
|
||||
var (
|
||||
ErrUserExists = errors.New("username already taken")
|
||||
ErrInvalidCreds = errors.New("invalid username or password")
|
||||
)
|
||||
|
||||
type AuthUser struct {
|
||||
ID int64
|
||||
Username string
|
||||
}
|
||||
|
||||
type AuthStore struct {
|
||||
db *sql.DB
|
||||
}
|
||||
|
||||
func NewAuthStore(db *sql.DB) (*AuthStore, error) {
|
||||
_, err := db.Exec(`
|
||||
CREATE TABLE IF NOT EXISTS auth_users (
|
||||
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||
username TEXT NOT NULL UNIQUE,
|
||||
password BLOB NOT NULL,
|
||||
created_at TEXT NOT NULL
|
||||
)
|
||||
`)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("create auth_users table: %w", err)
|
||||
}
|
||||
return &AuthStore{db: db}, nil
|
||||
}
|
||||
|
||||
func (s *AuthStore) CreateUser(username, password string) (AuthUser, error) {
|
||||
hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
|
||||
if err != nil {
|
||||
return AuthUser{}, fmt.Errorf("hash password: %w", err)
|
||||
}
|
||||
|
||||
res, err := s.db.Exec(
|
||||
`INSERT INTO auth_users (username, password, created_at) VALUES (?, ?, ?)`,
|
||||
username, hash, time.Now().UTC().Format(time.RFC3339),
|
||||
)
|
||||
if err != nil {
|
||||
if isUniqueViolation(err) {
|
||||
return AuthUser{}, ErrUserExists
|
||||
}
|
||||
return AuthUser{}, fmt.Errorf("insert user: %w", err)
|
||||
}
|
||||
|
||||
id, _ := res.LastInsertId()
|
||||
return AuthUser{ID: id, Username: username}, nil
|
||||
}
|
||||
|
||||
func (s *AuthStore) VerifyUser(username, password string) (AuthUser, error) {
|
||||
var id int64
|
||||
var hash []byte
|
||||
err := s.db.QueryRow(
|
||||
`SELECT id, password FROM auth_users WHERE username = ?`, username,
|
||||
).Scan(&id, &hash)
|
||||
if err != nil {
|
||||
return AuthUser{}, ErrInvalidCreds
|
||||
}
|
||||
|
||||
if err := bcrypt.CompareHashAndPassword(hash, []byte(password)); err != nil {
|
||||
return AuthUser{}, ErrInvalidCreds
|
||||
}
|
||||
|
||||
return AuthUser{ID: id, Username: username}, nil
|
||||
}
|
||||
|
||||
func (s *AuthStore) UserExists(username string) bool {
|
||||
var n int
|
||||
err := s.db.QueryRow(`SELECT 1 FROM auth_users WHERE username = ?`, username).Scan(&n)
|
||||
return err == nil
|
||||
}
|
||||
|
||||
func isUniqueViolation(err error) bool {
|
||||
return err != nil && (errors.Is(err, sql.ErrNoRows) ||
|
||||
// modernc.org/sqlite returns error strings containing "UNIQUE constraint failed"
|
||||
fmt.Sprintf("%v", err) == fmt.Sprintf("%v", err) &&
|
||||
contains(err.Error(), "UNIQUE constraint failed"))
|
||||
}
|
||||
|
||||
func contains(s, substr string) bool {
|
||||
return len(s) >= len(substr) && searchStr(s, substr)
|
||||
}
|
||||
|
||||
func searchStr(s, sub string) bool {
|
||||
for i := 0; i <= len(s)-len(sub); i++ {
|
||||
if s[i:i+len(sub)] == sub {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
@@ -1,102 +0,0 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto/hmac"
|
||||
"crypto/sha256"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"time"
|
||||
)
|
||||
|
||||
const tokenTTL = 24 * time.Hour
|
||||
|
||||
var (
|
||||
ErrTokenInvalid = errors.New("invalid token")
|
||||
ErrTokenExpired = errors.New("token expired")
|
||||
)
|
||||
|
||||
type TokenClaims struct {
|
||||
Sub int64 `json:"sub"`
|
||||
Name string `json:"name"`
|
||||
Iat int64 `json:"iat"`
|
||||
Exp int64 `json:"exp"`
|
||||
}
|
||||
|
||||
type TokenService struct {
|
||||
secret []byte
|
||||
}
|
||||
|
||||
func NewTokenService(secret []byte) *TokenService {
|
||||
return &TokenService{secret: secret}
|
||||
}
|
||||
|
||||
func (t *TokenService) Generate(user AuthUser) (string, error) {
