NetworkSession: Restore PM3 unexpected XUID handling behaviour (removes XUID instead of kicking the player)

close #3861, close #3089

src/network/mcpe/NetworkSession.php

@@ -561,8 +561,6 @@ class NetworkSession{
 		if($error === null){
 			if($authenticated and $this->info->getXuid() === ""){
 				$error = "Expected XUID but none found";
-			}elseif(!$authenticated and $this->info->getXuid() !== ""){
-				$error = "Unexpected XUID for non-XBOX-authenticated player";
 			}elseif($clientPubKey === null){
 				$error = "Missing client public key"; //failsafe
 			}
@@ -576,9 +574,15 @@ class NetworkSession{
 
 		$this->authenticated = $authenticated;
 
-		if(!$this->authenticated and $authRequired){
-			$this->disconnect("disconnectionScreen.notAuthenticated");
-			return;
+		if(!$this->authenticated){
+			if($authRequired){
+				$this->disconnect("disconnectionScreen.notAuthenticated");
+				return;
+			}
+			if($this->info->hasXboxData()){
+				$this->logger->warning("Discarding unexpected XUID for non-authenticated player");
+				$this->info = $this->info->withoutXboxData();
+			}
 		}
 		$this->logger->debug("Xbox Live authenticated: " . ($this->authenticated ? "YES" : "NO"));
 

src/player/PlayerInfo.php

@@ -88,4 +88,23 @@ class PlayerInfo{
 	public function getExtraData() : array{
 		return $this->extraData;
 	}
+
+	public function hasXboxData() : bool{
+		return $this->xuid !== "";
+	}
+
+	/**
+	 * Returns a new PlayerInfo with XBL player info stripped. This is used to ensure that non-XBL players can't spoof
+	 * XBL data.
+	 */
+	public function withoutXboxData() : self{
+		return new self(
+			$this->username,
+			$this->uuid,
+			$this->skin,
+			$this->locale,
+			"",
+			$this->extraData
+		);
+	}
 }