Exemple #1
0
// Valid valides a token
func (d *DefaultCSRFGenerator) Valid(token, actionID string) bool {
	userUniqueId, ok := d.Session.Get(CsrfSessionKey).(string)
	if !ok {
		return false
	}
	return xsrftoken.Valid(token, d.Secret, userUniqueId, actionID)
}
Exemple #2
0
func verifyToken(r *http.Request, method string) error {
	token := r.Form.Get("xsrf-token")
	if token == "" {
		return errors.New("No XSRF token present in form")
	}

	session, _ := controllerhelpers.GetSessionHTTP(r)
	admin, _ := models.GetPlayerBySteamID(session.Values["steam_id"].(string))

	valid := xsrftoken.Valid(token, config.Constants.CookieStoreSecret, admin.SteamID, method)

	if !valid {
		return errors.New("XSRF token is invalid")
	}

	return nil
}
Exemple #3
0
func ChangeRole(w http.ResponseWriter, r *http.Request) {
	err := r.ParseForm()
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}

	values := r.Form
	steamid := values.Get("steamid")
	remove := values.Get("remove")
	token := values.Get("xsrf-token")
	if !xsrftoken.Valid(token, config.Constants.CookieStoreSecret, "admin", "POST") {
		http.Error(w, "invalid xsrf token", http.StatusBadRequest)
		return
	}

	role, ok := map[string]authority.AuthRole{
		"admin": helpers.RoleAdmin,
		"mod":   helpers.RoleMod,
	}[values.Get("role")]
	if !ok {
		http.Error(w, "invalid role", http.StatusBadRequest)
		return
	}

	player, err := player.GetPlayerBySteamID(steamid)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}

	if remove == "true" {
		player.Role = 0
		player.Save()
		fmt.Fprintf(w, "Player %s (%s) has been removed as %s", player.Name, player.SteamID, helpers.RoleNames[role])
		return
	}

	player.Role = role
	player.Save()
	fmt.Fprintf(w, "Player %s (%s) has been made a %s", player.Name, player.SteamID, helpers.RoleNames[role])
	return
}
Exemple #4
0
func RemoveServer(w http.ResponseWriter, r *http.Request) {
	r.ParseForm()
	values := r.Form

	token := values.Get("xsrf-token")
	if !xsrftoken.Valid(token, config.Constants.CookieStoreSecret, "admin", "POST") {
		http.Error(w, "invalid xsrf token", http.StatusBadRequest)
		return
	}

	addr := values.Get("address")
	if addr == "" {
		http.Error(w, "Empty address not allowed", http.StatusBadRequest)
		return
	}

	gameserver.RemoveStoredServer(addr)
	fmt.Fprintf(w, "Server successfully deleted.")
}
Exemple #5
0
func GetBanLogs(w http.ResponseWriter, r *http.Request) {
	values := r.URL.Query()
	if !xsrftoken.Valid(values.Get("xsrf-token"), config.Constants.CookieStoreSecret, "admin", "POST") {
		http.Error(w, "invalid xsrf token", http.StatusBadRequest)
		return
	}

	var bans []*player.PlayerBan

	all := values.Get("all")

	steamid := values.Get("steamid")
	if steamid == "" {
		if all == "" {
			bans = player.GetAllActiveBans()
		} else {
			bans = player.GetAllBans()
		}

	} else {
		player, err := player.GetPlayerBySteamID(steamid)
		if err != nil {
			http.Error(w, err.Error(), http.StatusNotFound)
			return
		}

		if all == "" {
			bans, _ = player.GetActiveBans()
		} else {
			bans, _ = player.GetAllBans()
		}

	}

	err := banlogsTempl.Execute(w, bans)
	if err != nil {
		logrus.Error(err)
	}
}
Exemple #6
0
func AddServer(w http.ResponseWriter, r *http.Request) {
	r.ParseForm()
	values := r.Form

	token := values.Get("xsrf-token")
	if !xsrftoken.Valid(token, config.Constants.CookieStoreSecret, "admin", "POST") {
		http.Error(w, "invalid xsrf token", http.StatusBadRequest)
		return
	}

	name := values.Get("name")
	if name == "" {
		http.Error(w, "Empty name not allowed", http.StatusBadRequest)
		return
	}

	addr := values.Get("address")
	if addr == "" {
		http.Error(w, "Empty address not allowed", http.StatusBadRequest)
		return
	}

	passwd := values.Get("password")
	if passwd == "" {
		http.Error(w, "Empty password not allowed", http.StatusBadRequest)
		return
	}

	server, err := gameserver.NewStoredServer(name, addr, passwd)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}

