// Valid valides a token
func (d *DefaultCSRFGenerator) Valid(token, actionID string) bool {
userUniqueId, ok := d.Session.Get(CsrfSessionKey).(string)
if !ok {
return false
}
return xsrftoken.Valid(token, d.Secret, userUniqueId, actionID)
}
func verifyToken(r *http.Request, method string) error {
token := r.Form.Get("xsrf-token")
if token == "" {
return errors.New("No XSRF token present in form")
}
session, _ := controllerhelpers.GetSessionHTTP(r)
admin, _ := models.GetPlayerBySteamID(session.Values["steam_id"].(string))
valid := xsrftoken.Valid(token, config.Constants.CookieStoreSecret, admin.SteamID, method)
if !valid {
return errors.New("XSRF token is invalid")
}
return nil
}
func ChangeRole(w http.ResponseWriter, r *http.Request) {
err := r.ParseForm()
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
values := r.Form
steamid := values.Get("steamid")
remove := values.Get("remove")
token := values.Get("xsrf-token")
if !xsrftoken.Valid(token, config.Constants.CookieStoreSecret, "admin", "POST") {
http.Error(w, "invalid xsrf token", http.StatusBadRequest)
return
}
role, ok := map[string]authority.AuthRole{
"admin": helpers.RoleAdmin,
"mod": helpers.RoleMod,
}[values.Get("role")]
if !ok {
http.Error(w, "invalid role", http.StatusBadRequest)
return
}
player, err := player.GetPlayerBySteamID(steamid)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
if remove == "true" {
player.Role = 0
player.Save()
fmt.Fprintf(w, "Player %s (%s) has been removed as %s", player.Name, player.SteamID, helpers.RoleNames[role])
return
}
player.Role = role
player.Save()
fmt.Fprintf(w, "Player %s (%s) has been made a %s", player.Name, player.SteamID, helpers.RoleNames[role])
return
}
func RemoveServer(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
values := r.Form
token := values.Get("xsrf-token")
if !xsrftoken.Valid(token, config.Constants.CookieStoreSecret, "admin", "POST") {
http.Error(w, "invalid xsrf token", http.StatusBadRequest)
return
}
addr := values.Get("address")
if addr == "" {
http.Error(w, "Empty address not allowed", http.StatusBadRequest)
return
}
gameserver.RemoveStoredServer(addr)
fmt.Fprintf(w, "Server successfully deleted.")
}
func GetBanLogs(w http.ResponseWriter, r *http.Request) {
values := r.URL.Query()
if !xsrftoken.Valid(values.Get("xsrf-token"), config.Constants.CookieStoreSecret, "admin", "POST") {
http.Error(w, "invalid xsrf token", http.StatusBadRequest)
return
}
var bans []*player.PlayerBan
all := values.Get("all")
steamid := values.Get("steamid")
if steamid == "" {
if all == "" {
bans = player.GetAllActiveBans()
} else {
bans = player.GetAllBans()
}
} else {
player, err := player.GetPlayerBySteamID(steamid)
if err != nil {
http.Error(w, err.Error(), http.StatusNotFound)
return
}
if all == "" {
bans, _ = player.GetActiveBans()
} else {
bans, _ = player.GetAllBans()
}
}
err := banlogsTempl.Execute(w, bans)
if err != nil {
logrus.Error(err)
}
}
func AddServer(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
values := r.Form
token := values.Get("xsrf-token")
if !xsrftoken.Valid(token, config.Constants.CookieStoreSecret, "admin", "POST") {
http.Error(w, "invalid xsrf token", http.StatusBadRequest)
return
}
name := values.Get("name")
if name == "" {
http.Error(w, "Empty name not allowed", http.StatusBadRequest)
return
}
addr := values.Get("address")
if addr == "" {
http.Error(w, "Empty address not allowed", http.StatusBadRequest)
return
}
passwd := values.Get("password")
if passwd == "" {
http.Error(w, "Empty password not allowed", http.StatusBadRequest)
return
}
server, err := gameserver.NewStoredServer(name, addr, passwd)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
w.WriteHeader(http.StatusOK)