|
||||
now := time.Now().Unix()
|
||||
claims := TokenClaims{
|
||||
Sub: user.ID,
|
||||
Name: user.Username,
|
||||
Iat: now,
|
||||
Exp: now + int64(tokenTTL.Seconds()),
|
||||
}
|
||||
|
||||
payload, err := json.Marshal(claims)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("marshal claims: %w", err)
|
||||
}
|
||||
|
||||
enc := base64.RawURLEncoding
|
||||
payloadB64 := enc.EncodeToString(payload)
|
||||
|
||||
mac := hmac.New(sha256.New, t.secret)
|
||||
mac.Write(payload)
|
||||
sig := enc.EncodeToString(mac.Sum(nil))
|
||||
|
||||
return payloadB64 + "." + sig, nil
|
||||
}
|
||||
|
||||
func (t *TokenService) Validate(token string) (TokenClaims, error) {
|
||||
dot := -1
|
||||
for i := range token {
|
||||
if token[i] == '.' {
|
||||
dot = i
|
||||
break
|
||||
}
|
||||
}
|
||||
if dot < 0 {
|
||||
return TokenClaims{}, ErrTokenInvalid
|
||||
}
|
||||
|
||||
payloadB64 := token[:dot]
|
||||
sigB64 := token[dot+1:]
|
||||
|
||||
enc := base64.RawURLEncoding
|
||||
|
||||
payload, err := enc.DecodeString(payloadB64)
|
||||
if err != nil {
|
||||
return TokenClaims{}, ErrTokenInvalid
|
||||
}
|
||||
|
||||
sig, err := enc.DecodeString(sigB64)
|
||||
if err != nil {
|
||||
return TokenClaims{}, ErrTokenInvalid
|
||||
}
|
||||
|
||||
mac := hmac.New(sha256.New, t.secret)
|
||||
mac.Write(payload)
|
||||
if !hmac.Equal(mac.Sum(nil), sig) {
|
||||
return TokenClaims{}, ErrTokenInvalid
|
||||
}
|
||||
|
||||
var claims TokenClaims
|
||||
if err := json.Unmarshal(payload, &claims); err != nil {
|
||||
return TokenClaims{}, ErrTokenInvalid
|
||||
}
|
||||
|
||||
if time.Now().Unix() > claims.Exp {
|
||||
return TokenClaims{}, ErrTokenExpired
|
||||
}
|
||||
|
||||
return claims, nil
|
||||
}
|
||||
+18
-2
@@ -97,7 +97,12 @@ func main() {
|
||||
// (the listener still only binds if LUNAR_ADMIN_TOKEN is set in the env).
|
||||
adminListen := flag.String("admin.listen", "", "lunar-tear admin webhook listen address (host:port). Empty = leave default; webhook only binds when LUNAR_ADMIN_TOKEN is set in the env.")
|
||||
|
||||
// Controlled server access
|
||||
noRegister := flag.Bool("no-register", false, "Disallow new account registrations for clients, when present. Default = false")
|
||||
|
||||
// dev utility output config
|
||||
noColor := flag.Bool("no-color", false, "disable colored output")
|
||||
|
||||
flag.Parse()
|
||||
|
||||
if *grpcOctoURL == "" {
|
||||
@@ -122,6 +127,11 @@ func main() {
|
||||
ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
|
||||
defer stop()
|
||||
|
||||
noreg_s := ""
|
||||
if *noRegister {
|
||||
noreg_s = "--no-register"
|
||||
}
|
||||
|
||||
services := []service{
|
||||
{
|
||||
label: "auth",
|
||||
@@ -129,6 +139,7 @@ func main() {
|
||||
cmd: exec.CommandContext(ctx, filepath.Join("bin", "auth-server"+ext),
|
||||
"--listen", *authListen,
|
||||
"--db", *authDB,
|
||||
noreg_s,
|
||||
),
|
||||
},
|
||||
{
|
||||
@@ -143,7 +154,7 @@ func main() {
|
||||
label: "grpc",
|
||||
color: colorYellow,
|
||||
cmd: exec.CommandContext(ctx, filepath.Join("bin", "lunar-tear"+ext),
|
||||
grpcArgs(*grpcListen, *grpcPublicAddr, *grpcDB, *grpcOctoURL, *grpcAuthURL, *adminListen)...,
|
||||
grpcArgs(*grpcListen, *grpcPublicAddr, *grpcDB, *grpcOctoURL, *grpcAuthURL, *adminListen, *noRegister)...,
|
||||
),
|
||||
},
|
||||
}
|
||||
@@ -204,7 +215,7 @@ func prefixLines(wg *sync.WaitGroup, prefix string, r io.Reader) {
|
||||
// grpcArgs assembles the argv for the lunar-tear subprocess. The admin flag
|
||||
// is appended only when --admin.listen was supplied so we don't override
|
||||
// lunar-tear's own default when the operator hasn't opted in.
