From 10b39fd4b4ddd0c7f87a1aced4f015db32c3ffd6 Mon Sep 17 00:00:00 2001
From: rxdn <29165304+rxdn@users.noreply.github.com>
Date: Mon, 30 May 2022 20:44:18 +0100
Subject: [PATCH] Token validation check

---
 .../api/whitelabel/whitelabelpost.go | 75 +++++++++++++------
 1 file changed, 53 insertions(+), 22 deletions(-)

diff --git a/app/http/endpoints/api/whitelabel/whitelabelpost.go b/app/http/endpoints/api/whitelabel/whitelabelpost.go
index f049001..8771d11 100644
--- a/app/http/endpoints/api/whitelabel/whitelabelpost.go
+++ b/app/http/endpoints/api/whitelabel/whitelabelpost.go
@@ -3,10 +3,14 @@ package api
 import (
 	dbclient "github.com/TicketsBot/GoPanel/database"
 	"github.com/TicketsBot/GoPanel/redis"
+	"github.com/TicketsBot/GoPanel/utils"
 	"github.com/TicketsBot/common/tokenchange"
 	"github.com/TicketsBot/database"
 	"github.com/gin-gonic/gin"
 	"github.com/rxdn/gdl/rest"
+	"math"
+	"strconv"
+	"strings"
 )
 
 func WhitelabelPost(ctx *gin.Context) {
@@ -24,28 +28,24 @@ func WhitelabelPost(ctx *gin.Context) {
 
 	token, ok := data["token"].(string)
 	if !ok || token == "" {
-		ctx.JSON(400, gin.H{
-			"success": false,
-			"error": "Missing token",
-		})
+		ctx.JSON(400, utils.ErrorStr("Missing token"))
+		return
+	}
+
+	if !validateToken(token) {
+		ctx.JSON(400, utils.ErrorStr("Invalid token"))
 		return
 	}
 
 	// Validate token + get bot ID
 	bot, err := rest.GetCurrentUser(token, nil)
 	if err != nil {
-		ctx.JSON(400, gin.H{
-			"success": false,
-			"error": err.Error(),
-		})
+		ctx.JSON(400, utils.ErrorJson(err))
 		return
 	}
 
 	if !bot.Bot {
-		ctx.JSON(400, gin.H{
-			"success": false,
-			"error": "Token is not of a bot user",
-		})
+		ctx.JSON(400, utils.ErrorStr("Token is not of a bot user"))
 		return
 	}
 
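Review bot: The new `ctx.JSON(400, utils.ErrorJson(err))` after rest.GetCurrentUser reports every upstream failure as a client error and hands the Discord client's error to the caller; presumably ErrorJson serialises err.Error(), so a transport or rate-limit failure would surface as a 400 with whatever detail the upstream error text carries. Consider logging err server-side and returning a fixed message with a status that reflects an upstream problem, e.g. `ctx.JSON(502, utils.ErrorStr("Could not verify token with Discord"))`, keeping 400 for the bot.Bot check that follows. The structural pre-check in validateToken is defined later in this patch, and WhitelabelPost continues outside the hunk.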
@@ -59,15 +59,6 @@ func WhitelabelPost(ctx *gin.Context) {
 		return
 	}
 
-	/*if existing.Token == token {
-		// Respond with 200 to prevent information disclosure attack
-		ctx.JSON(200, gin.H{
-			"success": true,
-			"bot": bot,
-		})
-		return
-	}*/
-
 	if err = dbclient.Client.Whitelabel.Set(database.WhitelabelBot{
 		UserId: userId,
 		BotId: bot.Id,
@@ -96,6 +87,46 @@ func WhitelabelPost(ctx *gin.Context) {
 
 	ctx.JSON(200, gin.H{
 		"success": true,
-		"bot": bot,
+		"bot": bot,
 	})
 }
+
+const (
+	unixTimestamp2015 = 1420070400
+	tokenEpoch = 1293840000
+)
+
+func validateToken(token string) bool {
+	// Check for 2 dots
+	if strings.Count(token, ".") != 2 {
+		return false
+	}
+
+	split := strings.Split(token, ".")
+
+	// Validate bot ID
+	if _, err := strconv.ParseUint(utils.Base64Decode(split[0]), 10, 64); err != nil {
+		return false
+	}
+
+	// TODO: We could check the date on the snowflake
+
+	// Validate time
+	timestamp, err := strconv.ParseUint(utils.Base64Decode(split[1]), 10, 64)
+	if err != nil {
+		return false
+	}
+
+	// Check timestamp correction won't overflow
+	if timestamp > math.MaxUint64-tokenEpoch {
+		return false
+	}
+
+	// Correct timestamp and check if it is before 2015
+	timestamp += tokenEpoch
+	if timestamp < unixTimestamp2015 {
+		return false
+	}
+
+	return true
+}
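Review bot: validateToken is undocumented and its name overstates what it does — it only checks the token's shape (two dots, a base64-encoded numeric first segment, a post-2015 timestamp in the second) and never looks at the third segment, so the real verification is still the rest.GetCurrentUser call in WhitelabelPost; add `// validateToken is a cheap structural pre-check on a bot token before it is sent to Discord; it does not prove the token is genuine.` plus comments on the constants stating that unixTimestamp2015 is 2015-01-01T00:00:00Z and tokenEpoch is 2011-01-01T00:00:00Z, so the magic numbers are explained. The decimal ParseUint on the decoded second segment assumes the timestamp is encoded as digits; if it is a raw big-endian integer instead, every genuine token would be rejected, so this deserves a unit test built from a known-good token layout. What happens on an undecodable segment depends on what utils.Base64Decode returns for invalid input — presumably an empty string, which ParseUint rejects — and is worth confirming. The trailing `if timestamp < unixTimestamp2015 { return false }` / `return true` collapses to `return timestamp >= unixTimestamp2015`, and the Count+Split pair can become `split := strings.Split(token, "."); if len(split) != 3 { return false }`.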