Uplandustries/WebConsole-2.4-PLUS
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Improved security

Browse Source
This commit is contained in:
Carlos
2020-12-05 13:26:04 +01:00
parent d2696df7bc
commit dd9003190a
9 changed files with 181 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/es/mesacarlos/webconsole/websocket/WSServer.java
View File

@ -13,6 +13,7 @@ import org.java_websocket.server.WebSocketServer;
import es.mesacarlos.webconsole.auth.LoginManager;
import es.mesacarlos.webconsole.util.DateTimeUtils;
import es.mesacarlos.webconsole.util.Internationalization;
import es.mesacarlos.webconsole.util.JsonUtils;
import es.mesacarlos.webconsole.websocket.command.WSCommandFactory;
import es.mesacarlos.webconsole.websocket.command.WSCommand;
import es.mesacarlos.webconsole.websocket.response.ConsoleOutput;
@ -30,7 +31,7 @@ public class WSServer extends WebSocketServer {
@Override
public void onOpen(WebSocket conn, ClientHandshake handshake) {
if (LoginManager.getInstance().isLoggedIn(conn.getRemoteSocketAddress())) {
if (LoginManager.getInstance().isSocketConnected(conn.getRemoteSocketAddress())) {
sendToClient(conn, new LoggedIn(Internationalization.getPhrase("connection-resumed-message")));
Bukkit.getLogger().info(Internationalization.getPhrase("connection-resumed-console", conn.getRemoteSocketAddress()));
} else {
@ -41,11 +42,15 @@ public class WSServer extends WebSocketServer {
@Override
public void onMessage(WebSocket conn, String message) {
if(!JsonUtils.containsStringProperty(message, "command") //Contains a command
|| ( !JsonUtils.containsStringProperty(message, "token") && !JsonUtils.getStringProperty(message, JsonUtils.COMMAND_PROPERTY).equals("LOGIN")) //Contains a token or it is a login command
)
return;
// Get command and params
String wsCommand = message.split(" ")[0];
String wsCommandParams = "";
if (message.contains(" "))
wsCommandParams = message.split(" ", 2)[1];
String wsCommand = JsonUtils.getStringProperty(message, JsonUtils.COMMAND_PROPERTY);
String wsToken = JsonUtils.getStringProperty(message, JsonUtils.TOKEN_PROPERTY);
String wsCommandParams = JsonUtils.getStringProperty(message, JsonUtils.PARAMS_PROPERTY);
// Run command
WSCommand cmd = commands.get(wsCommand);
@ -54,8 +59,8 @@ public class WSServer extends WebSocketServer {
// Command does not exist
sendToClient(conn, new UnknownCommand(Internationalization.getPhrase("unknown-command-message"), message));
Bukkit.getLogger().info(Internationalization.getPhrase("unknown-command-console", message));
} else if (!LoginManager.getInstance().isLoggedIn(conn.getRemoteSocketAddress())
&& !wsCommand.equals("LOGIN")) {
} else if (!wsCommand.equals("LOGIN")
&& !LoginManager.getInstance().isLoggedIn(conn.getRemoteSocketAddress(), wsToken)) {
// User is not authorised. DO NOTHING, IMPORTANT!
sendToClient(conn, new LoginRequired(Internationalization.getPhrase("forbidden-message")));
Bukkit.getLogger().warning(Internationalization.getPhrase("forbidden-console", conn.getRemoteSocketAddress(), message));
@ -86,7 +91,7 @@ public class WSServer extends WebSocketServer {
public void onNewConsoleLinePrinted(String line) {
Collection<WebSocket> connections = getConnections();
for (WebSocket connection : connections) {
if (LoginManager.getInstance().isLoggedIn(connection.getRemoteSocketAddress()))
if (LoginManager.getInstance().isSocketConnected(connection.getRemoteSocketAddress()))
sendToClient(connection, new ConsoleOutput(line, DateTimeUtils.getTimeAsString()));
}
}

8
src/es/mesacarlos/webconsole/websocket/command/LogInCommand.java
View File

@ -1,5 +1,7 @@
package es.mesacarlos.webconsole.websocket.command;
import java.util.UUID;
import org.bukkit.Bukkit;
import org.java_websocket.WebSocket;
@ -17,16 +19,16 @@ public class LogInCommand implements WSCommand {
@Override
public void execute(WSServer wsServer, WebSocket conn, String password) {
// If user is logged in, then return.
if (LoginManager.getInstance().isLoggedIn(conn.getRemoteSocketAddress()))
if (LoginManager.getInstance().isSocketConnected(conn.getRemoteSocketAddress()))
return;
//Check if user exists
for(UserData ud : ConfigManager.getInstance().getAllUsers()) {
if(ud.getPassword().equals(password)) {
ConnectedUser user = new ConnectedUser(conn.getRemoteSocketAddress(), ud.getUsername(), ud.getUserType());
ConnectedUser user = new ConnectedUser(conn.getRemoteSocketAddress(), ud.getUsername(), UUID.randomUUID().toString(), ud.getUserType());
LoginManager.getInstance().logIn(user);
wsServer.sendToClient(conn, new LoggedIn(Internationalization.getPhrase("login-sucessful-message"), "LOGIN ********", user.getUsername(), user.getUserType()));
wsServer.sendToClient(conn, new LoggedIn(Internationalization.getPhrase("login-sucessful-message"), "LOGIN ********", user.getUsername(), user.getUserType(), user.getToken()));
Bukkit.getLogger().info(Internationalization.getPhrase("login-sucessful-console", user.toString()));
return;
}

11
src/es/mesacarlos/webconsole/websocket/response/LoggedIn.java
View File

@ -9,16 +9,18 @@ public class LoggedIn implements JSONOutput{
private String respondsTo;
private String username;
private UserType as;
private String token;
public LoggedIn(String message) {
this.message = message;
}
public LoggedIn(String message, String respondsTo, String username, UserType as) {
public LoggedIn(String message, String respondsTo, String username, UserType as, String token) {
this.message = message;
this.respondsTo = respondsTo;
this.username = username;
this.as = as;
this.token = token;
}
@Override
@ -52,7 +54,11 @@ public class LoggedIn implements JSONOutput{
return "VIEWER"; //This is not a security hole bc its just informative...
}
}
private String getToken() {
return token;
}
@Override
public String toJSON() {
JsonObject object = new JsonObject();
@ -61,6 +67,7 @@ public class LoggedIn implements JSONOutput{
object.addProperty("respondsTo", getRespondsTo());
object.addProperty("username", getUsername());
object.addProperty("as", getAs());
object.addProperty("token", getToken());
object.addProperty("message", getMessage());
return object.toString();
}