mirror of
https://github.com/pmmp/PocketMine-MP.git
synced 2025-09-10 03:34:06 +00:00
Compare commits
2 Commits
new-auth
...
dependabot
| Author | SHA1 | Date | |
|---|---|---|---|
| 327a9b020e | |||
| ce90835c7b |
Submodule build/php updated: b839e5227b...1d9cda6688
@ -36,7 +36,7 @@
|
||||
"pocketmine/bedrock-block-upgrade-schema": "~5.1.0+bedrock-1.21.60",
|
||||
"pocketmine/bedrock-data": "~6.0.0+bedrock-1.21.100",
|
||||
"pocketmine/bedrock-item-upgrade-schema": "~1.15.0+bedrock-1.21.100",
|
||||
"pocketmine/bedrock-protocol": "~41.0.0+bedrock-1.21.100",
|
||||
"pocketmine/bedrock-protocol": "~40.0.0+bedrock-1.21.100",
|
||||
"pocketmine/binaryutils": "^0.2.1",
|
||||
"pocketmine/callback-validator": "^1.0.2",
|
||||
"pocketmine/color": "^0.3.0",
|
||||
|
||||
28
composer.lock
generated
28
composer.lock
generated
@ -4,7 +4,7 @@
|
||||
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
|
||||
"This file is @generated automatically"
|
||||
],
|
||||
"content-hash": "7bf7cd54642c2d65ecdfdcb28f3a64a8",
|
||||
"content-hash": "27fee330bdcb6ea2373c57cdfb3bc22f",
|
||||
"packages": [
|
||||
{
|
||||
"name": "adhocore/json-comment",
|
||||
@ -256,16 +256,16 @@
|
||||
},
|
||||
{
|
||||
"name": "pocketmine/bedrock-protocol",
|
||||
"version": "41.0.0+bedrock-1.21.100",
|
||||
"version": "40.0.0+bedrock-1.21.100",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/pmmp/BedrockProtocol.git",
|
||||
"reference": "920ac291fe1b0143b2ebc90b3374ddab0b8531bf"
|
||||
"reference": "5e95cab3a6e6c24920e0c25ca4aaf887ed4b70ca"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/pmmp/BedrockProtocol/zipball/920ac291fe1b0143b2ebc90b3374ddab0b8531bf",
|
||||
"reference": "920ac291fe1b0143b2ebc90b3374ddab0b8531bf",
|
||||
"url": "https://api.github.com/repos/pmmp/BedrockProtocol/zipball/5e95cab3a6e6c24920e0c25ca4aaf887ed4b70ca",
|
||||
"reference": "5e95cab3a6e6c24920e0c25ca4aaf887ed4b70ca",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@ -296,9 +296,9 @@
|
||||
"description": "An implementation of the Minecraft: Bedrock Edition protocol in PHP",
|
||||
"support": {
|
||||
"issues": "https://github.com/pmmp/BedrockProtocol/issues",
|
||||
"source": "https://github.com/pmmp/BedrockProtocol/tree/41.0.0+bedrock-1.21.100"
|
||||
"source": "https://github.com/pmmp/BedrockProtocol/tree/40.0.0+bedrock-1.21.100"
|
||||
},
|
||||
"time": "2025-09-09T20:52:18+00:00"
|
||||
"time": "2025-08-06T15:13:45+00:00"
|
||||
},
|
||||
{
|
||||
"name": "pocketmine/binaryutils",
|
||||
@ -818,20 +818,20 @@
|
||||
},
|
||||
{
|
||||
"name": "ramsey/uuid",
|
||||
"version": "4.9.0",
|
||||
"version": "4.9.1",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/ramsey/uuid.git",
|
||||
"reference": "4e0e23cc785f0724a0e838279a9eb03f28b092a0"
|
||||
"reference": "81f941f6f729b1e3ceea61d9d014f8b6c6800440"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/ramsey/uuid/zipball/4e0e23cc785f0724a0e838279a9eb03f28b092a0",
|
||||
"reference": "4e0e23cc785f0724a0e838279a9eb03f28b092a0",
|
||||
"url": "https://api.github.com/repos/ramsey/uuid/zipball/81f941f6f729b1e3ceea61d9d014f8b6c6800440",
|
||||
"reference": "81f941f6f729b1e3ceea61d9d014f8b6c6800440",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"brick/math": "^0.8.8 || ^0.9 || ^0.10 || ^0.11 || ^0.12 || ^0.13",
|
||||
"brick/math": "^0.8.8 || ^0.9 || ^0.10 || ^0.11 || ^0.12 || ^0.13 || ^0.14",
|
||||
"php": "^8.0",
|
||||
"ramsey/collection": "^1.2 || ^2.0"
|
||||
},
|
||||
@ -890,9 +890,9 @@
|
||||
],
|
||||
"support": {
|
||||
"issues": "https://github.com/ramsey/uuid/issues",
|
||||
"source": "https://github.com/ramsey/uuid/tree/4.9.0"
|
||||
"source": "https://github.com/ramsey/uuid/tree/4.9.1"
|
||||
},
|
||||
"time": "2025-06-25T14:20:11+00:00"
|
||||
"time": "2025-09-04T20:59:21+00:00"
|
||||
},
|
||||
{
|
||||
"name": "symfony/filesystem",
|
||||
|
||||
@ -50,7 +50,6 @@ use pocketmine\lang\Language;
|
||||
use pocketmine\lang\LanguageNotFoundException;
|
||||
use pocketmine\lang\Translatable;
|
||||
use pocketmine\nbt\tag\CompoundTag;
|
||||
use pocketmine\network\mcpe\auth\AuthKeyProvider;
|
||||
use pocketmine\network\mcpe\compression\CompressBatchPromise;
|
||||
use pocketmine\network\mcpe\compression\CompressBatchTask;
|
||||
use pocketmine\network\mcpe\compression\Compressor;
|
||||
@ -271,7 +270,6 @@ class Server{
|
||||
private int $maxPlayers;
|
||||
|
||||
private bool $onlineMode = true;
|
||||
private AuthKeyProvider $authKeyProvider;
|
||||
|
||||
private Network $network;
|
||||
private bool $networkCompressionAsync = true;
|
||||
@ -984,8 +982,6 @@ class Server{
|
||||
$this->logger->warning($this->language->translate(KnownTranslationFactory::pocketmine_server_authProperty_disabled()));
|
||||
}
|
||||
|
||||
$this->authKeyProvider = new AuthKeyProvider(new \PrefixedLogger($this->logger, "Minecraft Auth Key Provider"), $this->asyncPool);
|
||||
|
||||
if($this->configGroup->getConfigBool(ServerProperties::HARDCORE, false) && $this->getDifficulty() < World::DIFFICULTY_HARD){
|
||||
$this->configGroup->setConfigInt(ServerProperties::DIFFICULTY, World::DIFFICULTY_HARD);
|
||||
}
|
||||
@ -1804,10 +1800,6 @@ class Server{
|
||||
return $this->forceLanguage;
|
||||
}
|
||||
|
||||
public function getAuthKeyProvider() : AuthKeyProvider{
|
||||
return $this->authKeyProvider;
|
||||
}
|
||||
|
||||
public function getNetwork() : Network{
|
||||
return $this->network;
|
||||
}
|
||||
|
||||
@ -24,7 +24,6 @@ declare(strict_types=1);
|
||||
namespace pocketmine\network\mcpe;
|
||||
|
||||
use pocketmine\utils\AssumptionFailedError;
|
||||
use pocketmine\utils\Binary;
|
||||
use pocketmine\utils\BinaryStream;
|
||||
use pocketmine\utils\Utils;
|
||||
use function base64_decode;
|
||||
@ -33,7 +32,6 @@ use function bin2hex;
|
||||
use function chr;
|
||||
use function count;
|
||||
use function explode;
|
||||
use function hex2bin;
|
||||
use function is_array;
|
||||
use function json_decode;
|
||||
use function json_encode;
|
||||
@ -56,7 +54,6 @@ use function strlen;
|
||||
use function strtr;
|
||||
use function substr;
|
||||
use const JSON_THROW_ON_ERROR;
|
||||
use const OPENSSL_ALGO_SHA256;
|
||||
use const OPENSSL_ALGO_SHA384;
|
||||
use const STR_PAD_LEFT;
|
||||
|
||||
@ -173,17 +170,17 @@ final class JwtUtils{
|
||||
/**
|
||||
* @throws JwtException
|
||||
*/
|
||||
public static function verify(string $jwt, string $signingKeyDer, bool $ec) : bool{
|
||||
public static function verify(string $jwt, \OpenSSLAsymmetricKey $signingKey) : bool{
|
||||
[$header, $body, $signature] = self::split($jwt);
|
||||
|
||||
$rawSignature = self::b64UrlDecode($signature);
|
||||
$derSignature = $ec ? self::rawSignatureToDer($rawSignature) : $rawSignature;
|
||||
$derSignature = self::rawSignatureToDer($rawSignature);
|
||||
|
||||
$v = openssl_verify(
|
||||
$header . '.' . $body,
|
||||
$derSignature,
|
||||
self::derPublicKeyToPem($signingKeyDer),
|
||||
$ec ? self::SIGNATURE_ALGORITHM : OPENSSL_ALGO_SHA256
|
||||
$signingKey,
|
||||
self::SIGNATURE_ALGORITHM
|
||||
);
|
||||
switch($v){
|
||||
case 0: return false;
|
||||
@ -241,56 +238,22 @@ final class JwtUtils{
|
||||
throw new AssumptionFailedError("OpenSSL resource contains invalid public key");
|
||||
}
|
||||
|
||||
/**
|
||||
* DER supports lengths up to (2**8)**127, however, we'll only support lengths up to (2**8)**4. See
|
||||
* {@link http://itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf#p=13 X.690 paragraph 8.1.3} for more information.
