Improved jwt handling for node access tokens. Switched to di plugin system

2025-02-24 21:03:23 +01:00
parent 67efe71247
commit a8d867c3c7
11 changed files with 101 additions and 48 deletions
--- a/MoonlightServers.Daemon/Helpers/AccessTokenHelper.cs
+++ b/MoonlightServers.Daemon/Helpers/AccessTokenHelper.cs
@@ -1,4 +1,8 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Text;
 using System.Text.Json;
+using Microsoft.IdentityModel.Tokens;
 using MoonCore.Attributes;
 using MoonCore.Extended.Helpers;
 using MoonlightServers.Daemon.Configuration;
@@ -15,8 +19,33 @@ public class AccessTokenHelper
        Configuration = configuration;
    }

-    public bool Process(string accessToken, out Dictionary<string, JsonElement> data)
+// TODO: Improve
+    public bool Process(string accessToken, out Claim[] claims)
    {
-        return JwtHelper.TryVerifyAndDecodePayload(Configuration.Security.Token, accessToken, out data);
+        var jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
+
+        try
+        {
+            var data = jwtSecurityTokenHandler.ValidateToken(accessToken, new()
+            {
+                ClockSkew = TimeSpan.Zero,
+                ValidateLifetime = true,
+                ValidateAudience = false,
+                ValidateIssuer = false,
+                ValidateActor = false,
+                IssuerSigningKey = new SymmetricSecurityKey(
+                    Encoding.UTF8.GetBytes(Configuration.Security.Token)
+                )
+            }, out var _);
+
+            claims = data.Claims.ToArray();
+
+            return true;
+        }
+        catch (Exception e)
+        {
+            claims = [];
+            return false;
+        }
    }
 }
--- a/MoonlightServers.Daemon/Helpers/ServerWebSocketConnection.cs
+++ b/MoonlightServers.Daemon/Helpers/ServerWebSocketConnection.cs
@@ -50,7 +50,7 @@ public class ServerWebSocketConnection
        }

        // Validate access token data
-        if (!accessData.ContainsKey("type") || !accessData.ContainsKey("serverId"))
+        if (accessData.All(x => x.Type != "type") || accessData.All(x => x.Type != "serverId"))
        {
            Logger.LogDebug("Received invalid access token: Required parameters are missing");
            
@@ -63,7 +63,7 @@ public class ServerWebSocketConnection
        }

        // Validate access token type
-        var type = accessData["type"].GetString()!;
+        var type = accessData.First(x => x.Type == "type").Value;

        if (type != "websocket")
        {
@@ -77,7 +77,7 @@ public class ServerWebSocketConnection
            return;
        }

-        var serverId = accessData["serverId"].GetInt32();
+        var serverId = int.Parse(accessData.First(x => x.Type == "serverId").Value);
        
        // Check that the access token isn't for another server
        if (ServerId != -1 && ServerId == serverId)