1.26.10 & auth (#2261)

Author: PetteriM1

.gitignore

@@ -268,6 +268,8 @@ data/*
 material_tags.txt
 item_types.txt
 block_types.txt
+discovery-cache.json
+openid-cache.json
 
 run/
 

gradle/libs.versions.toml

@@ -16,7 +16,7 @@ snakeyaml = { group = "org.yaml", name = "snakeyaml", version = "1.33" }
 leveldb = { group = "org.iq80.leveldb", name = "leveldb", version = "0.11.1-SNAPSHOT" }
 leveldbjni = { group = "net.daporkchop", name = "leveldb-mcpe-jni", version = "0.0.10-SNAPSHOT" }
 snappy = { group = "org.xerial.snappy", name = "snappy-java", version = "1.1.10.8" }
-jwt = { group = "com.nimbusds", name = "nimbus-jose-jwt", version = "10.3.1" }
+jwt = { group = "org.bitbucket.b_c", name = "jose4j", version = "0.9.6" }
 jopt-simple = { group = "net.sf.jopt-simple", name = "jopt-simple", version = "5.0.4" }
 blockstateupdater = { group = "org.cloudburstmc", name = "block-state-updater", version = "1.21.40-SNAPSHOT" }
 lmbda = { group = "org.lanternpowered", name = "lmbda", version = "2.0.0" }

src/main/java/cn/nukkit/Player.java

@@ -141,8 +141,6 @@ public class Player extends EntityHuman implements CommandSender, InventoryHolde
     private boolean loginPacketReceived;
     protected boolean networkSettingsRequested;
     public int gamemode;
-    protected long randomClientId;
-    private String unverifiedUsername = "";
 
     protected final BiMap<Inventory, Integer> windows = HashBiMap.create();
     protected final BiMap<Integer, Inventory> windowIndex = windows.inverse();
@@ -430,7 +428,7 @@ public String getClientSecret() {
      */
     @Deprecated
     public Long getClientId() {
-        return randomClientId;
+        return loginChainData.getClientId();
     }
 
     @Override
@@ -2945,7 +2943,7 @@ public void handleDataPacket(DataPacket packet) {
                 this.networkSettingsRequested = true;
 
                 if (this.getNetworkSession().getCompression() != CompressionProvider.NONE) {
-                    this.getServer().getLogger().debug((this.username == null ? this.unverifiedUsername : this.username) +
+                    this.getServer().getLogger().debug(this.username +
                             ": got a RequestNetworkSettingsPacket but compression is already set");
                     return;
                 }
@@ -2978,7 +2976,6 @@ public void handleDataPacket(DataPacket packet) {
                 this.loginPacketReceived = true;
 
                 LoginPacket loginPacket = (LoginPacket) packet;
-                this.unverifiedUsername = TextFormat.clean(loginPacket.username);
 
                 if (!this.networkSettingsRequested) {
                     this.close("", "Invalid login sequence: login packet before network settings");
@@ -2997,50 +2994,33 @@ public void handleDataPacket(DataPacket packet) {
                     return;
                 }
 
-                if (loginPacket.skin == null) {
-                    this.close("", "disconnectionScreen.invalidSkin");
-                    return;
-                }
-
-                if (this.server.getOnlinePlayersCount() >= this.server.getMaxPlayers() && this.kick(PlayerKickEvent.Reason.SERVER_FULL, "disconnectionScreen.serverFull", false)) {
-                    return;
-                }
-
                 try {
-                    // TODO: Why do we read this separately?
                     this.loginChainData = ClientChainData.read(loginPacket);
                 } catch (ClientChainData.TooBigSkinException ex) {
                     this.close("", "disconnectionScreen.invalidSkin");
                     return;
+                } catch (Exception ex) {
+                    getServer().getLogger().logException(ex);
+                    this.close("", "disconnectionScreen.noReason");
+                    return;
                 }
 
-                server.getLogger().debug("Name: " + this.unverifiedUsername + " Protocol: " + loginPacket.getProtocol() + " Version: " + loginChainData.getGameVersion());
+                server.getLogger().debug("Name: " + loginChainData.getUsername() + " Version: " + loginChainData.getGameVersion());
 
                 if (!loginChainData.isXboxAuthed() && server.xboxAuth) {
                     this.close("", "disconnectionScreen.notAuthenticated");
                     return;
                 }
 