|
||||
*/
|
||||
private static function encodeDerLength(int $length) : string{
|
||||
if ($length <= 0x7F) {
|
||||
return chr($length);
|
||||
}
|
||||
|
||||
$lengthBytes = ltrim(Binary::writeInt($length), "\x00");
|
||||
|
||||
return chr(0x80 | strlen($lengthBytes)) . $lengthBytes;
|
||||
}
|
||||
|
||||
private static function encodeDerBytes(int $tag, string $data) : string{
|
||||
return chr($tag) . self::encodeDerLength(strlen($data)) . $data;
|
||||
}
|
||||
|
||||
public static function parseDerPublicKey(string $derKey) : \OpenSSLAsymmetricKey{
|
||||
$signingKeyOpenSSL = openssl_pkey_get_public(self::derPublicKeyToPem($derKey));
|
||||
$signingKeyOpenSSL = openssl_pkey_get_public(sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n", base64_encode($derKey)));
|
||||
if($signingKeyOpenSSL === false){
|
||||
throw new JwtException("OpenSSL failed to parse key: " . openssl_error_string());
|
||||
}
|
||||
$details = openssl_pkey_get_details($signingKeyOpenSSL);
|
||||
if($details === false){
|
||||
throw new JwtException("OpenSSL failed to get details from key: " . openssl_error_string());
|
||||
}
|
||||
if(!isset($details['ec']['curve_name'])){
|
||||
throw new JwtException("Expected an EC key");
|
||||
}
|
||||
$curve = $details['ec']['curve_name'];
|
||||
if($curve !== self::BEDROCK_SIGNING_KEY_CURVE_NAME){
|
||||
throw new JwtException("Key must belong to curve " . self::BEDROCK_SIGNING_KEY_CURVE_NAME . ", got $curve");
|
||||
}
|
||||
return $signingKeyOpenSSL;
|
||||
}
|
||||
|
||||
public static function derPublicKeyToPem(string $derKey) : string{
|
||||
return sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n", base64_encode($derKey));
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a public key represented in DER format from RSA modulus and exponent information
|
||||
*
|
||||
* @param string $nBase64 The RSA modulus encoded in Base64
|
||||
* @param string $eBase64 The RSA exponent encoded in Base64
|
||||
*/
|
||||
public static function rsaPublicKeyModExpToDer(string $nBase64, string $eBase64) : string{
|
||||
$mod = self::b64UrlDecode($nBase64);
|
||||
$exp = self::b64UrlDecode($eBase64);
|
||||
|
||||
$modulus = self::encodeDerBytes(2, $mod);
|
||||
$publicExponent = self::encodeDerBytes(2, $exp);
|
||||
|
||||
$rsaPublicKey = self::encodeDerBytes(48, $modulus . $publicExponent);
|
||||
|
||||
// sequence(oid(1.2.840.113549.1.1.1), null)) = rsaEncryption.
|
||||
$rsaOID = hex2bin('300d06092a864886f70d0101010500'); // hex version of MA0GCSqGSIb3DQEBAQUA
|
||||
$rsaPublicKey = chr(0) . $rsaPublicKey;
|
||||
$rsaPublicKey = self::encodeDerBytes(3, $rsaPublicKey);
|
||||
|
||||
return self::encodeDerBytes(48, $rsaOID . $rsaPublicKey);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,165 +0,0 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
*
|
||||
* ____ _ _ __ __ _ __ __ ____
|
||||
* | _ \ ___ ___| | _____| |_| \/ (_)_ __ ___ | \/ | _ \
|
||||
* | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
|
||||
* | __/ (_) | (__| < __/ |_| | | | | | | | __/_____| | | | __/
|
||||
* |_| \___/ \___|_|\_\___|\__|_| |_|_|_| |_|\___| |_| |_|_|
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* @author PocketMine Team
|
||||
* @link http://www.pocketmine.net/
|
||||
*
|
||||
*
|
||||
*/
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace pocketmine\network\mcpe\auth;
|
||||
|
||||
use pocketmine\lang\KnownTranslationFactory;
|
||||
use pocketmine\network\mcpe\JwtException;
|
||||
use pocketmine\network\mcpe\JwtUtils;
|
||||
use pocketmine\network\mcpe\protocol\types\login\JwtBodyRfc7519;
|
||||
use pocketmine\network\mcpe\protocol\types\login\legacy\LegacyAuthJwtBody;
|
||||
use pocketmine\network\mcpe\protocol\types\login\openid\XboxAuthJwtBody;
|
||||
use pocketmine\network\mcpe\protocol\types\login\SelfSignedJwtHeader;
|
||||
use function base64_decode;
|
||||
use function time;
|
||||
|
||||
final class AuthJwtHelper{
|
||||
|
||||
public const MOJANG_AUDIENCE = "api://auth-minecraft-services/multiplayer";
|
||||
|
||||
private const CLOCK_DRIFT_MAX = 60;
|
||||
|
||||
/**
|
||||
* @throws VerifyLoginException if the token is expired or not yet valid
|
||||
*/
|
||||
private static function checkExpiry(JwtBodyRfc7519 $claims) : void{
|
||||
$time = time();
|
||||
if(isset($claims->nbf) && $claims->nbf > $time + self::CLOCK_DRIFT_MAX){
|
||||
throw new VerifyLoginException("JWT not yet valid", KnownTranslationFactory::pocketmine_disconnect_invalidSession_tooEarly());
|
||||
}
|
||||
|
||||
if(isset($claims->exp) && $claims->exp < $time - self::CLOCK_DRIFT_MAX){
|
||||
throw new VerifyLoginException("JWT expired", KnownTranslationFactory::pocketmine_disconnect_invalidSession_tooLate());
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws VerifyLoginException if errors are encountered
|
||||
*/
|
||||
public static function validateOpenIdAuthToken(string $jwt, string $signingKeyDer, string $issuer, string $audience) : XboxAuthJwtBody{
|
||||
try{
|
||||
if(!JwtUtils::verify($jwt, $signingKeyDer, ec: false)){
|
||||
throw new VerifyLoginException("Invalid JWT signature", KnownTranslationFactory::pocketmine_disconnect_invalidSession_badSignature());
|
||||
}
|
||||
}catch(JwtException $e){
|
||||
throw new VerifyLoginException($e->getMessage(), null, 0, $e);
|
||||
}
|
||||
|
||||
try{
|
||||
[, $claimsArray, ] = JwtUtils::parse($jwt);
|
||||
}catch(JwtException $e){
|
||||
throw new VerifyLoginException("Failed to parse JWT: " . $e->getMessage(), null, 0, $e);
|
||||
}
|
||||
|
||||
$mapper = new \JsonMapper();
|
||||
$mapper->bExceptionOnUndefinedProperty = false; //we only care about the properties we're using in this case
|
||||
$mapper->bExceptionOnMissingData = true;
|
||||
$mapper->bStrictObjectTypeChecking = true;
|
||||
$mapper->bEnforceMapType = false;
|
||||
$mapper->bRemoveUndefinedAttributes = true;
|
||||
|
||||
try{
|
||||
//nasty dynamic new for JsonMapper
|
||||
$claims = $mapper->map($claimsArray, new XboxAuthJwtBody());
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
throw new VerifyLoginException("Invalid chain link body: " . $e->getMessage(), null, 0, $e);
|
||||
}
|
||||
|
||||
if(!isset($claims->iss) || $claims->iss !== $issuer){
|
||||
throw new VerifyLoginException("Invalid JWT issuer");
|
||||
}
|
||||
|
||||
if(!isset($claims->aud) || $claims->aud !== $audience){
|
||||
throw new VerifyLoginException("Invalid JWT audience");
|
||||
}
|
||||
|
||||
self::checkExpiry($claims);
|
||||
|
||||
return $claims;
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws VerifyLoginException if errors are encountered
|
||||
*/
|
||||
public static function validateLegacyAuthToken(string $jwt, ?string $expectedKeyDer) : LegacyAuthJwtBody{
|
||||
self::validateSelfSignedToken($jwt, $expectedKeyDer);
|
||||
|
||||
//TODO: this parses the JWT twice and throws away a bunch of parts, optimize this
|
||||
[, $claimsArray, ] = JwtUtils::parse($jwt);
|
||||
|
||||
$mapper = new \JsonMapper();
|
||||
$mapper->bExceptionOnUndefinedProperty = false; //we only care about the properties we're using in this case
|
||||
$mapper->bExceptionOnMissingData = true;
|
||||
$mapper->bStrictObjectTypeChecking = true;
|
||||
$mapper->bEnforceMapType = false;
|
||||
$mapper->bRemoveUndefinedAttributes = true;
|
||||
try{
|
||||
/** @var LegacyAuthJwtBody $claims */
|
||||
$claims = $mapper->map($claimsArray, new LegacyAuthJwtBody());
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
throw new VerifyLoginException("Invalid chain link body: " . $e->getMessage(), null, 0, $e);
|
||||
}
|
||||
|
||||
self::checkExpiry($claims);
|
||||
|
||||
return $claims;
|
||||
}
|
||||
|
||||
public static function validateSelfSignedToken(string $jwt, ?string $expectedKeyDer) : void{
|
||||
try{
|
||||
[$headersArray, ] = JwtUtils::parse($jwt);
|
||||
}catch(JwtException $e){
|
||||
throw new VerifyLoginException("Failed to parse JWT: " . $e->getMessage(), null, 0, $e);
|
||||
}
|
||||
|
||||
$mapper = new \JsonMapper();
|
||||
$mapper->bExceptionOnMissingData = true;
|
||||
$mapper->bExceptionOnUndefinedProperty = true;
|
||||
$mapper->bStrictObjectTypeChecking = true;
|
||||
$mapper->bEnforceMapType = false;
|
||||
|
||||
try{
|
||||
/** @var SelfSignedJwtHeader $headers */
|
||||
$headers = $mapper->map($headersArray, new SelfSignedJwtHeader());
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
throw new VerifyLoginException("Invalid JWT header: " . $e->getMessage(), null, 0, $e);
|
||||
}
|
||||
|
||||
$headerDerKey = base64_decode($headers->x5u, true);
|
||||
if($headerDerKey === false){
|
||||
throw new VerifyLoginException("Invalid JWT public key: base64 decoding error decoding x5u");
|
||||
}
|
||||
if($expectedKeyDer !== null && $headerDerKey !== $expectedKeyDer){
|
||||
