Force finished registration to access authenticated endpoints
turecross321 committed Sep 30, 2024
1 parent 1428f6d commit 855796a
Showing 4 changed files with 11 additions and 9 deletions.
@@ -1,6 +1,6 @@
namespace SoundShapesServer.Attributes;

public class AllowedWhenBannedAttribute: Attribute
public class AllowWhenBannedAttribute: Attribute
{

}
4 changes: 2 additions & 2 deletions SoundShapesServer/Database/GameDatabaseContext.Users.cs
Expand Up @@ -13,9 +13,9 @@ public partial class GameDatabaseContext
return this.Users.FirstOrDefault(u => u.Name == name);
}

public DbUser? GetUserWithEmail(string name)
public DbUser? GetRegisteredUserWithEmail(string name)
{
return this.Users.FirstOrDefault(u => u.EmailAddress == name);
return this.Users.FirstOrDefault(u => u.EmailAddress == name && u.FinishedRegistration);
}

public DbUser CreateUser(string name)
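Review bot: `GetRegisteredUserWithEmail` still receives the address through a parameter named `name`, so the body reads `u.EmailAddress == name`; renaming it to `email` and documenting the new filter would make the intent self-describing, e.g. `/// <summary>Finds the user whose e-mail address matches, ignoring accounts that have not finished registration.</summary>`. The unfiltered e-mail lookup no longer exists after this rename, so any caller that legitimately needs a half-registered account by e-mail (re-sending a verification mail, or rejecting a duplicate address at sign-up) would now silently miss it — worth confirming whether such callers exist elsewhere in the repository. The name lookup ending just above (`u.Name == name`) is untouched and still returns unfinished accounts, so only e-mail lookups change behaviour. The enclosing partial class continues outside the hunk.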
4 changes: 2 additions & 2 deletions SoundShapesServer/Endpoints/Api/ApiAuthenticationEndpoints.cs
Expand Up @@ -98,7 +98,7 @@ public ApiResponse<ApiFullUserResponse> VerifyEmail(RequestContext context, Game
public ApiOkResponse SendPasswordResetMail(RequestContext context, GameDatabaseContext database,
EmailService email, ServerConfig config, ApiSendPasswordResetMailRequest body)
{
DbUser? user = database.GetUserWithEmail(body.Email);
DbUser? user = database.GetRegisteredUserWithEmail(body.Email);
if (user == null)
{
// Don't respond with an error to avoid email lookup security vulnerability
Expand Down Expand Up @@ -238,7 +238,7 @@ public ApiResponse<ApiLoginResponse> LogIn(RequestContext context, GameDatabaseC
if (!CommonPatterns.Sha512Regex().IsMatch(body.PasswordSha512))
return ApiBadRequestError.PasswordIsNotHashed;

DbUser? user = database.GetUserWithEmail(body.Email);
DbUser? user = database.GetRegisteredUserWithEmail(body.Email);
if (user == null)
{
// Do the work of checking the password if there was no user found to avoid timing attacks.
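Review bot: The comment on the LogIn not-found path at the end of the second hunk, `// Do the work of checking the password if there was no user found to avoid timing attacks.`, is now slightly out of date: with `GetRegisteredUserWithEmail` that branch is also taken for an account that exists but never finished registration, which appears to be what the commit wants but should be stated so the dummy-work path is kept equivalent for both cases, e.g. `// No registered user (unknown e-mail or unfinished registration): still do the password work so response time does not reveal which.`. The same shift applies to SendPasswordResetMail in the first hunk, where an unfinished account now gets the silent OK from the `user == null` branch instead of a reset mail; presumably registration has its own verification path, so a one-line comment there would stop a future reader from "fixing" it. Both method bodies continue below their hunks.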
10 changes: 6 additions & 4 deletions SoundShapesServer/GameAuthenticationProvider.cs
Expand Up @@ -39,7 +39,7 @@ public class GameAuthenticationProvider: IAuthenticationProvider<DbToken>
string uriPath = request.Uri.AbsolutePath;

if (uriPath.StartsWith(GameEndpointAttribute.RoutePrefix)
&& token.TokenType == TokenType.GameAccess)
&& token is { TokenType: TokenType.GameAccess, User.FinishedRegistration: true })
{
return token;
}
Expand All @@ -49,11 +49,13 @@ public class GameAuthenticationProvider: IAuthenticationProvider<DbToken>
return token;
}

if (uriPath.StartsWith(ApiEndpointAttribute.RoutePrefix) && token.TokenType == TokenType.ApiAccess)
if (uriPath.StartsWith(ApiEndpointAttribute.RoutePrefix) && token is
{ TokenType: TokenType.ApiAccess, User.FinishedRegistration: true })
{
return token;
}

}


return null;
}
}
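Review bot: The branch that returns `token` between the two rewritten checks (the `return token;` immediately before the Api check) is now the only path without a `User.FinishedRegistration: true` condition, and its guard is collapsed out of the hunk, so it is not visible here whether it is the intended exemption (a registration-phase token type, presumably) or an oversight. If it is deliberate, a comment on that branch naming the token type it admits would make the exemption explicit, e.g. `// Registration-phase tokens are the only ones accepted before FinishedRegistration is set.`. The two extended property patterns fail closed when `token.User` is null rather than throwing, which is the right default for an authentication provider. The enclosing method starts above the hunk; the stray blank lines before `return null;` could also be dropped.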