fmt.Fprintf(w, "Server successfully added (ID: #%d)", server.ID)
}
func TwitchAuthHandler(w http.ResponseWriter, r *http.Request) {
token, err := controllerhelpers.GetToken(r)
if err == http.ErrNoCookie {
http.Error(w, "You are not logged in.", http.StatusUnauthorized)
return
} else if err != nil {
http.Error(w, "Invalid jwt", http.StatusBadRequest)
return
}
id := token.Claims.(*controllerhelpers.TF2StadiumClaims).PlayerID
player, _ := player.GetPlayerByID(id)
values := r.URL.Query()
code := values.Get("code")
if code == "" {
http.Error(w, "No code given", http.StatusBadRequest)
return
}
state := values.Get("state")
if state == "" || !xsrftoken.Valid(state, config.Constants.CookieStoreSecret, player.SteamID, "GET") {
http.Error(w, "Missing or Invalid XSRF token", http.StatusBadRequest)
return
}
twitchRedirectURL, _ := url.Parse(config.Constants.PublicAddress)
twitchRedirectURL.Path = "twitchAuth"
// successful login, try getting access token now
tokenURL := url.URL{
Scheme: "https",
Host: "api.twitch.tv",
Path: "kraken/oauth2/token",
}
values = tokenURL.Query()
values.Set("client_id", config.Constants.TwitchClientID)
values.Set("client_secret", config.Constants.TwitchClientSecret)
values.Set("grant_type", "authorization_code")
values.Set("redirect_uri", twitchRedirectURL.String())
values.Set("code", code)
values.Set("state", state)
req, err := http.NewRequest("POST", tokenURL.String(), strings.NewReader(values.Encode()))
if err != nil {
logrus.Error(err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
resp, err := helpers.HTTPClient.Do(req)
if err != nil {
logrus.Error(err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
reply := reply{}
dec := json.NewDecoder(resp.Body)
err = dec.Decode(&reply)
if err != nil {
logrus.Error(err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
info, err := getUserInfo(reply.AccessToken)
if err != nil {
logrus.Error(err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
player.TwitchName = info.Name
player.TwitchAccessToken = reply.AccessToken
player.Save()
http.Redirect(w, r, config.Constants.LoginRedirectPath, http.StatusTemporaryRedirect)
}
func BanPlayer(w http.ResponseWriter, r *http.Request) {
err := r.ParseForm()
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
}
values := r.Form
steamid := values.Get("steamid")
reason := values.Get("reason")
banType := values.Get("type")
remove := values.Get("remove")
token := values.Get("xsrf-token")
if !xsrftoken.Valid(token, config.Constants.CookieStoreSecret, "admin", "POST") {
http.Error(w, "invalid xsrf token", http.StatusBadRequest)
return
}
ban, ok := map[string]player.BanType{
"joinLobby": player.BanJoin,
"joinMumbleLobby": player.BanJoinMumble,
"createLobby": player.BanCreate,
"chat": player.BanChat,
"full": player.BanFull,
}[banType]
if !ok {
http.Error(w, "Invalid ban type", http.StatusBadRequest)
return
}
player, err := player.GetPlayerBySteamID(steamid)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
if remove == "true" {
err := player.Unban(ban)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
} else {
fmt.Fprintf(w, "Player %s (%s) has been unbanned (%s)", player.Name, player.SteamID, ban.String())
}
return
}
until, err := time.Parse("2006-01-02 15:04", values.Get("date")+" "+values.Get("time"))
if err != nil {
http.Error(w, "invalid time format", http.StatusBadRequest)
return
} else if until.Sub(time.Now()) < 0 {
http.Error(w, "invalid time", http.StatusBadRequest)
return
}
jwt, _ := chelpers.GetToken(r)
bannedByPlayer := chelpers.GetPlayer(jwt)
err = player.BanUntil(until, ban, reason, bannedByPlayer.ID)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
fmt.Fprintf(w, "Player %s (%s) has been banned (%s) till %v", player.Name, player.SteamID, ban.String(), until)
}