//Fast path: if the header key doesn't match what we expected, the signature isn't going to validate anyway
|
||||
throw new VerifyLoginException("Invalid JWT signature", KnownTranslationFactory::pocketmine_disconnect_invalidSession_badSignature());
|
||||
}
|
||||
|
||||
try{
|
||||
if(!JwtUtils::verify($jwt, $headerDerKey, ec: true)){
|
||||
throw new VerifyLoginException("Invalid JWT signature", KnownTranslationFactory::pocketmine_disconnect_invalidSession_badSignature());
|
||||
}
|
||||
}catch(JwtException $e){
|
||||
throw new VerifyLoginException($e->getMessage(), null, 0, $e);
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1,164 +0,0 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
*
|
||||
* ____ _ _ __ __ _ __ __ ____
|
||||
* | _ \ ___ ___| | _____| |_| \/ (_)_ __ ___ | \/ | _ \
|
||||
* | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
|
||||
* | __/ (_) | (__| < __/ |_| | | | | | | | __/_____| | | | __/
|
||||
* |_| \___/ \___|_|\_\___|\__|_| |_|_|_| |_|\___| |_| |_|_|
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* @author PocketMine Team
|
||||
* @link http://www.pocketmine.net/
|
||||
*
|
||||
*
|
||||
*/
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace pocketmine\network\mcpe\auth;
|
||||
|
||||
use pocketmine\network\mcpe\JwtException;
|
||||
use pocketmine\network\mcpe\JwtUtils;
|
||||
use pocketmine\network\mcpe\protocol\types\login\openid\api\AuthServiceKey;
|
||||
use pocketmine\promise\Promise;
|
||||
use pocketmine\promise\PromiseResolver;
|
||||
use pocketmine\scheduler\AsyncPool;
|
||||
use pocketmine\utils\AssumptionFailedError;
|
||||
use function array_keys;
|
||||
use function count;
|
||||
use function implode;
|
||||
use function time;
|
||||
|
||||
class AuthKeyProvider{
|
||||
private const ALLOWED_REFRESH_INTERVAL = 30 * 60; // 30 minutes
|
||||
|
||||
private ?AuthKeyring $keyring = null;
|
||||
|
||||
/** @phpstan-var PromiseResolver<AuthKeyring> */
|
||||
private ?PromiseResolver $resolver = null;
|
||||
|
||||
private int $lastFetch = 0;
|
||||
|
||||
public function __construct(
|
||||
private readonly \Logger $logger,
|
||||
private readonly AsyncPool $asyncPool,
|
||||
private readonly int $keyRefreshIntervalSeconds = self::ALLOWED_REFRESH_INTERVAL
|
||||
){}
|
||||
|
||||
/**
|
||||
* Fetches the key for the given key ID.
|
||||
* The promise will be resolved with an array of [issuer, pemPublicKey].
|
||||
*
|
||||
* @phpstan-return Promise<array{string, string}>
|
||||
*/
|
||||
public function getKey(string $keyId) : Promise{
|
||||
/** @phpstan-var PromiseResolver<array{string, string}> $resolver */
|
||||
$resolver = new PromiseResolver();
|
||||
|
||||
if(
|
||||
$this->keyring === null || //we haven't fetched keys yet
|
||||
($this->keyring->getKey($keyId) === null && $this->lastFetch < time() - $this->keyRefreshIntervalSeconds) //we don't recognise this one & keys might be outdated
|
||||
){
|
||||
//only refresh keys when we see one we don't recognise
|
||||
$this->fetchKeys()->onCompletion(
|
||||
onSuccess: fn(AuthKeyring $newKeyring) => $this->resolveKey($resolver, $newKeyring, $keyId),
|
||||
onFailure: $resolver->reject(...)
|
||||
);
|
||||
}else{
|
||||
$this->resolveKey($resolver, $this->keyring, $keyId);
|
||||
}
|
||||
|
||||
return $resolver->getPromise();
|
||||
}
|
||||
|
||||
/**
|
||||
* @phpstan-param PromiseResolver<array{string, string}> $resolver
|
||||
*/
|
||||
private function resolveKey(PromiseResolver $resolver, AuthKeyring $keyring, string $keyId) : void{
|
||||
$key = $keyring->getKey($keyId);
|
||||
if($key === null){
|
||||
$this->logger->debug("Key $keyId not recognised!");
|
||||
$resolver->reject();
|
||||
return;
|
||||
}
|
||||
|
||||
$this->logger->debug("Key $keyId found in keychain");
|
||||
$resolver->resolve([$keyring->getIssuer(), $key]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @phpstan-param array<string, AuthServiceKey>|null $keys
|
||||
* @phpstan-param string[]|null $errors
|
||||
*/
|
||||
private function onKeysFetched(?array $keys, string $issuer, ?array $errors) : void{
|
||||
$resolver = $this->resolver;
|
||||
if($resolver === null){
|
||||
throw new AssumptionFailedError("Not expecting this to be called without a resolver present");
|
||||
}
|
||||
if($errors !== null){
|
||||
$this->logger->error("The following errors occurred while fetching new keys:\n\t- " . implode("\n\t-", $errors));
|
||||
//we might've still succeeded in fetching keys even if there were errors, so don't return
|
||||
}
|
||||
|
||||
if($keys === null){
|
||||
$this->logger->critical("Failed to fetch authentication keys from Mojang's API. Xbox players may not be able to authenticate!");
|
||||
$resolver->reject();
|
||||
}else{
|
||||
$pemKeys = [];
|
||||
foreach($keys as $keyModel){
|
||||
if($keyModel->use !== "sig" || $keyModel->kty !== "RSA"){
|
||||
$this->logger->error("Key ID $keyModel->kid doesn't have the expected properties: expected use=sig, kty=RSA, got use=$keyModel->use, kty=$keyModel->kty");
|
||||
continue;
|
||||
}
|
||||
$derKey = JwtUtils::rsaPublicKeyModExpToDer($keyModel->n, $keyModel->e);
|
||||
|
||||
//make sure the key is valid
|
||||
try{
|
||||
JwtUtils::parseDerPublicKey($derKey);
|
||||
}catch(JwtException $e){
|
||||
$this->logger->error("Failed to parse RSA public key for key ID $keyModel->kid: " . $e->getMessage());
|
||||
$this->logger->logException($e);
|
||||
continue;
|
||||
}
|
||||
|
||||
//retain PEM keys instead of OpenSSLAsymmetricKey since these are easier and cheaper to copy between threads
|
||||
$pemKeys[$keyModel->kid] = $derKey;
|
||||
}
|
||||
|
||||
if(count($keys) === 0){
|
||||
$this->logger->critical("No valid authentication keys returned by Mojang's API. Xbox players may not be able to authenticate!");
|
||||
$resolver->reject();
|
||||
}else{
|
||||
$this->logger->info("Successfully fetched " . count($keys) . " new authentication keys from issuer $issuer, key IDs: " . implode(", ", array_keys($pemKeys)));
|
||||
$this->keyring = new AuthKeyring($issuer, $pemKeys);
|
||||
$this->lastFetch = time();
|
||||
$resolver->resolve($this->keyring);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @phpstan-return Promise<AuthKeyring>
|
||||
*/
|
||||
private function fetchKeys() : Promise{
|
||||
if($this->resolver !== null){
|
||||
$this->logger->debug("Key refresh was requested, but it's already in progress");
|
||||
return $this->resolver->getPromise();
|
||||
}
|
||||
|
||||
$this->logger->notice("Fetching new authentication keys");
|
||||
|
||||
/** @phpstan-var PromiseResolver<AuthKeyring> $resolver */
|
||||
$resolver = new PromiseResolver();
|
||||
$this->resolver = $resolver;
|
||||
//TODO: extract this so it can be polyfilled for unit testing
|
||||
$this->asyncPool->submitTask(new FetchAuthKeysTask($this->onKeysFetched(...)));
|
||||
return $this->resolver->getPromise();
|
||||
}
|
||||
}
|
||||
@ -1,45 +0,0 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
*
|
||||
* ____ _ _ __ __ _ __ __ ____
|
||||
* | _ \ ___ ___| | _____| |_| \/ (_)_ __ ___ | \/ | _ \
|
||||
* | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
|
||||
* | __/ (_) | (__| < __/ |_| | | | | | | | __/_____| | | | __/
|
||||
* |_| \___/ \___|_|\_\___|\__|_| |_|_|_| |_|\___| |_| |_|_|
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* @author PocketMine Team
|
||||
* @link http://www.pocketmine.net/
|
||||
*
|
||||
*
|
||||
*/
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace pocketmine\network\mcpe\auth;
|
||||
|
||||
final class AuthKeyring{
|
||||
|
||||
/**
|
||||
* @param string[] $keys
|
||||
* @phpstan-param array<string, string> $keys
|
||||
*/
|
||||
public function __construct(
|
||||
private string $issuer,
|
||||
private array $keys
|
||||
){}
|
||||
|
||||
public function getIssuer() : string{ return $this->issuer; }
|
||||
|
||||
/**
|
||||
* Returns a (raw) DER public key associated with the given key ID
|
||||
*/
|
||||
public function getKey(string $keyId) : ?string{
|
||||
return $this->keys[$keyId] ?? null;
|
||||
}
|
||||
}
|
||||
@ -1,209 +0,0 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
*
|
||||
* ____ _ _ __ __ _ __ __ ____
|
||||
* | _ \ ___ ___| | _____| |_| \/ (_)_ __ ___ | \/ | _ \
|
||||
* | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
|
||||
* | __/ (_) | (__| < __/ |_| | | | | | | | __/_____| | | | __/
|
||||
* |_| \___/ \___|_|\_\___|\__|_| |_|_|_| |_|\___| |_| |_|_|
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* @author PocketMine Team
|
||||
* @link http://www.pocketmine.net/
|
||||
*
|
||||
*
|
||||
*/
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace pocketmine\network\mcpe\auth;
|
||||
|
||||
use pocketmine\network\mcpe\protocol\ProtocolInfo;
|
||||
use pocketmine\network\mcpe\protocol\types\login\openid\api\AuthServiceKey;
