From 94c58c00b5ee0a4e2a7b87928db44c58c7cad078 Mon Sep 17 00:00:00 2001
From: "Dylan K. Taylor"
Date: Thu, 8 Oct 2020 14:36:02 +0100
Subject: [PATCH] NetworkSession: Restore PM3 unexpected XUID handling behaviour (removes XUID instead of kicking the player) close #3861, close #3089
---
 src/network/mcpe/NetworkSession.php | 14 +++++++++-----
 src/player/PlayerInfo.php | 19 +++++++++++++++++++
 2 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/src/network/mcpe/NetworkSession.php b/src/network/mcpe/NetworkSession.php
index cdf0296f0..8c370f6e6 100644
--- a/src/network/mcpe/NetworkSession.php
+++ b/src/network/mcpe/NetworkSession.php
@@ -561,8 +561,6 @@ class NetworkSession{
 if($error === null){
 if($authenticated and $this->info->getXuid() === ""){
 $error = "Expected XUID but none found";
- }elseif(!$authenticated and $this->info->getXuid() !== ""){
- $error = "Unexpected XUID for non-XBOX-authenticated player";
 }elseif($clientPubKey === null){
 $error = "Missing client public key"; //failsafe
 }
@@ -576,9 +574,15 @@ class NetworkSession{
 $this->authenticated = $authenticated;
- if(!$this->authenticated and $authRequired){
- $this->disconnect("disconnectionScreen.notAuthenticated");
- return;
+ if(!$this->authenticated){
+ if($authRequired){
+ $this->disconnect("disconnectionScreen.notAuthenticated");
+ return;
+ }
+ if($this->info->hasXboxData()){
+ $this->logger->warning("Discarding unexpected XUID for non-authenticated player");
+ $this->info = $this->info->withoutXboxData();
+ }
 }
 $this->logger->debug("Xbox Live authenticated: " . ($this->authenticated ? "YES" : "NO"));
diff --git a/src/player/PlayerInfo.php b/src/player/PlayerInfo.php
index dee690aa1..52e9b2f7a 100644
--- a/src/player/PlayerInfo.php
+++ b/src/player/PlayerInfo.php
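Review bot: In the second NetworkSession.php hunk (`@@ -576,9 +574,15 @@`), the new `if($this->info->hasXboxData())` branch has no comment saying why the XUID is dropped, and its warning is emitted once for every unauthenticated login that carries one. I would put `// XUID was not verified by the login chain, so it is client-chosen: drop it before anything treats it as an identity` above the branch. Because a remote client that has not authenticated decides whether this line is written, `warning` severity lets it add noise to the log on a server that does not require authentication; `debug` or `info` may be a better fit. The enclosing method starts and ends outside the hunk, so it is not visible whether `$this->info` is read with the unverified XUID before this point.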
@@ -88,4 +88,23 @@ class PlayerInfo{
 public function getExtraData() : array{
 return $this->extraData;
 }
+
+ public function hasXboxData() : bool{
+ return $this->xuid !== "";
+ }
+
+ /**
+ * Returns a new PlayerInfo with XBL player info stripped. This is used to ensure that non-XBL players can't spoof
+ * XBL data.
+ */
+ public function withoutXboxData() : self{
+ return new self(
+ $this->username,
+ $this->uuid,
+ $this->skin,
+ $this->locale,
+ "",
+ $this->extraData
+ );
+ }
 }
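Review bot: `withoutXboxData()` replaces only the fifth constructor argument with `""` and passes `$this->extraData` through unchanged, so the docblock's "XBL player info stripped" promises more than the visible code does. If that array holds the client's raw login claims (the constructor and the code that fills it are outside the hunk, so this is an assumption), any XUID-carrying entry stays readable through `getExtraData()`. Either filter the array here or narrow the docblock to say that only the value returned by `getXuid()` is cleared. `hasXboxData()` has no docblock; `/** Returns whether a non-empty XUID is present; says nothing about whether it was verified. */` would keep callers from treating it as an authentication check.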