|
||||
func grpcArgs(listen, publicAddr, db, octoURL, authURL, adminListen string) []string {
|
||||
func grpcArgs(listen, publicAddr, db, octoURL, authURL, adminListen string, noRegister bool) []string {
|
||||
args := []string{
|
||||
"--listen", listen,
|
||||
"--public-addr", publicAddr,
|
||||
@@ -212,8 +223,13 @@ func grpcArgs(listen, publicAddr, db, octoURL, authURL, adminListen string) []st
|
||||
"--octo-url", octoURL,
|
||||
"--auth-url", authURL,
|
||||
}
|
||||
|
||||
if adminListen != "" {
|
||||
args = append(args, "--admin-listen", adminListen)
|
||||
}
|
||||
|
||||
if noRegister {
|
||||
args = append(args, "--no-register")
|
||||
}
|
||||
return args
|
||||
}
|
||||
|
||||
@@ -39,6 +39,7 @@ func startGRPC(
|
||||
store.SessionRepository
|
||||
},
|
||||
holder *runtime.Holder,
|
||||
noRegister bool,
|
||||
) *grpc.Server {
|
||||
lis, err := net.Listen("tcp", listenAddr)
|
||||
if err != nil {
|
||||
@@ -52,13 +53,17 @@ func startGRPC(
|
||||
grpc.UnknownServiceHandler(interceptor.UnknownService),
|
||||
)
|
||||
|
||||
registerServices(grpcServer, publicAddr, octoURL, authURL, userStore, holder)
|
||||
registerServices(grpcServer, publicAddr, octoURL, authURL, userStore, holder, noRegister)
|
||||
|
||||
reflection.Register(grpcServer)
|
||||
|
||||
log.Printf("gRPC server listening on %s", lis.Addr())
|
||||
log.Printf("public address: %s", publicAddr)
|
||||
|
||||
if noRegister {
|
||||
log.Print("[!!WARNING!!] The gRPC server is running in NO-REGISTER mode. All new user registrations are denied, only existing accounts and auth-server logins are permitted.")
|
||||
}
|
||||
|
||||
go func() {
|
||||
if err := grpcServer.Serve(lis); err != nil {
|
||||
log.Printf("gRPC server stopped: %v", err)
|
||||
@@ -77,12 +82,13 @@ func registerServices(
|
||||
store.SessionRepository
|
||||
},
|
||||
holder *runtime.Holder,
|
||||
noRegister bool,
|
||||
) {
|
||||
pubHost, pubPortStr, _ := net.SplitHostPort(publicAddr)
|
||||
pubPort, _ := strconv.Atoi(pubPortStr)
|
||||
|
||||
pb.RegisterBannerServiceServer(srv, service.NewBannerServiceServer(holder))
|
||||
pb.RegisterUserServiceServer(srv, service.NewUserServiceServer(userStore, userStore, authURL))
|
||||
pb.RegisterUserServiceServer(srv, service.NewUserServiceServer(userStore, userStore, authURL, noRegister))
|
||||
pb.RegisterBattleServiceServer(srv, service.NewBattleServiceServer(userStore, userStore))
|
||||
pb.RegisterConfigServiceServer(srv, service.NewConfigServiceServer(pubHost, int32(pubPort), octoURL))
|
||||
pb.RegisterDataServiceServer(srv, service.NewDataServiceServer(userStore, userStore))
|
||||
|
||||
@@ -23,6 +23,7 @@ func main() {
|
||||
octoURL := flag.String("octo-url", "", "Octo CDN base URL the client will use for assets (e.g. http://10.0.2.2:8080)")
|
||||
authURL := flag.String("auth-url", "", "Auth server base URL for Facebook token validation (e.g. http://localhost:3000)")
|
||||
adminListen := flag.String("admin-listen", "127.0.0.1:8082", "admin webhook listen address (host:port). Loopback by default; only binds when LUNAR_ADMIN_TOKEN is set.")