|
||||
use pocketmine\network\mcpe\protocol\types\login\openid\api\AuthServiceOpenIdConfiguration;
|
||||
use pocketmine\network\mcpe\protocol\types\login\openid\api\MinecraftServicesDiscovery;
|
||||
use pocketmine\scheduler\AsyncTask;
|
||||
use pocketmine\thread\NonThreadSafeValue;
|
||||
use pocketmine\utils\Internet;
|
||||
use function gettype;
|
||||
use function is_array;
|
||||
use function is_object;
|
||||
use function json_decode;
|
||||
use const JSON_THROW_ON_ERROR;
|
||||
|
||||
class FetchAuthKeysTask extends AsyncTask{
|
||||
private const KEYS_ON_COMPLETION = "completion";
|
||||
|
||||
private const MINECRAFT_SERVICES_DISCOVERY_URL = "https://client.discovery.minecraft-services.net/api/v1.0/discovery/MinecraftPE/builds/" . ProtocolInfo::MINECRAFT_VERSION_NETWORK;
|
||||
private const AUTHORIZATION_SERVICE_URI_FALLBACK = "https://authorization.franchise.minecraft-services.net";
|
||||
private const AUTHORIZATION_SERVICE_OPENID_CONFIGURATION_PATH = "/.well-known/openid-configuration";
|
||||
private const AUTHORIZATION_SERVICE_KEYS_PATH = "/.well-known/keys";
|
||||
|
||||
/** @phpstan-var ?NonThreadSafeValue<array<string, AuthServiceKey>> */
|
||||
private ?NonThreadSafeValue $keys = null;
|
||||
private string $issuer;
|
||||
|
||||
/** @phpstan-var ?NonThreadSafeValue<non-empty-array<string>> */
|
||||
private ?NonThreadSafeValue $errors = null;
|
||||
|
||||
/**
|
||||
* @phpstan-param \Closure(?array<string, AuthServiceKey> $keys, string $issuer, ?string[] $errors) : void $onCompletion
|
||||
*/
|
||||
public function __construct(
|
||||
\Closure $onCompletion
|
||||
){
|
||||
$this->storeLocal(self::KEYS_ON_COMPLETION, $onCompletion);
|
||||
}
|
||||
|
||||
public function onRun() : void{
|
||||
/** @var string[] $errors */
|
||||
$errors = [];
|
||||
|
||||
try{
|
||||
$authServiceUri = $this->getAuthServiceURI();
|
||||
}catch(\RuntimeException $e){
|
||||
$errors[] = $e->getMessage();
|
||||
$authServiceUri = self::AUTHORIZATION_SERVICE_URI_FALLBACK;
|
||||
}
|
||||
|
||||
try {
|
||||
$openIdConfig = $this->getOpenIdConfiguration($authServiceUri);
|
||||
$jwksUri = $openIdConfig->jwks_uri;
|
||||
|
||||
$this->issuer = $openIdConfig->issuer;
|
||||
} catch (\RuntimeException $e) {
|
||||
$errors[] = $e->getMessage();
|
||||
$jwksUri = $authServiceUri . self::AUTHORIZATION_SERVICE_KEYS_PATH;
|
||||
|
||||
$this->issuer = $authServiceUri;
|
||||
}
|
||||
|
||||
try{
|
||||
$this->keys = new NonThreadSafeValue($this->getKeys($jwksUri));
|
||||
}catch(\RuntimeException $e){
|
||||
$errors[] = $e->getMessage();
|
||||
}
|
||||
|
||||
$this->errors = $errors === [] ? null : new NonThreadSafeValue($errors);
|
||||
}
|
||||
|
||||
private function getAuthServiceURI() : string{
|
||||
$result = Internet::getURL(self::MINECRAFT_SERVICES_DISCOVERY_URL);
|
||||
if($result === null || $result->getCode() !== 200){
|
||||
throw new \RuntimeException("Failed to fetch Minecraft services discovery document");
|
||||
}
|
||||
|
||||
try{
|
||||
$json = json_decode($result->getBody(), false, flags: JSON_THROW_ON_ERROR);
|
||||
}catch(\JsonException $e){
|
||||
throw new \RuntimeException($e->getMessage(), 0, $e);
|
||||
}
|
||||
if(!is_object($json)){
|
||||
throw new \RuntimeException("Unexpected root type of schema file " . gettype($json) . ", expected object");
|
||||
}
|
||||
|
||||
$mapper = new \JsonMapper();
|
||||
$mapper->bExceptionOnUndefinedProperty = false; //we only care about the properties we're using in this case
|
||||
$mapper->bExceptionOnMissingData = true;
|
||||
$mapper->bStrictObjectTypeChecking = true;
|
||||
$mapper->bEnforceMapType = false;
|
||||
$mapper->bRemoveUndefinedAttributes = true;
|
||||
try{
|
||||
/** @var MinecraftServicesDiscovery $discovery */
|
||||
$discovery = $mapper->map($json, new MinecraftServicesDiscovery());
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
throw new \RuntimeException("Invalid schema file: " . $e->getMessage(), 0, $e);
|
||||
}
|
||||
|
||||
return $discovery->result->serviceEnvironments->auth->prod->serviceUri;
|
||||
}
|
||||
|
||||
private function getOpenIdConfiguration(string $authServiceUri) : AuthServiceOpenIdConfiguration{
|
||||
$result = Internet::getURL($authServiceUri . self::AUTHORIZATION_SERVICE_OPENID_CONFIGURATION_PATH);
|
||||
if($result === null || $result->getCode() !== 200){
|
||||
throw new \RuntimeException("Failed to fetch OpenID configuration from authorization service");
|
||||
}
|
||||
|
||||
try{
|
||||
$json = json_decode($result->getBody(), false, flags: JSON_THROW_ON_ERROR);
|
||||
}catch(\JsonException $e){
|
||||
throw new \RuntimeException($e->getMessage(), 0, $e);
|
||||
}
|
||||
if(!is_object($json)){
|
||||
throw new \RuntimeException("Unexpected root type of schema file " . gettype($json) . ", expected object");
|
||||
}
|
||||
|
||||
$mapper = new \JsonMapper();
|
||||
$mapper->bExceptionOnUndefinedProperty = false; //we only care about the properties we're using in this case
|
||||
$mapper->bExceptionOnMissingData = true;
|
||||
$mapper->bStrictObjectTypeChecking = true;
|
||||
$mapper->bEnforceMapType = false;
|
||||
$mapper->bRemoveUndefinedAttributes = true;
|
||||
try{
|
||||
/** @var AuthServiceOpenIdConfiguration $configuration */
|
||||
$configuration = $mapper->map($json, new AuthServiceOpenIdConfiguration());
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
throw new \RuntimeException("Invalid schema file: " . $e->getMessage(), 0, $e);
|
||||
}
|
||||
|
||||
return $configuration;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, AuthServiceKey> keys indexed by key ID
|
||||
*/
|
||||
private function getKeys(string $jwksUri) : array{
|
||||
$result = Internet::getURL($jwksUri);
|
||||
if($result === null || $result->getCode() !== 200){
|
||||
return throw new \RuntimeException("Failed to fetch keys from authorization service");
|
||||
}
|
||||
|
||||
try{
|
||||
$json = json_decode($result->getBody(), true, flags: JSON_THROW_ON_ERROR);
|
||||
}catch(\JsonException $e){
|
||||
throw new \RuntimeException($e->getMessage(), 0, $e);
|
||||
}
|
||||
|
||||
if(!is_array($json) || !isset($json["keys"]) || !is_array($keysArray = $json["keys"])){
|
||||
throw new \RuntimeException("Unexpected root type of schema file " . gettype($json) . ", expected object");
|
||||
}
|
||||
|
||||
$mapper = new \JsonMapper();
|
||||
$mapper->bExceptionOnUndefinedProperty = true;
|
||||
$mapper->bExceptionOnMissingData = true;
|
||||
$mapper->bStrictObjectTypeChecking = true;
|
||||
$mapper->bEnforceMapType = false;
|
||||
$mapper->bRemoveUndefinedAttributes = true;
|
||||
|
||||
$keys = [];
|
||||
foreach($keysArray as $keyJson){
|
||||
if(!is_array($keyJson)){
|
||||
throw new \RuntimeException("Unexpected key type in schema file: " . gettype($keyJson) . ", expected object");
|
||||
}
|
||||
|
||||
try{
|
||||
/** @var AuthServiceKey $key */
|
||||
$key = $mapper->map($keyJson, new AuthServiceKey());
|
||||
$keys[$key->kid] = $key;
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
throw new \RuntimeException("Invalid schema file: " . $e->getMessage(), 0, $e);
|
||||
}
|
||||
}
|
||||
|
||||
return $keys;
|
||||
}
|
||||
|
||||
public function onCompletion() : void{
|
||||
/**
|
||||
* @var \Closure $callback
|
||||
* @phpstan-var \Closure(?AuthServiceKey[] $keys, string $issuer, ?string[] $errors) : void $callback
|
||||
*/
|
||||
$callback = $this->fetchLocal(self::KEYS_ON_COMPLETION);
|
||||
$callback($this->keys?->deserialize(), $this->issuer, $this->errors?->deserialize());
|
||||
}
|
||||
}
|
||||
@ -1,121 +0,0 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
*
|
||||
* ____ _ _ __ __ _ __ __ ____
|
||||
* | _ \ ___ ___| | _____| |_| \/ (_)_ __ ___ | \/ | _ \
|
||||
* | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
|
||||
* | __/ (_) | (__| < __/ |_| | | | | | | | __/_____| | | | __/
|
||||
* |_| \___/ \___|_|\_\___|\__|_| |_|_|_| |_|\___| |_| |_|_|
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* @author PocketMine Team
|
||||
* @link http://www.pocketmine.net/
|
||||
*
|
||||
*
|
||||
*/
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace pocketmine\network\mcpe\auth;
|
||||
|
||||
use pocketmine\lang\KnownTranslationFactory;
|
||||
use pocketmine\lang\Translatable;
|
||||
use pocketmine\scheduler\AsyncTask;
|
||||
use pocketmine\thread\NonThreadSafeValue;
|
||||
use pocketmine\utils\AssumptionFailedError;
|
||||
use function base64_decode;
|
||||
use function igbinary_serialize;
|
||||
use function igbinary_unserialize;
|
||||
|
||||
class ProcessLegacyLoginTask extends AsyncTask{
|
||||
private const TLS_KEY_ON_COMPLETION = "completion";
|
||||
|
||||
/**
|
||||
* New Mojang root auth key. Mojang notified third-party developers of this change prior to the release of 1.20.0.
