refactor checkToken

2023-07-28 09:26:18 +10:00 · 2023-07-28 09:26:18 +10:00 · f1f68c3d31
commit f1f68c3d31
parent 8a3989c297
8 changed files with 75 additions and 125 deletions
--- a/assets/openapi.json
+++ b/assets/openapi.json
--- a/assets/schemas.json
+++ b/assets/schemas.json
--- a/src/api/middlewares/Authentication.ts
+++ b/src/api/middlewares/Authentication.ts
@ -92,12 +92,7 @@ export async function Authentication(
 	Sentry.setUser({ id: req.user_id });
 	try {
-		const { jwtSecret } = Config.get().security;
+		const { decoded, user } = await checkToken(req.headers.authorization);
 		const { decoded, user } = await checkToken(
 			req.headers.authorization,
 			jwtSecret,
 		);
 		req.token = decoded;
 		req.user_id = decoded.id;
--- a/src/api/routes/auth/reset.ts
+++ b/src/api/routes/auth/reset.ts
@ -48,11 +48,9 @@ router.post(
 	async (req: Request, res: Response) => {
 		const { password, token } = req.body as PasswordResetSchema;
 		const { jwtSecret } = Config.get().security;
 		let user;
 		try {
-			const userTokenData = await checkToken(token, jwtSecret, true);
+			const userTokenData = await checkToken(token);
 			user = userTokenData.user;
 		} catch {
 			throw FieldErrors({
--- a/src/api/routes/auth/verify/index.ts
+++ b/src/api/routes/auth/verify/index.ts
@ -78,11 +78,10 @@ router.post(
 			}
 		}
 		const { jwtSecret } = Config.get().security;
 		let user;
 		try {
-			const userTokenData = await checkToken(token, jwtSecret, true);
+			const userTokenData = await checkToken(token);
 			user = userTokenData.user;
 		} catch {
 			throw FieldErrors({
--- a/src/gateway/opcodes/Identify.ts
+++ b/src/gateway/opcodes/Identify.ts
@ -30,7 +30,6 @@ import {
 	Intents,
 	Member,
 	ReadyEventData,
 	User,
 	Session,
 	EVENTEnum,
 	Config,
@ -60,17 +59,6 @@ import { check } from "./instanceOf";
 // TODO: user sharding
 // TODO: check privileged intents, if defined in the config
 const getUserFromToken = async (token: string): Promise<string | null> => {
 	try {
 		const { jwtSecret } = Config.get().security;
 		const { decoded } = await checkToken(token, jwtSecret);
 		return decoded.id;
 	} catch (e) {
 		console.error(`[Gateway] Invalid token`, e);
 		return null;
 	}
 };
 export async function onIdentify(this: WebSocket, data: Payload) {
 	if (this.user_id) {
 		// we've already identified
@ -85,12 +73,12 @@ export async function onIdentify(this: WebSocket, data: Payload) {
 	this.capabilities = new Capabilities(identify.capabilities || 0);
-	// Check auth
+	const { user } = await checkToken(identify.token, {
-	// TODO: the checkToken call will fetch user, and then we have to refetch with different select
+		relations: ["relationships", "relationships.to", "settings"],
-	// checkToken should be able to select what we want
+		select: [...PrivateUserProjection, "relationships"],
-	const user_id = await getUserFromToken(identify.token);
+	});
-	if (!user_id) return this.close(CLOSECODES.Authentication_failed);
+	if (!user) return this.close(CLOSECODES.Authentication_failed);
-	this.user_id = user_id;
+	this.user_id = user.id;
 	// Check intents
 	if (!identify.intents) identify.intents = 30064771071n; // TODO: what is this number?
@ -112,7 +100,7 @@ export async function onIdentify(this: WebSocket, data: Payload) {
 		) {
 			// TODO: why do we even care about this right now?
 			console.log(
-				`[Gateway] Invalid sharding from ${user_id}: ${identify.shard}`,
+				`[Gateway] Invalid sharding from ${user.id}: ${identify.shard}`,
 			);
 			return this.close(CLOSECODES.Invalid_shard);
 		}
@ -132,22 +120,14 @@ export async function onIdentify(this: WebSocket, data: Payload) {
 	});
 	// Get from database:
 	// * the current user,
 	// * the users read states
 	// * guild members for this user
 	// * recipients ( dm channels )
 	// * the bot application, if it exists
-	const [, user, application, read_states, members, recipients] =
+	const [, application, read_states, members, recipients] = await Promise.all(
-		await Promise.all([
+		[
 			session.save(),
 			// TODO: Refactor checkToken to allow us to skip this additional query
 			User.findOneOrFail({
 				where: { id: this.user_id },
 				relations: ["relationships", "relationships.to", "settings"],
 				select: [...PrivateUserProjection, "relationships"],
 			}),
 			Application.findOne({
 				where: { id: this.user_id },
 				select: ["id", "flags"],
@ -224,7 +204,8 @@ export async function onIdentify(this: WebSocket, data: Payload) {
 					},
 				},
 			}),
-		]);
+		],
 	);
 	// We forgot to migrate user settings from the JSON column of `users`
 	// to the `user_settings` table theyre in now,
@ -407,6 +388,17 @@ export async function onIdentify(this: WebSocket, data: Payload) {
 		merged_members: merged_members,
 		sessions: allSessions,
 		resume_gateway_url:
 			Config.get().gateway.endpointClient ||
 			Config.get().gateway.endpointPublic ||
 			"ws://127.0.0.1:3001",
 		// lol hack whatever
 		required_action:
 			Config.get().login.requireVerification && !user.verified
 				? "REQUIRE_VERIFIED_EMAIL"
 				: undefined,