-                // Do not set username before the user is authenticated
-                this.username = this.unverifiedUsername;
-                this.unverifiedUsername = null;
-                this.displayName = this.username;
-                this.iusername = this.username.toLowerCase(Locale.ROOT);
-                this.setDataProperty(new StringEntityData(DATA_NAMETAG, this.username), false);
-
-                this.randomClientId = loginPacket.clientId;
-                this.uuid = loginPacket.clientUUID;
-                this.rawUUID = Binary.writeUUID(this.uuid);
-
                 boolean valid = true;
-                int len = loginPacket.username.length();
-                if (len > 16 || len < 3 || loginPacket.username.trim().isEmpty()) {
+                int len = loginChainData.getUsername().length();
+                if (len > 16 || len < 3 || loginChainData.getUsername().trim().isEmpty()) {
                     valid = false;
                 }
 
                 if (valid) {
                     for (int i = 0; i < len; i++) {
-                        char c = loginPacket.username.charAt(i);
+                        char c = loginChainData.getUsername().charAt(i);
                         if ((c >= 'a' && c <= 'z') ||
                                 (c >= 'A' && c <= 'Z') ||
                                 (c >= '0' && c <= '9') ||
@@ -3054,13 +3034,27 @@ public void handleDataPacket(DataPacket packet) {
                     }
                 }
 
-                if (!valid || Objects.equals(this.iusername, "rcon") || Objects.equals(this.iusername, "console")) {
+                String lowerCaseName = loginChainData.getUsername().toLowerCase(Locale.ROOT);
+                if (!valid || Objects.equals(lowerCaseName, "rcon") || Objects.equals(lowerCaseName, "console")) {
                     this.close("", "disconnectionScreen.invalidName");
                     return;
                 }
 
-                Skin skin = loginPacket.skin;
-                if (!skin.isValid()) {
+                // Do not set username before the user is authenticated
+                this.username = loginChainData.getUsername();
+                this.displayName = this.username;
+                this.iusername = lowerCaseName;
+                this.setDataProperty(new StringEntityData(DATA_NAMETAG, this.username), false);
+
+                this.uuid = loginChainData.getClientUUID();
+                this.rawUUID = Binary.writeUUID(this.uuid);
+
+                if (this.server.getOnlinePlayersCount() >= this.server.getMaxPlayers() && this.kick(PlayerKickEvent.Reason.SERVER_FULL, "disconnectionScreen.serverFull", false)) {
+                    return;
+                }
+
+                Skin skin = loginChainData.getSkin();
+                if (skin == null || !skin.isValid()) {
                     this.close("", "disconnectionScreen.invalidSkin");
                     return;
                 }
@@ -5416,7 +5410,7 @@ public void close(TextContainer message, String reason, boolean notify) {
             this.server.getPluginManager().unsubscribeFromPermission(Server.BROADCAST_CHANNEL_USERS, this);
             this.spawned = false;
             this.server.getLogger().info(this.getServer().getLanguage().translateString("nukkit.player.logOut",
-                    TextFormat.AQUA + (this.username == null ? this.unverifiedUsername : this.username) + TextFormat.WHITE,
+                    TextFormat.AQUA + this.username + TextFormat.WHITE,
                     this.getAddress(),
                     String.valueOf(this.getPort()),
                     this.getServer().getLanguage().translateString(reason)));
@@ -5444,7 +5438,7 @@ public void close(TextContainer message, String reason, boolean notify) {
         this.server.removePlayer(this);
 
         if (this.loggedIn) {
-            this.server.getLogger().warning("Player is still logged in: " + (this.username == null ? this.unverifiedUsername : this.username));
+            this.server.getLogger().warning("Player is still logged in: " + this.username);
             this.interfaz.close(this, notify ? reason : "");
             this.server.removeOnlinePlayer(this);
             this.loggedIn = false;

src/main/java/cn/nukkit/Server.java

@@ -54,6 +54,7 @@
 import cn.nukkit.network.Network;
 import cn.nukkit.network.RakNetInterface;
 import cn.nukkit.network.SourceInterface;
+import cn.nukkit.network.encryption.EncryptionUtils;
 import cn.nukkit.network.protocol.*;
 import cn.nukkit.network.query.QueryHandler;
 import cn.nukkit.network.rcon.RCON;
@@ -432,6 +433,10 @@ public Level remove(Object key) {
         log.info(this.getLanguage().translateString("language.selected", new String[]{getLanguage().getName(), getLanguage().getLang()}));
         log.info(getLanguage().translateString("nukkit.server.start", TextFormat.AQUA + this.getVersion() + TextFormat.RESET));
 