|
||||
* Expectations were that this would be used starting a "couple of weeks" after the release, but as of 2023-07-01,
|
||||
* it has not yet been deployed.
|
||||
*/
|
||||
public const LEGACY_MOJANG_ROOT_PUBLIC_KEY = "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAECRXueJeTDqNRRgJi/vlRufByu/2G0i2Ebt6YMar5QX/R0DIIyrJMcUpruK4QveTfJSTp3Shlq4Gk34cD/4GUWwkv0DVuzeuB+tXija7HBxii03NHDbPAD0AKnLr2wdAp";
|
||||
|
||||
private string $chain;
|
||||
|
||||
/**
|
||||
* Whether the keychain signatures were validated correctly. This will be set to an error message if any link in the
|
||||
* keychain is invalid for whatever reason (bad signature, not in nbf-exp window, etc). If this is non-null, the
|
||||
* keychain might have been tampered with. The player will always be disconnected if this is non-null.
|
||||
*
|
||||
* @phpstan-var NonThreadSafeValue<Translatable>|string|null
|
||||
*/
|
||||
private NonThreadSafeValue|string|null $error = "Unknown";
|
||||
/** Whether the player has a certificate chain link signed by the given root public key. */
|
||||
private bool $authenticated = false;
|
||||
private ?string $clientPublicKeyDer = null;
|
||||
|
||||
/**
|
||||
* @param string[] $chainJwts
|
||||
* @phpstan-param \Closure(bool $isAuthenticated, bool $authRequired, Translatable|string|null $error, ?string $clientPublicKey) : void $onCompletion
|
||||
*/
|
||||
public function __construct(
|
||||
array $chainJwts,
|
||||
private string $clientDataJwt,
|
||||
private ?string $rootAuthKeyDer,
|
||||
private bool $authRequired,
|
||||
\Closure $onCompletion
|
||||
){
|
||||
$this->storeLocal(self::TLS_KEY_ON_COMPLETION, $onCompletion);
|
||||
$this->chain = igbinary_serialize($chainJwts) ?? throw new AssumptionFailedError("This should never fail");
|
||||
}
|
||||
|
||||
public function onRun() : void{
|
||||
try{
|
||||
$this->clientPublicKeyDer = $this->validateChain();
|
||||
AuthJwtHelper::validateSelfSignedToken($this->clientDataJwt, $this->clientPublicKeyDer);
|
||||
$this->error = null;
|
||||
}catch(VerifyLoginException $e){
|
||||
$disconnectMessage = $e->getDisconnectMessage();
|
||||
$this->error = $disconnectMessage instanceof Translatable ? new NonThreadSafeValue($disconnectMessage) : $disconnectMessage;
|
||||
}
|
||||
}
|
||||
|
||||
private function validateChain() : string{
|
||||
/** @var string[] $chain */
|
||||
$chain = igbinary_unserialize($this->chain);
|
||||
|
||||
$identityPublicKeyDer = null;
|
||||
|
||||
foreach($chain as $jwt){
|
||||
$claims = AuthJwtHelper::validateLegacyAuthToken($jwt, $identityPublicKeyDer);
|
||||
if($this->rootAuthKeyDer !== null && $identityPublicKeyDer === $this->rootAuthKeyDer){
|
||||
$this->authenticated = true; //we're signed into xbox live, according to this root key
|
||||
}
|
||||
if(!isset($claims->identityPublicKey)){
|
||||
throw new VerifyLoginException("Missing identityPublicKey in chain link", KnownTranslationFactory::pocketmine_disconnect_invalidSession_missingKey());
|
||||
}
|
||||
$identityPublicKey = base64_decode($claims->identityPublicKey, true);
|
||||
if($identityPublicKey === false){
|
||||
throw new VerifyLoginException("Invalid identityPublicKey: base64 error decoding");
|
||||
}
|
||||
$identityPublicKeyDer = $identityPublicKey;
|
||||
}
|
||||
|
||||
if($identityPublicKeyDer === null){
|
||||
throw new VerifyLoginException("No authentication chain links provided");
|
||||
}
|
||||
|
||||
return $identityPublicKeyDer;
|
||||
}
|
||||
|
||||
public function onCompletion() : void{
|
||||
/**
|
||||
* @var \Closure $callback
|
||||
* @phpstan-var \Closure(bool, bool, Translatable|string|null, ?string) : void $callback
|
||||
*/
|
||||
$callback = $this->fetchLocal(self::TLS_KEY_ON_COMPLETION);
|
||||
$callback($this->authenticated, $this->authRequired, $this->error instanceof NonThreadSafeValue ? $this->error->deserialize() : $this->error, $this->clientPublicKeyDer);
|
||||
}
|
||||
}
|
||||
213
src/network/mcpe/auth/ProcessLoginTask.php
Normal file
213
src/network/mcpe/auth/ProcessLoginTask.php
Normal file
@ -0,0 +1,213 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
*
|
||||
* ____ _ _ __ __ _ __ __ ____
|
||||
* | _ \ ___ ___| | _____| |_| \/ (_)_ __ ___ | \/ | _ \
|
||||
* | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
|
||||
* | __/ (_) | (__| < __/ |_| | | | | | | | __/_____| | | | __/
|
||||
* |_| \___/ \___|_|\_\___|\__|_| |_|_|_| |_|\___| |_| |_|_|
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* @author PocketMine Team
|
||||
* @link http://www.pocketmine.net/
|
||||
*
|
||||
*
|
||||
*/
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace pocketmine\network\mcpe\auth;
|
||||
|
||||
use pocketmine\lang\KnownTranslationFactory;
|
||||
use pocketmine\lang\Translatable;
|
||||
use pocketmine\network\mcpe\JwtException;
|
||||
use pocketmine\network\mcpe\JwtUtils;
|
||||
use pocketmine\network\mcpe\protocol\types\login\JwtChainLinkBody;
|
||||
use pocketmine\network\mcpe\protocol\types\login\JwtHeader;
|
||||
use pocketmine\scheduler\AsyncTask;
|
||||
use pocketmine\thread\NonThreadSafeValue;
|
||||
use function base64_decode;
|
||||
use function igbinary_serialize;
|
||||
use function igbinary_unserialize;
|
||||
use function time;
|
||||
|
||||
class ProcessLoginTask extends AsyncTask{
|
||||
private const TLS_KEY_ON_COMPLETION = "completion";
|
||||
|
||||
/**
|
||||
* New Mojang root auth key. Mojang notified third-party developers of this change prior to the release of 1.20.0.
|
||||
* Expectations were that this would be used starting a "couple of weeks" after the release, but as of 2023-07-01,
|
||||
* it has not yet been deployed.
|
||||
*/
|
||||
public const MOJANG_ROOT_PUBLIC_KEY = "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAECRXueJeTDqNRRgJi/vlRufByu/2G0i2Ebt6YMar5QX/R0DIIyrJMcUpruK4QveTfJSTp3Shlq4Gk34cD/4GUWwkv0DVuzeuB+tXija7HBxii03NHDbPAD0AKnLr2wdAp";
|
||||
|
||||
private const CLOCK_DRIFT_MAX = 60;
|
||||
|
||||
private string $chain;
|
||||
|
||||
/**
|
||||
* Whether the keychain signatures were validated correctly. This will be set to an error message if any link in the
|
||||
* keychain is invalid for whatever reason (bad signature, not in nbf-exp window, etc). If this is non-null, the
|
||||
* keychain might have been tampered with. The player will always be disconnected if this is non-null.
|
||||
*
|
||||
* @phpstan-var NonThreadSafeValue<Translatable>|string|null
|
||||
*/
|
||||
private NonThreadSafeValue|string|null $error = "Unknown";
|
||||
/**
|
||||
* Whether the player is logged into Xbox Live. This is true if any link in the keychain is signed with the Mojang
|
||||
* root public key.
