Token validation check

2022-05-30 20:44:18 +01:00 · 2022-05-30 20:44:18 +01:00 · 10b39fd4b4
commit 10b39fd4b4
parent d9e4df9e8e
1 changed files with 53 additions and 22 deletions
--- a/app/http/endpoints/api/whitelabel/whitelabelpost.go
+++ b/app/http/endpoints/api/whitelabel/whitelabelpost.go
@ -3,10 +3,14 @@ package api
 import (
 	dbclient "github.com/TicketsBot/GoPanel/database"
 	"github.com/TicketsBot/GoPanel/redis"
+	"github.com/TicketsBot/GoPanel/utils"
 	"github.com/TicketsBot/common/tokenchange"
 	"github.com/TicketsBot/database"
 	"github.com/gin-gonic/gin"
 	"github.com/rxdn/gdl/rest"
+	"math"
+	"strconv"
+	"strings"
 )

 func WhitelabelPost(ctx *gin.Context) {
@ -24,28 +28,24 @@ func WhitelabelPost(ctx *gin.Context) {

 	token, ok := data["token"].(string)
 	if !ok || token == "" {
-		ctx.JSON(400, gin.H{
-			"success": false,
-			"error":   "Missing token",
-		})
+		ctx.JSON(400, utils.ErrorStr("Missing token"))
+		return
+	}
+
+	if !validateToken(token) {
+		ctx.JSON(400, utils.ErrorStr("Invalid token"))
 		return
 	}

 	// Validate token + get bot ID
 	bot, err := rest.GetCurrentUser(token, nil)
 	if err != nil {
-		ctx.JSON(400, gin.H{
-			"success": false,
-			"error":   err.Error(),
-		})
+		ctx.JSON(400, utils.ErrorJson(err))
 		return
 	}

 	if !bot.Bot {
-		ctx.JSON(400, gin.H{
-			"success": false,
-			"error": "Token is not of a bot user",
-		})
+		ctx.JSON(400, utils.ErrorStr("Token is not of a bot user"))
 		return
 	}

@ -59,15 +59,6 @@ func WhitelabelPost(ctx *gin.Context) {
 		return
 	}

-	/*if existing.Token == token {
-		// Respond with 200 to prevent information disclosure attack
-		ctx.JSON(200, gin.H{
-			"success": true,
-			"bot": bot,
-		})
-		return
-	}*/
-
 	if err = dbclient.Client.Whitelabel.Set(database.WhitelabelBot{
 		UserId: userId,
 		BotId:  bot.Id,
@ -99,3 +90,43 @@ func WhitelabelPost(ctx *gin.Context) {
 		"bot":     bot,
 	})
 }
+
+const (
+	unixTimestamp2015 = 1420070400
+	tokenEpoch        = 1293840000
+)
+
+func validateToken(token string) bool {
+	// Check for 2 dots
+	if strings.Count(token, ".") != 2 {
+		return false
+	}
+
+	split := strings.Split(token, ".")
+
+	// Validate bot ID
+	if _, err := strconv.ParseUint(utils.Base64Decode(split[0]), 10, 64); err != nil {
+		return false
+	}
+
+	// TODO: We could check the date on the snowflake
+
+	// Validate time
+	timestamp, err := strconv.ParseUint(utils.Base64Decode(split[1]), 10, 64)
+	if err != nil {
+		return false
+	}
+
+	// Check timestamp correction won't overflow
+	if timestamp > math.MaxUint64-tokenEpoch {
+		return false
+	}
+
+	// Correct timestamp and check if it is before 2015
+	timestamp += tokenEpoch
+	if timestamp < unixTimestamp2015 {
+		return false
+	}
+
+	return true
+}