 		consents: {
 			personalization: {
 				consented: false, // TODO
@ -421,18 +413,8 @@ export async function onIdentify(this: WebSocket, data: Payload) {
 		friend_suggestion_count: 0,
 		analytics_token: "",
 		tutorial: null,
 		resume_gateway_url:
 			Config.get().gateway.endpointClient ||
 			Config.get().gateway.endpointPublic ||
 			"ws://127.0.0.1:3001",
 		session_type: "normal", // TODO
 		auth_session_id_hash: "", // TODO
 		// lol hack whatever
 		required_action:
 			Config.get().login.requireVerification && !user.verified
 				? "REQUIRE_VERIFIED_EMAIL"
 				: undefined,
 	};
 	// Send READY
--- a/src/util/schemas/RegisterSchema.ts
+++ b/src/util/schemas/RegisterSchema.ts
@ -42,4 +42,8 @@ export interface RegisterSchema {
 	captcha_key?: string;
 	promotional_email_opt_in?: boolean;
 	// part of pomelo
 	unique_username_registration?: boolean;
 	global_name?: string;
 }
--- a/src/util/util/Token.ts
+++ b/src/util/util/Token.ts
@ -19,94 +19,66 @@
 import jwt, { VerifyOptions } from "jsonwebtoken";
 import { Config } from "./Config";
 import { User } from "../entities";
 // TODO: dont use deprecated APIs lol
 import {
 	FindOptionsRelationByString,
 	FindOptionsSelectByString,
 } from "typeorm";
 export const JWTOptions: VerifyOptions = { algorithms: ["HS256"] };
 export type UserTokenData = {
 	user: User;
-	decoded: { id: string; iat: number };
+	decoded: { id: string; iat: number; email?: string };
 };
-async function checkEmailToken(
+export const checkToken = (
 	decoded: jwt.JwtPayload,
 ): Promise<UserTokenData> {
 	// eslint-disable-next-line no-async-promise-executor
 	return new Promise(async (res, rej) => {
 		if (!decoded.iat) return rej("Invalid Token"); // will never happen, just for typings.
 		const user = await User.findOne({
 			where: {
 				email: decoded.email,
 			},
 			select: [
 				"email",
 				"id",
 				"verified",
 				"deleted",
 				"disabled",
 				"username",
 				"data",
 			],
 		});
 		if (!user) return rej("Invalid Token");
 		if (new Date().getTime() > decoded.iat * 1000 + 86400 * 1000)
 			return rej("Invalid Token");
 		// Using as here because we assert `id` and `iat` are in decoded.
 		// TS just doesn't want to assume its there, though.
 		return res({ decoded, user } as UserTokenData);
 	});
 }
 export function checkToken(
 	token: string,
-	jwtSecret: string,
+	opts?: {
-	isEmailVerification = false,
+		select?: FindOptionsSelectByString<User>;
-): Promise<UserTokenData> {
+		relations?: FindOptionsRelationByString;
-	return new Promise((res, rej) => {
+	},
-		token = token.replace("Bot ", "");
+): Promise<UserTokenData> =>
-		token = token.replace("Bearer ", "");
+	new Promise((resolve, reject) => {
-		/**
+		jwt.verify(
-		in spacebar, even with instances that have bot distinction; we won't enforce "Bot" prefix,
+			token,
-		as we don't really have separate pathways for bots 
+			Config.get().security.jwtSecret,
-		**/
+			JWTOptions,
 			async (err, out) => {
 				const decoded = out as UserTokenData["decoded"];
 				if (err || !decoded) return reject("Invalid Token");
-		jwt.verify(token, jwtSecret, JWTOptions, async (err, decoded) => {
+				const user = await User.findOne({
-			if (err || !decoded) return rej("Invalid Token");
+					where: decoded.email
-			if (
+						? { email: decoded.email }
-				typeof decoded == "string" ||
+						: { id: decoded.id },
-				!("id" in decoded) ||
+					select: [
-				!decoded.iat
+						...(opts?.select || []),
-			)
+						"bot",
-				return rej("Invalid Token"); // will never happen, just for typings.
+						"disabled",
 						"deleted",
 						"rights",
 						"data",
 					],
 					relations: opts?.relations,
 				});
-			if (isEmailVerification) return res(checkEmailToken(decoded));
+				if (!user) return reject("User not found");
-			const user = await User.findOne({
+				// we need to round it to seconds as it saved as seconds in jwt iat and valid_tokens_since is stored in milliseconds
-				where: { id: decoded.id },
+				if (
-				select: ["data", "bot", "disabled", "deleted", "rights"],
+					decoded.iat * 1000 <
-			});
+					new Date(user.data.valid_tokens_since).setSeconds(0, 0)
 				)
 					return reject("Invalid Token");
-			if (!user) return rej("Invalid Token");
+				if (user.disabled) return reject("User disabled");
 				if (user.deleted) return reject("User not found");
-			// we need to round it to seconds as it saved as seconds in jwt iat and valid_tokens_since is stored in milliseconds
+				return resolve({ decoded, user });
-			if (
+			},
-				decoded.iat * 1000 <
+		);
 				new Date(user.data.valid_tokens_since).setSeconds(0, 0)
 			)
 				return rej("Invalid Token");
 			if (user.disabled) return rej("User disabled");
 			if (user.deleted) return rej("User not found");
 			// Using as here because we assert `id` and `iat` are in decoded.
 			// TS just doesn't want to assume its there, though.
 			return res({ decoded, user } as UserTokenData);
 		});
 	});
 }
 export async function generateToken(id: string, email?: string) {
 	const iat = Math.floor(Date.now() / 1000);