|
||||
*/
|
||||
private bool $authenticated = false;
|
||||
private ?string $clientPublicKey = null;
|
||||
|
||||
/**
|
||||
* @param string[] $chainJwts
|
||||
* @phpstan-param \Closure(bool $isAuthenticated, bool $authRequired, Translatable|string|null $error, ?string $clientPublicKey) : void $onCompletion
|
||||
*/
|
||||
public function __construct(
|
||||
array $chainJwts,
|
||||
private string $clientDataJwt,
|
||||
private bool $authRequired,
|
||||
\Closure $onCompletion
|
||||
){
|
||||
$this->storeLocal(self::TLS_KEY_ON_COMPLETION, $onCompletion);
|
||||
$this->chain = igbinary_serialize($chainJwts);
|
||||
}
|
||||
|
||||
public function onRun() : void{
|
||||
try{
|
||||
$this->clientPublicKey = $this->validateChain();
|
||||
$this->error = null;
|
||||
}catch(VerifyLoginException $e){
|
||||
$disconnectMessage = $e->getDisconnectMessage();
|
||||
$this->error = $disconnectMessage instanceof Translatable ? new NonThreadSafeValue($disconnectMessage) : $disconnectMessage;
|
||||
}
|
||||
}
|
||||
|
||||
private function validateChain() : string{
|
||||
/** @var string[] $chain */
|
||||
$chain = igbinary_unserialize($this->chain);
|
||||
|
||||
$currentKey = null;
|
||||
$first = true;
|
||||
|
||||
foreach($chain as $jwt){
|
||||
$this->validateToken($jwt, $currentKey, $first);
|
||||
if($first){
|
||||
$first = false;
|
||||
}
|
||||
}
|
||||
|
||||
/** @var string $clientKey */
|
||||
$clientKey = $currentKey;
|
||||
|
||||
$this->validateToken($this->clientDataJwt, $currentKey);
|
||||
|
||||
return $clientKey;
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws VerifyLoginException if errors are encountered
|
||||
*/
|
||||
private function validateToken(string $jwt, ?string &$currentPublicKey, bool $first = false) : void{
|
||||
try{
|
||||
[$headersArray, $claimsArray, ] = JwtUtils::parse($jwt);
|
||||
}catch(JwtException $e){
|
||||
throw new VerifyLoginException("Failed to parse JWT: " . $e->getMessage(), null, 0, $e);
|
||||
}
|
||||
|
||||
$mapper = new \JsonMapper();
|
||||
$mapper->bExceptionOnMissingData = true;
|
||||
$mapper->bExceptionOnUndefinedProperty = true;
|
||||
$mapper->bStrictObjectTypeChecking = true;
|
||||
$mapper->bEnforceMapType = false;
|
||||
|
||||
try{
|
||||
/** @var JwtHeader $headers */
|
||||
$headers = $mapper->map($headersArray, new JwtHeader());
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
throw new VerifyLoginException("Invalid JWT header: " . $e->getMessage(), null, 0, $e);
|
||||
}
|
||||
|
||||
$headerDerKey = base64_decode($headers->x5u, true);
|
||||
if($headerDerKey === false){
|
||||
throw new VerifyLoginException("Invalid JWT public key: base64 decoding error decoding x5u");
|
||||
}
|
||||
|
||||
if($currentPublicKey === null){
|
||||
if(!$first){
|
||||
throw new VerifyLoginException("Missing JWT public key", KnownTranslationFactory::pocketmine_disconnect_invalidSession_missingKey());
|
||||
}
|
||||
}elseif($headerDerKey !== $currentPublicKey){
|
||||
//Fast path: if the header key doesn't match what we expected, the signature isn't going to validate anyway
|
||||
throw new VerifyLoginException("Invalid JWT signature", KnownTranslationFactory::pocketmine_disconnect_invalidSession_badSignature());
|
||||
}
|
||||
|
||||
try{
|
||||
$signingKeyOpenSSL = JwtUtils::parseDerPublicKey($headerDerKey);
|
||||
}catch(JwtException $e){
|
||||
throw new VerifyLoginException("Invalid JWT public key: " . $e->getMessage(), null, 0, $e);
|
||||
}
|
||||
try{
|
||||
if(!JwtUtils::verify($jwt, $signingKeyOpenSSL)){
|
||||
throw new VerifyLoginException("Invalid JWT signature", KnownTranslationFactory::pocketmine_disconnect_invalidSession_badSignature());
|
||||
}
|
||||
}catch(JwtException $e){
|
||||
throw new VerifyLoginException($e->getMessage(), null, 0, $e);
|
||||
}
|
||||
|
||||
if($headers->x5u === self::MOJANG_ROOT_PUBLIC_KEY){
|
||||
$this->authenticated = true; //we're signed into xbox live
|
||||
}
|
||||
|
||||
$mapper = new \JsonMapper();
|
||||
$mapper->bExceptionOnUndefinedProperty = false; //we only care about the properties we're using in this case
|
||||
$mapper->bExceptionOnMissingData = true;
|
||||
$mapper->bStrictObjectTypeChecking = true;
|
||||
$mapper->bEnforceMapType = false;
|
||||
$mapper->bRemoveUndefinedAttributes = true;
|
||||
try{
|
||||
/** @var JwtChainLinkBody $claims */
|
||||
$claims = $mapper->map($claimsArray, new JwtChainLinkBody());
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
throw new VerifyLoginException("Invalid chain link body: " . $e->getMessage(), null, 0, $e);
|
||||
}
|
||||
|
||||
$time = time();
|
||||
if(isset($claims->nbf) && $claims->nbf > $time + self::CLOCK_DRIFT_MAX){
|
||||
throw new VerifyLoginException("JWT not yet valid", KnownTranslationFactory::pocketmine_disconnect_invalidSession_tooEarly());
|
||||
}
|
||||
|
||||
if(isset($claims->exp) && $claims->exp < $time - self::CLOCK_DRIFT_MAX){
|
||||
throw new VerifyLoginException("JWT expired", KnownTranslationFactory::pocketmine_disconnect_invalidSession_tooLate());
|
||||
}
|
||||
|
||||
if(isset($claims->identityPublicKey)){
|
||||
$identityPublicKey = base64_decode($claims->identityPublicKey, true);
|
||||
if($identityPublicKey === false){
|
||||
throw new VerifyLoginException("Invalid identityPublicKey: base64 error decoding");
|
||||
}
|
||||
try{
|
||||
//verify key format and parameters
|
||||
JwtUtils::parseDerPublicKey($identityPublicKey);
|
||||
}catch(JwtException $e){
|
||||
throw new VerifyLoginException("Invalid identityPublicKey: " . $e->getMessage(), null, 0, $e);
|
||||
}
|
||||
$currentPublicKey = $identityPublicKey; //if there are further links, the next link should be signed with this
|
||||
}
|
||||
}
|
||||
|
||||
public function onCompletion() : void{
|
||||
/**
|
||||
* @var \Closure $callback
|
||||
* @phpstan-var \Closure(bool, bool, Translatable|string|null, ?string) : void $callback
|
||||
*/
|
||||
$callback = $this->fetchLocal(self::TLS_KEY_ON_COMPLETION);
|
||||
$callback($this->authenticated, $this->authRequired, $this->error instanceof NonThreadSafeValue ? $this->error->deserialize() : $this->error, $this->clientPublicKey);
|
||||
}
|
||||
}
|
||||
@ -1,98 +0,0 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
*
|
||||
* ____ _ _ __ __ _ __ __ ____
|
||||
* | _ \ ___ ___| | _____| |_| \/ (_)_ __ ___ | \/ | _ \
|
||||
* | |_) / _ \ / __| |/ / _ \ __| |\/| | | '_ \ / _ \_____| |\/| | |_) |
|
||||
* | __/ (_) | (__| < __/ |_| | | | | | | | __/_____| | | | __/
|
||||
* |_| \___/ \___|_|\_\___|\__|_| |_|_|_| |_|\___| |_| |_|_|
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Lesser General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* @author PocketMine Team
|
||||
* @link http://www.pocketmine.net/
|
||||
*
|
||||
*
|
||||
*/
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace pocketmine\network\mcpe\auth;
|
||||
|
||||
use pocketmine\lang\Translatable;
|
||||
use pocketmine\scheduler\AsyncTask;
|
||||
use pocketmine\thread\NonThreadSafeValue;
|
||||
use function base64_decode;
|
||||
|
||||
class ProcessOpenIdLoginTask extends AsyncTask{
|
||||
private const TLS_KEY_ON_COMPLETION = "completion";
|
||||
|
||||
public const MOJANG_AUDIENCE = "api://auth-minecraft-services/multiplayer";
|
||||
|
||||
/**
|
||||
* Whether the keychain signatures were validated correctly. This will be set to an error message if any link in the
|
||||
* keychain is invalid for whatever reason (bad signature, not in nbf-exp window, etc). If this is non-null, the
|
||||
* keychain might have been tampered with. The player will always be disconnected if this is non-null.
|
||||
*
|
||||
* @phpstan-var NonThreadSafeValue<Translatable>|string|null
|
||||
*/
|
||||
private NonThreadSafeValue|string|null $error = "Unknown";
|
||||
/**
|
||||
* Whether the player is logged into Xbox Live. This is true if any link in the keychain is signed with the Mojang
|
||||
* root public key.
