scout_ante/dashboard-v2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Token validation check

Browse Source
This commit is contained in:
rxdn 2022-05-30 20:44:18 +01:00
parent d9e4df9e8e
commit 10b39fd4b4
1 changed files with 53 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
app/http/endpoints/api/whitelabel/whitelabelpost.go
View File

@ -3,10 +3,14 @@ package api
import ( import (
dbclient "github.com/TicketsBot/GoPanel/database" dbclient "github.com/TicketsBot/GoPanel/database"
"github.com/TicketsBot/GoPanel/redis" "github.com/TicketsBot/GoPanel/redis"
"github.com/TicketsBot/GoPanel/utils"
"github.com/TicketsBot/common/tokenchange" "github.com/TicketsBot/common/tokenchange"
"github.com/TicketsBot/database" "github.com/TicketsBot/database"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/rxdn/gdl/rest" "github.com/rxdn/gdl/rest"
"math"
"strconv"
"strings"
) )
func WhitelabelPost(ctx *gin.Context) { func WhitelabelPost(ctx *gin.Context) {
@ -24,28 +28,24 @@ func WhitelabelPost(ctx *gin.Context) {
token, ok := data["token"].(string) token, ok := data["token"].(string)
if !ok || token == "" { if !ok || token == "" {
ctx.JSON(400, gin.H{ ctx.JSON(400, utils.ErrorStr("Missing token"))
"success": false, return
"error": "Missing token", }
})
if !validateToken(token) {
ctx.JSON(400, utils.ErrorStr("Invalid token"))
return return
} }
// Validate token + get bot ID // Validate token + get bot ID
bot, err := rest.GetCurrentUser(token, nil) bot, err := rest.GetCurrentUser(token, nil)
if err != nil { if err != nil {
ctx.JSON(400, gin.H{ ctx.JSON(400, utils.ErrorJson(err))
"success": false,
"error": err.Error(),
})
return return
} }
if !bot.Bot { if !bot.Bot {
ctx.JSON(400, gin.H{ ctx.JSON(400, utils.ErrorStr("Token is not of a bot user"))
"success": false,
"error": "Token is not of a bot user",
})
return return
} }
@ -59,15 +59,6 @@ func WhitelabelPost(ctx *gin.Context) {
return return
} }
/*if existing.Token == token {
// Respond with 200 to prevent information disclosure attack
ctx.JSON(200, gin.H{
"success": true,
"bot": bot,
})
return
}*/
if err = dbclient.Client.Whitelabel.Set(database.WhitelabelBot{ if err = dbclient.Client.Whitelabel.Set(database.WhitelabelBot{
UserId: userId, UserId: userId,
BotId: bot.Id, BotId: bot.Id,
@ -99,3 +90,43 @@ func WhitelabelPost(ctx *gin.Context) {
"bot": bot, "bot": bot,
}) })
} }
const (
unixTimestamp2015 = 1420070400
tokenEpoch = 1293840000
)
func validateToken(token string) bool {
// Check for 2 dots
if strings.Count(token, ".") != 2 {
return false
}
split := strings.Split(token, ".")
// Validate bot ID
if _, err := strconv.ParseUint(utils.Base64Decode(split[0]), 10, 64); err != nil {
return false
}
// TODO: We could check the date on the snowflake
// Validate time
timestamp, err := strconv.ParseUint(utils.Base64Decode(split[1]), 10, 64)
if err != nil {
return false
}
// Check timestamp correction won't overflow
if timestamp > math.MaxUint64-tokenEpoch {
return false
}
// Correct timestamp and check if it is before 2015
timestamp += tokenEpoch
if timestamp < unixTimestamp2015 {
return false
}
return true
}