rogueserver/api/account.go

package api

import (
	"bytes"
	"crypto/rand"
	"database/sql"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"regexp"
	"strconv"
	"time"

	"github.com/Flashfyre/pokerogue-server/db"
	"golang.org/x/crypto/argon2"
)

const (
	argonTime      = 1
	argonMemory    = 256 * 1024
	argonThreads   = 4
	argonKeyLength = 32
)

var isValidUsername = regexp.MustCompile(`^\w{1,16}$`).MatchString

type AccountInfoResponse struct {
	Username        string `json:"username"`
	LastSessionSlot int    `json:"lastSessionSlot"`
}

// /account/info - get account info
func (s *Server) handleAccountInfo(w http.ResponseWriter, r *http.Request) {
	username, err := getUsernameFromRequest(r)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}

	uuid, err := getUuidFromRequest(r) // lazy
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}

	var latestSaveTime time.Time
	latestSaveId := -1
	for id := range sessionSlotCount {
		fileName := "session"
		if id != 0 {
			fileName += strconv.Itoa(id)
		}

		stat, err := os.Stat(fmt.Sprintf("userdata/%x/%s.pzs", uuid, fileName))
		if err != nil {
			continue
		}

		if stat.ModTime().After(latestSaveTime) {
			latestSaveTime = stat.ModTime()
			latestSaveId = id
		}
	}

	response, err := json.Marshal(AccountInfoResponse{Username: username, LastSessionSlot: latestSaveId})
	if err != nil {
		http.Error(w, fmt.Sprintf("failed to marshal response json: %s", err), http.StatusInternalServerError)
		return
	}

	w.Write(response)
}

type AccountRegisterRequest GenericAuthRequest

// /account/register - register account
func (s *Server) handleAccountRegister(w http.ResponseWriter, r *http.Request) {
	var request AccountRegisterRequest
	err := json.NewDecoder(r.Body).Decode(&request)
	if err != nil {
		http.Error(w, fmt.Sprintf("failed to decode request body: %s", err), http.StatusBadRequest)
		return
	}

	if !isValidUsername(request.Username) {
		http.Error(w, "invalid username", http.StatusBadRequest)
		return
	}

	if len(request.Password) < 6 {
		http.Error(w, "invalid password", http.StatusBadRequest)
		return
	}

	uuid := make([]byte, 16)

	_, err = rand.Read(uuid)
	if err != nil {
		http.Error(w, fmt.Sprintf("failed to generate uuid: %s", err), http.StatusInternalServerError)
		return
	}

	salt := make([]byte, 16)

	_, err = rand.Read(salt)
	if err != nil {
		http.Error(w, fmt.Sprintf("failed to generate salt: %s", err), http.StatusInternalServerError)
		return
	}

	err = db.AddAccountRecord(uuid, request.Username, argon2.IDKey([]byte(request.Password), salt, argonTime, argonMemory, argonThreads, argonKeyLength), salt)
	if err != nil {
		http.Error(w, fmt.Sprintf("failed to add account record: %s", err), http.StatusInternalServerError)
		return
	}

	w.WriteHeader(http.StatusOK)
}

type AccountLoginRequest GenericAuthRequest
type AccountLoginResponse GenericAuthResponse

// /account/login - log into account
func (s *Server) handleAccountLogin(w http.ResponseWriter, r *http.Request) {
	var request AccountLoginRequest
	err := json.NewDecoder(r.Body).Decode(&request)
	if err != nil {
		http.Error(w, fmt.Sprintf("failed to decode request body: %s", err), http.StatusBadRequest)
		return
	}

	if !isValidUsername(request.Username) {
		http.Error(w, "invalid username", http.StatusBadRequest)
		return
	}

	if len(request.Password) < 6 {
		http.Error(w, "invalid password", http.StatusBadRequest)
		return
	}

	key, salt, err := db.FetchAccountKeySaltFromUsername(request.Username)
	if err != nil {
		if err == sql.ErrNoRows {
			http.Error(w, "account doesn't exist", http.StatusBadRequest)
			return
		}

		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	if !bytes.Equal(key, argon2.IDKey([]byte(request.Password), salt, argonTime, argonMemory, argonThreads, argonKeyLength)) {
		http.Error(w, "password doesn't match", http.StatusBadRequest)
		return
	}

	token := make([]byte, 32)