|
||||
*/
|
||||
private bool $authenticated = false;
|
||||
private ?string $clientPublicKeyDer = null;
|
||||
|
||||
/**
|
||||
* @phpstan-param \Closure(bool $isAuthenticated, bool $authRequired, Translatable|string|null $error, ?string $clientPublicKey) : void $onCompletion
|
||||
*/
|
||||
public function __construct(
|
||||
private string $jwt,
|
||||
private string $issuer,
|
||||
private string $mojangPublicKeyDer,
|
||||
private string $clientDataJwt,
|
||||
private bool $authRequired,
|
||||
\Closure $onCompletion
|
||||
){
|
||||
$this->storeLocal(self::TLS_KEY_ON_COMPLETION, $onCompletion);
|
||||
}
|
||||
|
||||
public function onRun() : void{
|
||||
try{
|
||||
$this->clientPublicKeyDer = $this->validateChain();
|
||||
$this->error = null;
|
||||
}catch(VerifyLoginException $e){
|
||||
$disconnectMessage = $e->getDisconnectMessage();
|
||||
$this->error = $disconnectMessage instanceof Translatable ? new NonThreadSafeValue($disconnectMessage) : $disconnectMessage;
|
||||
}
|
||||
}
|
||||
|
||||
private function validateChain() : string{
|
||||
$claims = AuthJwtHelper::validateOpenIdAuthToken($this->jwt, $this->mojangPublicKeyDer, issuer: $this->issuer, audience: self::MOJANG_AUDIENCE);
|
||||
//validateToken will throw if the JWT is not valid
|
||||
$this->authenticated = true;
|
||||
|
||||
$clientDerKey = base64_decode($claims->cpk, strict: true);
|
||||
if($clientDerKey === false){
|
||||
throw new VerifyLoginException("Invalid client public key: base64 error decoding");
|
||||
}
|
||||
//no further validation needed - OpenSSL will bail if the key is invalid
|
||||
AuthJwtHelper::validateSelfSignedToken($this->clientDataJwt, $clientDerKey);
|
||||
|
||||
return $clientDerKey;
|
||||
}
|
||||
|
||||
public function onCompletion() : void{
|
||||
/**
|
||||
* @var \Closure $callback
|
||||
* @phpstan-var \Closure(bool, bool, Translatable|string|null, ?string) : void $callback
|
||||
*/
|
||||
$callback = $this->fetchLocal(self::TLS_KEY_ON_COMPLETION);
|
||||
$callback($this->authenticated, $this->authRequired, $this->error instanceof NonThreadSafeValue ? $this->error->deserialize() : $this->error, $this->clientPublicKeyDer);
|
||||
}
|
||||
}
|
||||
@ -27,35 +27,27 @@ use pocketmine\entity\InvalidSkinException;
|
||||
use pocketmine\event\player\PlayerPreLoginEvent;
|
||||
use pocketmine\lang\KnownTranslationFactory;
|
||||
use pocketmine\lang\Translatable;
|
||||
use pocketmine\network\mcpe\auth\ProcessLegacyLoginTask;
|
||||
use pocketmine\network\mcpe\auth\ProcessOpenIdLoginTask;
|
||||
use pocketmine\network\mcpe\auth\ProcessLoginTask;
|
||||
use pocketmine\network\mcpe\JwtException;
|
||||
use pocketmine\network\mcpe\JwtUtils;
|
||||
use pocketmine\network\mcpe\NetworkSession;
|
||||
use pocketmine\network\mcpe\protocol\LoginPacket;
|
||||
use pocketmine\network\mcpe\protocol\types\login\AuthenticationData;
|
||||
use pocketmine\network\mcpe\protocol\types\login\AuthenticationInfo;
|
||||
use pocketmine\network\mcpe\protocol\types\login\AuthenticationType;
|
||||
use pocketmine\network\mcpe\protocol\types\login\clientdata\ClientData;
|
||||
use pocketmine\network\mcpe\protocol\types\login\clientdata\ClientDataToSkinDataHelper;
|
||||
use pocketmine\network\mcpe\protocol\types\login\legacy\LegacyAuthChain;
|
||||
use pocketmine\network\mcpe\protocol\types\login\legacy\LegacyAuthIdentityData;
|
||||
use pocketmine\network\mcpe\protocol\types\login\openid\XboxAuthJwtBody;
|
||||
use pocketmine\network\mcpe\protocol\types\login\openid\XboxAuthJwtHeader;
|
||||
use pocketmine\network\mcpe\protocol\types\login\ClientData;
|
||||
use pocketmine\network\mcpe\protocol\types\login\ClientDataToSkinDataHelper;
|
||||
use pocketmine\network\mcpe\protocol\types\login\JwtChain;
|
||||
use pocketmine\network\PacketHandlingException;
|
||||
use pocketmine\player\Player;
|
||||
use pocketmine\player\PlayerInfo;
|
||||
use pocketmine\player\XboxLivePlayerInfo;
|
||||
use pocketmine\Server;
|
||||
use Ramsey\Uuid\Uuid;
|
||||
use Ramsey\Uuid\UuidInterface;
|
||||
use function chr;
|
||||
use function count;
|
||||
use function gettype;
|
||||
use function is_array;
|
||||
use function is_object;
|
||||
use function json_decode;
|
||||
use function md5;
|
||||
use function ord;
|
||||
use const JSON_THROW_ON_ERROR;
|
||||
|
||||
/**
|
||||
@ -73,95 +65,15 @@ class LoginPacketHandler extends PacketHandler{
|
||||
private \Closure $authCallback
|
||||
){}
|
||||
|
||||
private static function calculateUuidFromXuid(string $xuid) : UuidInterface{
|
||||
$hash = md5("pocket-auth-1-xuid:" . $xuid, binary: true);
|
||||
$hash[6] = chr((ord($hash[6]) & 0x0f) | 0x30); // set version to 3
|
||||
$hash[8] = chr((ord($hash[8]) & 0x3f) | 0x80); // set variant to RFC 4122
|
||||
|
||||
return Uuid::fromBytes($hash);
|
||||
}
|
||||
|
||||
public function handleLogin(LoginPacket $packet) : bool{
|
||||
$authInfo = $this->parseAuthInfo($packet->authInfoJson);
|
||||
$jwtChain = $this->parseJwtChain($authInfo->Certificate);
|
||||
$extraData = $this->fetchAuthData($jwtChain);
|
||||
|
||||
if($authInfo->AuthenticationType === AuthenticationType::FULL->value){
|
||||
try{
|
||||
[$headerArray, $claimsArray,] = JwtUtils::parse($authInfo->Token);
|
||||
}catch(JwtException $e){
|
||||
throw PacketHandlingException::wrap($e, "Error parsing authentication token");
|
||||
}
|
||||
$header = $this->mapXboxTokenHeader($headerArray);
|
||||
$claims = $this->mapXboxTokenBody($claimsArray);
|
||||
|
||||
$legacyUuid = self::calculateUuidFromXuid($claims->xid);
|
||||
$username = $claims->xname;
|
||||
$xuid = $claims->xid;
|
||||
|
||||
$authRequired = $this->processLoginCommon($packet, $username, $legacyUuid, $xuid);
|
||||
if($authRequired === null){
|
||||
//plugin cancelled
|
||||
return true;
|
||||
}
|
||||
$this->processOpenIdLogin($authInfo->Token, $header->kid, $packet->clientDataJwt, $authRequired);
|
||||
|
||||
}elseif($authInfo->AuthenticationType === AuthenticationType::SELF_SIGNED->value){
|
||||
try{
|
||||
$chainData = json_decode($authInfo->Certificate, flags: JSON_THROW_ON_ERROR);
|
||||
}catch(\JsonException $e){
|
||||
throw PacketHandlingException::wrap($e, "Error parsing self-signed certificate chain");
|
||||
}
|
||||
if(!is_object($chainData)){
|
||||
throw new PacketHandlingException("Unexpected type for self-signed certificate chain: " . gettype($chainData) . ", expected object");
|
||||
}
|
||||
try{
|
||||
$chain = $this->defaultJsonMapper()->map($chainData, new LegacyAuthChain());
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
throw PacketHandlingException::wrap($e, "Error mapping self-signed certificate chain");
|
||||
}
|
||||
if(count($chain->chain) > 1 || !isset($chain->chain[0])){
|
||||
throw new PacketHandlingException("Expected exactly one certificate in self-signed certificate chain, got " . count($chain->chain));
|
||||
}
|
||||
|
||||
try{
|
||||
[, $claimsArray, ] = JwtUtils::parse($chain->chain[0]);
|
||||
}catch(JwtException $e){
|
||||
throw PacketHandlingException::wrap($e, "Error parsing self-signed certificate");
|
||||
}
|
||||
if(!isset($claimsArray["extraData"]) || !is_array($claimsArray["extraData"])){
|
||||
throw new PacketHandlingException("Expected \"extraData\" to be present in self-signed certificate");
|
||||
}
|
||||
|
||||
try{
|
||||
$claims = $this->defaultJsonMapper()->map($claimsArray["extraData"], new LegacyAuthIdentityData());
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
throw PacketHandlingException::wrap($e, "Error mapping self-signed certificate extraData");
|
||||
}
|
||||
|
||||
if(!Uuid::isValid($claims->identity)){
|
||||
throw new PacketHandlingException("Invalid UUID string in self-signed certificate: " . $claims->identity);
|
||||
}
|
||||
$legacyUuid = Uuid::fromString($claims->identity);
|
||||
$username = $claims->displayName;
|
||||
$xuid = "";
|
||||
|
||||
$authRequired = $this->processLoginCommon($packet, $username, $legacyUuid, $xuid);
|
||||
if($authRequired === null){
|
||||
//plugin cancelled
|
||||
return true;
|
||||
}
|
||||
$this->processSelfSignedLogin($chain->chain, $packet->clientDataJwt, $authRequired);
|
||||
}else{
|
||||
throw new PacketHandlingException("Unsupported authentication type: $authInfo->AuthenticationType");
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
private function processLoginCommon(LoginPacket $packet, string $username, UuidInterface $legacyUuid, string $xuid) : ?bool{
|
||||
if(!Player::isValidUserName($username)){
|
||||
if(!Player::isValidUserName($extraData->displayName)){
|
||||
$this->session->disconnectWithError(KnownTranslationFactory::disconnectionScreen_invalidName());
|
||||
|
||||
return null;
|
||||
return true;
|
||||
}
|
||||
|
||||
$clientData = $this->parseClientData($packet->clientDataJwt);
|
||||
@ -174,25 +86,32 @@ class LoginPacketHandler extends PacketHandler{
|
||||
disconnectScreenMessage: KnownTranslationFactory::disconnectionScreen_invalidSkin()
|
||||
);
|
||||
|
||||
return null;
|
||||
return true;
|
||||
}
|
||||
|
||||
if($xuid !== ""){
|
||||
if(!Uuid::isValid($extraData->identity)){