+        log.debug("Setting up auth environment...");
+        //noinspection ResultOfMethodCallIgnored
+        EncryptionUtils.getMojangPublicKey();
+
         Object poolSize = this.getConfig("settings.async-workers", "auto");
         if (!(poolSize instanceof Integer)) {
             try {

src/main/java/cn/nukkit/inventory/transaction/data/UseItemData.java

@@ -23,4 +23,5 @@ public class UseItemData implements TransactionData {
     public Vector3f clickPos;
     public int blockRuntimeId;
     public int clientInteractPrediction;
+    public int clientCooldownState;
 }

src/main/java/cn/nukkit/network/Network.java

@@ -159,7 +159,7 @@ public void processBatch(byte[] payload, Collection<DataPacket> packets, Compres
             try {
                 pk.decode();
 
-                if (Nukkit.DEBUG > 1 && pk.offset < pk.getRawBuffer().length) {
+                if (Nukkit.DEBUG > 1 && packetId != ProtocolInfo.LOGIN_PACKET && pk.offset < pk.getRawBuffer().length) {
                     log.debug(pk.getClass().getSimpleName() + " still has " + (pk.getRawBuffer().length - pk.offset) + " bytes to read!");
                 }
             } catch (Exception e) {

src/main/java/cn/nukkit/network/auth/AuthPayload.java

@@ -0,0 +1,11 @@
+package cn.nukkit.network.auth;
+
+public interface AuthPayload {
+
+    /**
+     * Returns the authentication type of the player.
+     *
+     * @return the authentication type
+     */
+    AuthType getAuthType();
+}

src/main/java/cn/nukkit/network/auth/AuthType.java

@@ -0,0 +1,20 @@
+package cn.nukkit.network.auth;
+
+public enum AuthType {
+    /**
+     * Player auth status is unknown. This is the default value for legacy clients.
+     */
+    UNKNOWN,
+    /**
+     * Player is authenticated directly to Mojang auth servers.
+     */
+    FULL,
+    /**
+     * Split screen player using the host's authentication token.
+     */
+    GUEST,
+    /**
+     * This player is not authenticated with Mojang auth servers.
+     */
+    SELF_SIGNED
+}

src/main/java/cn/nukkit/network/auth/CertificateChainPayload.java

@@ -0,0 +1,27 @@
+package cn.nukkit.network.auth;
+
+import lombok.Getter;
+
+import java.util.List;
+import java.util.Objects;
+
+public class CertificateChainPayload implements AuthPayload {
+
+    @Getter
+    private final List<String> chain;
+    private final AuthType type;
+
+    public CertificateChainPayload(List<String> chain) {
+        this(chain, AuthType.UNKNOWN);
+    }
+
+    public CertificateChainPayload(List<String> chain, AuthType type) {
+        this.chain = chain;
+        this.type = Objects.requireNonNull(type);
+    }
+
+    @Override
+    public AuthType getAuthType() {
+        return type;
+    }
+}

src/main/java/cn/nukkit/network/auth/TokenPayload.java

@@ -0,0 +1,26 @@
+package cn.nukkit.network.auth;
+
+import lombok.Getter;
+
+import java.util.Objects;
+
+public class TokenPayload implements AuthPayload {
+
+    @Getter
+    private final String token;
+    private final AuthType type;
+
+    public TokenPayload(String token, AuthType type) {
+        if (type == AuthType.UNKNOWN) {
+            throw new IllegalArgumentException("TokenPayload cannot be of type UNKNOWN");
+        }
+
+        this.token = token;
+        this.type = Objects.requireNonNull(type);
+    }
+
+    @Override
+    public AuthType getAuthType() {
+        return type;
+    }
+}