	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "Server successfully added (ID: #%d)", server.ID)
}
Exemple #7
0
func TwitchAuthHandler(w http.ResponseWriter, r *http.Request) {
	token, err := controllerhelpers.GetToken(r)
	if err == http.ErrNoCookie {
		http.Error(w, "You are not logged in.", http.StatusUnauthorized)
		return
	} else if err != nil {
		http.Error(w, "Invalid jwt", http.StatusBadRequest)
		return
	}

	id := token.Claims.(*controllerhelpers.TF2StadiumClaims).PlayerID
	player, _ := player.GetPlayerByID(id)

	values := r.URL.Query()
	code := values.Get("code")
	if code == "" {
		http.Error(w, "No code given", http.StatusBadRequest)
		return
	}

	state := values.Get("state")
	if state == "" || !xsrftoken.Valid(state, config.Constants.CookieStoreSecret, player.SteamID, "GET") {
		http.Error(w, "Missing or Invalid XSRF token", http.StatusBadRequest)
		return
	}

	twitchRedirectURL, _ := url.Parse(config.Constants.PublicAddress)
	twitchRedirectURL.Path = "twitchAuth"

	// successful login, try getting access token now
	tokenURL := url.URL{
		Scheme: "https",
		Host:   "api.twitch.tv",
		Path:   "kraken/oauth2/token",
	}
	values = tokenURL.Query()
	values.Set("client_id", config.Constants.TwitchClientID)
	values.Set("client_secret", config.Constants.TwitchClientSecret)
	values.Set("grant_type", "authorization_code")
	values.Set("redirect_uri", twitchRedirectURL.String())
	values.Set("code", code)
	values.Set("state", state)

	req, err := http.NewRequest("POST", tokenURL.String(), strings.NewReader(values.Encode()))
	if err != nil {
		logrus.Error(err)
		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
		return
	}

	resp, err := helpers.HTTPClient.Do(req)
	if err != nil {
		logrus.Error(err)
		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
		return
	}

	reply := reply{}

	dec := json.NewDecoder(resp.Body)
	err = dec.Decode(&reply)
	if err != nil {
		logrus.Error(err)
		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
		return
	}

	info, err := getUserInfo(reply.AccessToken)
	if err != nil {
		logrus.Error(err)
		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
		return
	}

	player.TwitchName = info.Name
	player.TwitchAccessToken = reply.AccessToken
	player.Save()

	http.Redirect(w, r, config.Constants.LoginRedirectPath, http.StatusTemporaryRedirect)
}
Exemple #8
0
func BanPlayer(w http.ResponseWriter, r *http.Request) {
	err := r.ParseForm()
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
	}

	values := r.Form
	steamid := values.Get("steamid")
	reason := values.Get("reason")
	banType := values.Get("type")
	remove := values.Get("remove")
	token := values.Get("xsrf-token")
	if !xsrftoken.Valid(token, config.Constants.CookieStoreSecret, "admin", "POST") {
		http.Error(w, "invalid xsrf token", http.StatusBadRequest)
		return
	}

	ban, ok := map[string]player.BanType{
		"joinLobby":       player.BanJoin,
		"joinMumbleLobby": player.BanJoinMumble,
		"createLobby":     player.BanCreate,
		"chat":            player.BanChat,
		"full":            player.BanFull,
	}[banType]
	if !ok {
		http.Error(w, "Invalid ban type", http.StatusBadRequest)
		return
	}

	player, err := player.GetPlayerBySteamID(steamid)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}

	if remove == "true" {
		err := player.Unban(ban)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
		} else {
			fmt.Fprintf(w, "Player %s (%s) has been unbanned (%s)", player.Name, player.SteamID, ban.String())
		}
		return
	}

	until, err := time.Parse("2006-01-02 15:04", values.Get("date")+" "+values.Get("time"))
	if err != nil {
		http.Error(w, "invalid time format", http.StatusBadRequest)
		return
	} else if until.Sub(time.Now()) < 0 {
		http.Error(w, "invalid time", http.StatusBadRequest)
		return
	}

	jwt, _ := chelpers.GetToken(r)
	bannedByPlayer := chelpers.GetPlayer(jwt)

	err = player.BanUntil(until, ban, reason, bannedByPlayer.ID)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}

	fmt.Fprintf(w, "Player %s (%s) has been banned (%s) till %v", player.Name, player.SteamID, ban.String(), until)
}