|
||||
throw new PacketHandlingException("Invalid login UUID");
|
||||
}
|
||||
$uuid = Uuid::fromString($extraData->identity);
|
||||
$arrClientData = (array) $clientData;
|
||||
$arrClientData["TitleID"] = $extraData->titleId;
|
||||
|
||||
if($extraData->XUID !== ""){
|
||||
$playerInfo = new XboxLivePlayerInfo(
|
||||
$xuid,
|
||||
$username,
|
||||
$legacyUuid,
|
||||
$extraData->XUID,
|
||||
$extraData->displayName,
|
||||
$uuid,
|
||||
$skin,
|
||||
$clientData->LanguageCode,
|
||||
(array) $clientData
|
||||
$arrClientData
|
||||
);
|
||||
}else{
|
||||
$playerInfo = new PlayerInfo(
|
||||
$username,
|
||||
$legacyUuid,
|
||||
$extraData->displayName,
|
||||
$uuid,
|
||||
$skin,
|
||||
$clientData->LanguageCode,
|
||||
(array) $clientData
|
||||
$arrClientData
|
||||
);
|
||||
}
|
||||
($this->playerInfoConsumer)($playerInfo);
|
||||
@ -225,10 +144,12 @@ class LoginPacketHandler extends PacketHandler{
|
||||
$ev->call();
|
||||
if(!$ev->isAllowed()){
|
||||
$this->session->disconnect($ev->getFinalDisconnectReason(), $ev->getFinalDisconnectScreenMessage());
|
||||
return null;
|
||||
return true;
|
||||
}
|
||||
|
||||
return $ev->isAuthRequired();
|
||||
$this->processLogin($authInfo->Token, AuthenticationType::from($authInfo->AuthenticationType), $jwtChain->chain, $packet->clientDataJwt, $ev->isAuthRequired());
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -241,10 +162,13 @@ class LoginPacketHandler extends PacketHandler{
|
||||
throw PacketHandlingException::wrap($e);
|
||||
}
|
||||
if(!is_object($authInfoJson)){
|
||||
throw new PacketHandlingException("Unexpected type for auth info data: " . gettype($authInfoJson) . ", expected object");
|
||||
throw new \RuntimeException("Unexpected type for auth info data: " . gettype($authInfoJson) . ", expected object");
|
||||
}
|
||||
|
||||
$mapper = $this->defaultJsonMapper();
|
||||
$mapper = new \JsonMapper();
|
||||
$mapper->bExceptionOnMissingData = true;
|
||||
$mapper->bExceptionOnUndefinedProperty = true;
|
||||
$mapper->bStrictObjectTypeChecking = true;
|
||||
try{
|
||||
$clientData = $mapper->map($authInfoJson, new AuthenticationInfo());
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
@ -254,31 +178,68 @@ class LoginPacketHandler extends PacketHandler{
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $headerArray
|
||||
* @throws PacketHandlingException
|
||||
*/
|
||||
protected function mapXboxTokenHeader(array $headerArray) : XboxAuthJwtHeader{
|
||||
$mapper = $this->defaultJsonMapper();
|
||||
protected function parseJwtChain(string $chainDataJwt) : JwtChain{
|
||||
try{
|
||||
$header = $mapper->map($headerArray, new XboxAuthJwtHeader());
|
||||
$jwtChainJson = json_decode($chainDataJwt, associative: false, flags: JSON_THROW_ON_ERROR);
|
||||
}catch(\JsonException $e){
|
||||
throw PacketHandlingException::wrap($e);
|
||||
}
|
||||
if(!is_object($jwtChainJson)){
|
||||
throw new \RuntimeException("Unexpected type for JWT chain data: " . gettype($jwtChainJson) . ", expected object");
|
||||
}
|
||||
|
||||
$mapper = new \JsonMapper();
|
||||
$mapper->bExceptionOnMissingData = true;
|
||||
$mapper->bExceptionOnUndefinedProperty = true;
|
||||
$mapper->bStrictObjectTypeChecking = true;
|
||||
try{
|
||||
$clientData = $mapper->map($jwtChainJson, new JwtChain());
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
throw PacketHandlingException::wrap($e);
|
||||
}
|
||||
return $header;
|
||||
return $clientData;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $bodyArray
|
||||
* @throws PacketHandlingException
|
||||
*/
|
||||
protected function mapXboxTokenBody(array $bodyArray) : XboxAuthJwtBody{
|
||||
$mapper = $this->defaultJsonMapper();
|
||||
try{
|
||||
$header = $mapper->map($bodyArray, new XboxAuthJwtBody());
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
throw PacketHandlingException::wrap($e);
|
||||
protected function fetchAuthData(JwtChain $chain) : AuthenticationData{
|
||||
/** @var AuthenticationData|null $extraData */
|
||||
$extraData = null;
|
||||
foreach($chain->chain as $jwt){
|
||||
//validate every chain element
|
||||
try{
|
||||
[, $claims, ] = JwtUtils::parse($jwt);
|
||||
}catch(JwtException $e){
|
||||
throw PacketHandlingException::wrap($e);
|
||||
}
|
||||
if(isset($claims["extraData"])){
|
||||
if($extraData !== null){
|
||||
throw new PacketHandlingException("Found 'extraData' more than once in chainData");
|
||||
}
|
||||
|
||||
if(!is_array($claims["extraData"])){
|
||||
throw new PacketHandlingException("'extraData' key should be an array");
|
||||
}
|
||||
$mapper = new \JsonMapper();
|
||||
$mapper->bEnforceMapType = false; //TODO: we don't really need this as an array, but right now we don't have enough models
|
||||
$mapper->bExceptionOnMissingData = true;
|
||||
$mapper->bExceptionOnUndefinedProperty = true;
|
||||
$mapper->bStrictObjectTypeChecking = true;
|
||||
try{
|
||||
/** @var AuthenticationData $extraData */
|
||||
$extraData = $mapper->map($claims["extraData"], new AuthenticationData());
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
throw PacketHandlingException::wrap($e);
|
||||
}
|
||||
}
|
||||
}
|
||||
return $header;
|
||||
if($extraData === null){
|
||||
throw new PacketHandlingException("'extraData' not found in chain data");
|
||||
}
|
||||
return $extraData;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -291,7 +252,11 @@ class LoginPacketHandler extends PacketHandler{
|
||||
throw PacketHandlingException::wrap($e);
|
||||
}
|
||||
|
||||
$mapper = $this->defaultJsonMapper();
|
||||
$mapper = new \JsonMapper();
|
||||
$mapper->bEnforceMapType = false; //TODO: we don't really need this as an array, but right now we don't have enough models
|
||||
$mapper->bExceptionOnMissingData = true;
|
||||
$mapper->bExceptionOnUndefinedProperty = true;
|
||||
$mapper->bStrictObjectTypeChecking = true;
|
||||
try{
|
||||
$clientData = $mapper->map($clientDataClaims, new ClientData());
|
||||
}catch(\JsonMapper_Exception $e){
|
||||
@ -304,37 +269,15 @@ class LoginPacketHandler extends PacketHandler{
|
||||
* TODO: This is separated for the purposes of allowing plugins (like Specter) to hack it and bypass authentication.
|
||||
* In the future this won't be necessary.
|
||||
*
|
||||
* @param null|string[] $legacyCertificate
|
||||
*
|
||||
* @throws \InvalidArgumentException
|
||||
*/
|
||||
protected function processOpenIdLogin(string $token, string $keyId, string $clientData, bool $authRequired) : void{
|
||||
protected function processLogin(string $token, AuthenticationType $authType, ?array $legacyCertificate, string $clientData, bool $authRequired) : void{
|
||||
if($legacyCertificate === null){
|
||||
throw new PacketHandlingException("Legacy certificate cannot be null");
|
||||
}
|
||||
$this->server->getAsyncPool()->submitTask(new ProcessLoginTask($legacyCertificate, $clientData, $authRequired, $this->authCallback));
|
||||
$this->session->setHandler(null); //drop packets received during login verification
|
||||
|
||||
$authKeyProvider = $this->server->getAuthKeyProvider();
|
||||
|
||||
$authKeyProvider->getKey($keyId)->onCompletion(
|
||||
function(array $issuerAndKey) use ($token, $clientData, $authRequired) : void{
|
||||
[$issuer, $mojangPublicKeyPem] = $issuerAndKey;
|
||||
$this->server->getAsyncPool()->submitTask(new ProcessOpenIdLoginTask($token, $issuer, $mojangPublicKeyPem, $clientData, $authRequired, $this->authCallback));
|
||||
},
|
||||
fn() => ($this->authCallback)(false, $authRequired, "Unrecognized authentication key ID: $keyId", null)
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string[] $legacyCertificate
|
||||
*/
|
||||
protected function processSelfSignedLogin(array $legacyCertificate, string $clientDataJwt, bool $authRequired) : void{
|
||||
$this->session->setHandler(null); //drop packets received during login verification
|
||||
|
||||
$this->server->getAsyncPool()->submitTask(new ProcessLegacyLoginTask($legacyCertificate, $clientDataJwt, rootAuthKeyDer: null, authRequired: $authRequired, onCompletion: $this->authCallback));
|
||||
}
|
||||
|
||||
private function defaultJsonMapper() : \JsonMapper{
|
||||
$mapper = new \JsonMapper();
|
||||
$mapper->bExceptionOnMissingData = true;
|
||||
$mapper->bExceptionOnUndefinedProperty = true;
|
||||
$mapper->bStrictObjectTypeChecking = true;
|
||||
$mapper->bEnforceMapType = false;
|
||||
return $mapper;
|
||||
}
|
||||
}
|
||||
|
||||
@ -870,6 +870,12 @@ parameters:
|
||||
count: 1
|
||||
path: ../../../src/network/mcpe/NetworkSession.php
|
||||
|
||||
-
|
||||
message: '#^Property pocketmine\\network\\mcpe\\auth\\ProcessLoginTask\:\:\$chain \(string\) does not accept string\|null\.$#'
|
||||
identifier: assign.propertyType
|
||||
count: 1
|
||||
path: ../../../src/network/mcpe/auth/ProcessLoginTask.php
|
||||
|
||||
-
|
||||
message: '#^Parameter \#1 \$result of method pocketmine\\network\\mcpe\\compression\\CompressBatchPromise\:\:resolve\(\) expects string, mixed given\.$#'
|
||||
identifier: argument.type
|
||||
|
||||
Reference in New Issue
Block a user