	_, err = rand.Read(token)
	if err != nil {
		http.Error(w, fmt.Sprintf("failed to generate token: %s", err), http.StatusInternalServerError)
		return
	}

	err = db.AddAccountSession(request.Username, token)
	if err != nil {
		http.Error(w, "failed to add account session", http.StatusInternalServerError)
		return
	}

	response, err := json.Marshal(AccountLoginResponse{Token: base64.StdEncoding.EncodeToString(token)})
	if err != nil {
		http.Error(w, fmt.Sprintf("failed to marshal response json: %s", err), http.StatusInternalServerError)
		return
	}

	w.Write(response)
}

// /account/logout - log out of account
func (s *Server) handleAccountLogout(w http.ResponseWriter, r *http.Request) {
	token, err := base64.StdEncoding.DecodeString(r.Header.Get("Authorization"))
	if err != nil {
		http.Error(w, fmt.Sprintf("failed to decode token: %s", err), http.StatusBadRequest)
		return
	}

	if len(token) != 32 {
		http.Error(w, "invalid token", http.StatusBadRequest)
		return
	}

	err = db.RemoveSessionFromToken(token)
	if err != nil {
		if err == sql.ErrNoRows {
			http.Error(w, "token not found", http.StatusBadRequest)
			return
		}

		http.Error(w, "failed to remove account session", http.StatusInternalServerError)
		return
	}

	w.WriteHeader(http.StatusOK)
}
Add changes so far 10 months ago			`package api`

			`import (`
More changes 9 months ago			`"bytes"`
			`"crypto/rand"`
			`"database/sql"`
Add changes so far 10 months ago			`"encoding/base64"`
			`"encoding/json"`
			`"fmt"`
			`"net/http"`
Add hasGameSession to account info response 9 months ago			`"os"`
More changes 9 months ago			`"regexp"`
Add session save slots 6 months ago			`"strconv"`
			`"time"`
Add changes so far 10 months ago
			`"github.com/Flashfyre/pokerogue-server/db"`
More changes 9 months ago			`"golang.org/x/crypto/argon2"`
Add changes so far 10 months ago			`)`

More changes 9 months ago			`const (`
Add session save slots 6 months ago			`argonTime = 1`
			`argonMemory = 256 * 1024`
			`argonThreads = 4`
More changes 9 months ago			`argonKeyLength = 32`
			`)`

Fix minimum username length 9 months ago			var isValidUsername = regexp.MustCompile(`^\w{1,16}$`).MatchString
More changes 9 months ago
Add session save slots 6 months ago			`type AccountInfoResponse struct {`
			Username string `json:"username"`
			LastSessionSlot int `json:"lastSessionSlot"`
Add changes so far 10 months ago			`}`

Various changes 6 months ago			`// /account/info - get account info`
			`func (s Server) handleAccountInfo(w http.ResponseWriter, r http.Request) {`
			`username, err := getUsernameFromRequest(r)`
Add changes so far 10 months ago			`if err != nil {`
			`http.Error(w, err.Error(), http.StatusBadRequest)`
			`return`
			`}`

Various changes 6 months ago			`uuid, err := getUuidFromRequest(r) // lazy`
Add hasGameSession to account info response 9 months ago			`if err != nil {`
			`http.Error(w, err.Error(), http.StatusBadRequest)`
			`return`
			`}`

Add session save slots 6 months ago			`var latestSaveTime time.Time`
			`latestSaveId := -1`
			`for id := range sessionSlotCount {`
			`fileName := "session"`
			`if id != 0 {`
			`fileName += strconv.Itoa(id)`
			`}`

			`stat, err := os.Stat(fmt.Sprintf("userdata/%x/%s.pzs", uuid, fileName))`
			`if err != nil {`
			`continue`
			`}`

			`if stat.ModTime().After(latestSaveTime) {`
			`latestSaveTime = stat.ModTime()`
			`latestSaveId = id`
			`}`
			`}`
Add hasGameSession to account info response 9 months ago
Add session save slots 6 months ago			`response, err := json.Marshal(AccountInfoResponse{Username: username, LastSessionSlot: latestSaveId})`
Add changes so far 10 months ago			`if err != nil {`
			`http.Error(w, fmt.Sprintf("failed to marshal response json: %s", err), http.StatusInternalServerError)`
			`return`
			`}`

			`w.Write(response)`
			`}`

			`type AccountRegisterRequest GenericAuthRequest`

Various changes 6 months ago			`// /account/register - register account`
			`func (s Server) handleAccountRegister(w http.ResponseWriter, r http.Request) {`
Add changes so far 10 months ago			`var request AccountRegisterRequest`
			`err := json.NewDecoder(r.Body).Decode(&request)`
			`if err != nil {`
			`http.Error(w, fmt.Sprintf("failed to decode request body: %s", err), http.StatusBadRequest)`
			`return`
			`}`

Fix calls to isValidUsername 9 months ago			`if !isValidUsername(request.Username) {`
More changes 9 months ago			`http.Error(w, "invalid username", http.StatusBadRequest)`
			`return`
			`}`