|
||||
noRegister := flag.Bool("no-register", false, "Disallow new account registrations for clients, when present. Default = false")
|
||||
flag.Parse()
|
||||
|
||||
if *octoURL == "" {
|
||||
@@ -46,7 +47,7 @@ func main() {
|
||||
|
||||
userStore := sqlite.New(db, gametime.Now)
|
||||
|
||||
grpcServer := startGRPC(*listen, *publicAddr, *octoURL, *authURL, userStore, holder)
|
||||
grpcServer := startGRPC(*listen, *publicAddr, *octoURL, *authURL, userStore, holder, *noRegister)
|
||||
|
||||
startAdmin(*adminListen, holder)
|
||||
|
||||
|
||||
@@ -0,0 +1,99 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"flag"
|
||||
"log"
|
||||
|
||||
"github.com/google/uuid"
|
||||
|
||||
"lunar-tear/server/internal/auth"
|
||||
"lunar-tear/server/internal/database"
|
||||
"lunar-tear/server/internal/model"
|
||||
"lunar-tear/server/internal/store/sqlite"
|
||||
)
|
||||
|
||||
func main() {
|
||||
dbPath := flag.String("db", "db/game.db", "SQLite database path")
|
||||
authdbPath := flag.String("auth-db", "db/auth.db", "SQLite auth server database path")
|
||||
|
||||
name := flag.String("name", "", "Nickname of the new account to-be")
|
||||
password := flag.String("password", "", "Password of the new account to-be")
|
||||
platform := flag.String("platform", "android", "Platform of the user. Can be: \"android\", \"ios\"")
|
||||
|
||||
flag.Parse()
|
||||
|
||||
if *name == "" {
|
||||
log.Fatal("--name flag is required")
|
||||
}
|
||||
|
||||
if *password == "" {
|
||||
log.Fatal("--password flag is required")
|
||||
}
|
||||
|
||||
if (*platform != "android") && (*platform != "ios") {
|
||||
log.Fatal("--platform can be either \"android\" or \"ios\"")
|
||||
}
|
||||
|
||||
db, err := database.Open(*dbPath)
|
||||
if err != nil {
|
||||
log.Fatalf("open database: %v", err)
|
||||
}
|
||||
defer db.Close()
|
||||
|
||||
userStore := sqlite.New(db, nil)
|
||||
|
||||
authdb, err := database.Open(*authdbPath)
|
||||
if err != nil {
|
||||
log.Fatalf("open auth database: %v", err)
|
||||
}
|
||||
defer db.Close()
|
||||
|
||||
authStore, err := auth.NewAuthStore(authdb)
|
||||
if err != nil {
|
||||
log.Fatalf("init auth store: %v", err)
|
||||
}
|
||||
|
||||
// Auth user check
|
||||
|
||||
userExists := authStore.UserExists(*name)
|
||||
if userExists {
|
||||
log.Fatal("Username is already taken")
|
||||
}
|
||||
|
||||
// lunar-tear user
|
||||
|
||||
var userPlatform model.ClientPlatform
|
||||
|
||||
if *platform == "android" {
|
||||
userPlatform.OsType = 2
|
||||
userPlatform.PlatformType = 2
|
||||
} else {
|
||||
userPlatform.OsType = 1
|
||||
userPlatform.PlatformType = 1
|
||||
}
|
||||
|
||||
userUuid := uuid.New().String()
|
||||
id, err := userStore.CreateUser(userUuid, userPlatform)
|
||||
|
||||
if err == nil {
|
||||
log.Printf("Registered user %d in database successfully", id)
|
||||
} else {
|
||||
log.Fatalf("Register user in database: %v", err)
|
||||
}
|
||||
|
||||
// Bind
|
||||
|
||||
authUser, err := authStore.CreateUser(*name, *password)
|
||||
if err != nil {
|
||||
log.Fatalf("Register auth account: %v", err)
|
||||
}
|
||||
|
||||
err = userStore.SetFacebookId(id, authUser.ID)
|
||||
if err == nil {
|
||||
log.Printf("Bound user %d with facebook account %v", id, authUser.Username)
|
||||
} else {
|
||||
log.Fatalf("failed to bind user with facebook account: %v", err)
|
||||
}
|
||||
|
||||
log.Printf("Account %v created successfully.", *name)
|
||||
}
|
||||
Reference in New Issue
Block a user