			`if len(request.Password) < 6 {`
			`http.Error(w, "invalid password", http.StatusBadRequest)`
			`return`
			`}`

			`uuid := make([]byte, 16)`

			`_, err = rand.Read(uuid)`
			`if err != nil {`
			`http.Error(w, fmt.Sprintf("failed to generate uuid: %s", err), http.StatusInternalServerError)`
			`return`
			`}`

			`salt := make([]byte, 16)`

			`_, err = rand.Read(salt)`
			`if err != nil {`
			`http.Error(w, fmt.Sprintf("failed to generate salt: %s", err), http.StatusInternalServerError)`
			`return`
			`}`

			`err = db.AddAccountRecord(uuid, request.Username, argon2.IDKey([]byte(request.Password), salt, argonTime, argonMemory, argonThreads, argonKeyLength), salt)`
			`if err != nil {`
More verbose error response in register endpoint 9 months ago			`http.Error(w, fmt.Sprintf("failed to add account record: %s", err), http.StatusInternalServerError)`
More changes 9 months ago			`return`
			`}`

			`w.WriteHeader(http.StatusOK)`
Add changes so far 10 months ago			`}`

			`type AccountLoginRequest GenericAuthRequest`
			`type AccountLoginResponse GenericAuthResponse`

Various changes 6 months ago			`// /account/login - log into account`
			`func (s Server) handleAccountLogin(w http.ResponseWriter, r http.Request) {`
More changes 9 months ago			`var request AccountLoginRequest`
			`err := json.NewDecoder(r.Body).Decode(&request)`
			`if err != nil {`
			`http.Error(w, fmt.Sprintf("failed to decode request body: %s", err), http.StatusBadRequest)`
			`return`
			`}`

Fix calls to isValidUsername 9 months ago			`if !isValidUsername(request.Username) {`
More changes 9 months ago			`http.Error(w, "invalid username", http.StatusBadRequest)`
			`return`
			`}`

			`if len(request.Password) < 6 {`
			`http.Error(w, "invalid password", http.StatusBadRequest)`
			`return`
			`}`

Update random daily seed logic 6 months ago			`key, salt, err := db.FetchAccountKeySaltFromUsername(request.Username)`
More changes 9 months ago			`if err != nil {`
			`if err == sql.ErrNoRows {`
			`http.Error(w, "account doesn't exist", http.StatusBadRequest)`
			`return`
			`}`

			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`

			`if !bytes.Equal(key, argon2.IDKey([]byte(request.Password), salt, argonTime, argonMemory, argonThreads, argonKeyLength)) {`
			`http.Error(w, "password doesn't match", http.StatusBadRequest)`
			`return`
			`}`

Fix generated token size 9 months ago			`token := make([]byte, 32)`
More changes 9 months ago
			`_, err = rand.Read(token)`
			`if err != nil {`
			`http.Error(w, fmt.Sprintf("failed to generate token: %s", err), http.StatusInternalServerError)`
			`return`
			`}`
Add changes so far 10 months ago
More changes 9 months ago			`err = db.AddAccountSession(request.Username, token)`
			`if err != nil {`
			`http.Error(w, "failed to add account session", http.StatusInternalServerError)`
			`return`
			`}`

			`response, err := json.Marshal(AccountLoginResponse{Token: base64.StdEncoding.EncodeToString(token)})`
			`if err != nil {`
			`http.Error(w, fmt.Sprintf("failed to marshal response json: %s", err), http.StatusInternalServerError)`
			`return`
			`}`

			`w.Write(response)`
Add changes so far 10 months ago			`}`

Update endpoint comments 9 months ago			`// /account/logout - log out of account`
Various changes 6 months ago			`func (s Server) handleAccountLogout(w http.ResponseWriter, r http.Request) {`
More changes 9 months ago			`token, err := base64.StdEncoding.DecodeString(r.Header.Get("Authorization"))`
			`if err != nil {`
			`http.Error(w, fmt.Sprintf("failed to decode token: %s", err), http.StatusBadRequest)`
			`return`
			`}`

			`if len(token) != 32 {`
			`http.Error(w, "invalid token", http.StatusBadRequest)`
			`return`
			`}`

			`err = db.RemoveSessionFromToken(token)`
			`if err != nil {`
			`if err == sql.ErrNoRows {`
			`http.Error(w, "token not found", http.StatusBadRequest)`
			`return`
			`}`

			`http.Error(w, "failed to remove account session", http.StatusInternalServerError)`
			`return`
			`}`
Add changes so far 10 months ago
More changes 9 months ago			`w.WriteHeader(http.StatusOK)`
Add changes so far 10 months ago			`}`