Implement host proof
This commit is contained in:
parent
b7126b0d07
commit
c162c4bdde
5 changed files with 221 additions and 22 deletions
|
|
@ -164,6 +164,7 @@ const runMigrations = () => {
|
|||
pin TEXT PRIMARY KEY,
|
||||
host_peer_id TEXT NOT NULL,
|
||||
host_secret TEXT NOT NULL,
|
||||
host_user_id TEXT,
|
||||
quiz_data TEXT NOT NULL,
|
||||
game_config TEXT NOT NULL,
|
||||
game_state TEXT NOT NULL DEFAULT 'LOBBY',
|
||||
|
|
@ -185,6 +186,12 @@ const runMigrations = () => {
|
|||
console.log("Migration: Added first_correct_player_id to game_sessions");
|
||||
}
|
||||
|
||||
const hasHostUserId = sessionTableInfo.some(col => col.name === "host_user_id");
|
||||
if (!hasHostUserId) {
|
||||
db.exec("ALTER TABLE game_sessions ADD COLUMN host_user_id TEXT");
|
||||
console.log("Migration: Added host_user_id to game_sessions");
|
||||
}
|
||||
|
||||
const hasColorScheme = userTableInfo2.some(col => col.name === "color_scheme");
|
||||
if (!hasColorScheme) {
|
||||
db.exec("ALTER TABLE users ADD COLUMN color_scheme TEXT DEFAULT 'blue'");
|
||||
|
|
|
|||
|
|
@ -58,6 +58,7 @@ CREATE TABLE IF NOT EXISTS game_sessions (
|
|||
pin TEXT PRIMARY KEY,
|
||||
host_peer_id TEXT NOT NULL,
|
||||
host_secret TEXT NOT NULL,
|
||||
host_user_id TEXT,
|
||||
quiz_data TEXT NOT NULL,
|
||||
game_config TEXT NOT NULL,
|
||||
game_state TEXT NOT NULL DEFAULT 'LOBBY',
|
||||
|
|
|
|||
|
|
@ -42,6 +42,53 @@ export interface AuthenticatedRequest extends Request {
|
|||
user?: AuthenticatedUser;
|
||||
}
|
||||
|
||||
export function optionalAuth(
|
||||
req: AuthenticatedRequest,
|
||||
res: Response,
|
||||
next: NextFunction
|
||||
): void {
|
||||
const authHeader = req.headers.authorization;
|
||||
|
||||
if (!authHeader?.startsWith('Bearer ')) {
|
||||
next();
|
||||
return;
|
||||
}
|
||||
|
||||
const token = authHeader.slice(7);
|
||||
|
||||
const verifyOptions: jwt.VerifyOptions = {
|
||||
issuer: OIDC_ISSUER,
|
||||
algorithms: ['RS256'],
|
||||
};
|
||||
if (OIDC_AUDIENCE) {
|
||||
verifyOptions.audience = OIDC_AUDIENCE;
|
||||
}
|
||||
|
||||
jwt.verify(
|
||||
token,
|
||||
getSigningKey,
|
||||
verifyOptions,
|
||||
(err, decoded) => {
|
||||
if (err) {
|
||||
console.error('Optional auth - token verification failed:', err.message);
|
||||
next();
|
||||
return;
|
||||
}
|
||||
|
||||
const payload = decoded as jwt.JwtPayload;
|
||||
req.user = {
|
||||
sub: payload.sub!,
|
||||
preferred_username: payload.preferred_username || payload.sub!,
|
||||
email: payload.email,
|
||||
name: payload.name,
|
||||
groups: payload.groups || [],
|
||||
};
|
||||
|
||||
next();
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
export function requireAuth(
|
||||
req: AuthenticatedRequest,
|
||||
res: Response,
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@ import { Router, Request, Response } from 'express';
|
|||
import rateLimit from 'express-rate-limit';
|
||||
import { db } from '../db/connection.js';
|
||||
import { randomBytes } from 'crypto';
|
||||
import { optionalAuth, AuthenticatedRequest } from '../middleware/auth.js';
|
||||
|
||||
const router = Router();
|
||||
|
||||
|
|
@ -31,6 +32,7 @@ interface GameSession {
|
|||
pin: string;
|
||||
host_peer_id: string;
|
||||
host_secret: string;
|
||||
host_user_id: string | null;
|
||||
quiz_data: string;
|
||||
game_config: string;
|
||||
game_state: string;
|
||||
|
|
@ -55,7 +57,7 @@ const cleanupExpiredSessions = () => {
|
|||
|
||||
setInterval(cleanupExpiredSessions, 60 * 1000);
|
||||
|
||||
router.post('/', gameCreationLimiter, (req: Request, res: Response) => {
|
||||
router.post('/', gameCreationLimiter, optionalAuth, (req: AuthenticatedRequest, res: Response) => {
|
||||
try {
|
||||
const { pin, hostPeerId, quiz, gameConfig } = req.body;
|
||||
|
||||
|
|
@ -65,11 +67,12 @@ router.post('/', gameCreationLimiter, (req: Request, res: Response) => {
|
|||
}
|
||||
|
||||
const hostSecret = randomBytes(32).toString('hex');
|
||||
const hostUserId = req.user?.sub || null;
|
||||
|
||||
db.prepare(`
|
||||
INSERT INTO game_sessions (pin, host_peer_id, host_secret, quiz_data, game_config, game_state, players_data)
|
||||
VALUES (?, ?, ?, ?, ?, 'LOBBY', '[]')
|
||||
`).run(pin, hostPeerId, hostSecret, JSON.stringify(quiz), JSON.stringify(gameConfig));
|
||||
INSERT INTO game_sessions (pin, host_peer_id, host_secret, host_user_id, quiz_data, game_config, game_state, players_data)
|
||||
VALUES (?, ?, ?, ?, ?, ?, 'LOBBY', '[]')
|
||||
`).run(pin, hostPeerId, hostSecret, hostUserId, JSON.stringify(quiz), JSON.stringify(gameConfig));
|
||||
|
||||
res.status(201).json({ success: true, hostSecret });
|
||||
} catch (err: any) {
|
||||
|
|
@ -111,20 +114,29 @@ router.get('/:pin', gameLookupLimiter, (req: Request, res: Response) => {
|
|||
}
|
||||
});
|
||||
|
||||
router.get('/:pin/host', (req: Request, res: Response) => {
|
||||
router.get('/:pin/host', optionalAuth, (req: AuthenticatedRequest, res: Response) => {
|
||||
try {
|
||||
const { pin } = req.params;
|
||||
const hostSecret = req.headers['x-host-secret'] as string;
|
||||
const hostUserId = req.user?.sub;
|
||||
|
||||
if (!hostSecret) {
|
||||
res.status(401).json({ error: 'Host secret required' });
|
||||
if (!hostSecret && !hostUserId) {
|
||||
res.status(401).json({ error: 'Host authentication required (X-Host-Secret header or Authorization token)' });
|
||||
return;
|
||||
}
|
||||
|
||||
const session = db.prepare('SELECT * FROM game_sessions WHERE pin = ? AND host_secret = ?').get(pin, hostSecret) as GameSession | undefined;
|
||||
const session = db.prepare('SELECT * FROM game_sessions WHERE pin = ?').get(pin) as GameSession | undefined;
|
||||
|
||||
if (!session) {
|
||||
res.status(404).json({ error: 'Game not found or invalid secret' });
|
||||
res.status(404).json({ error: 'Game not found' });
|
||||
return;
|
||||
}
|
||||
|
||||
const isValidSecret = hostSecret && session.host_secret === hostSecret;
|
||||
const isValidUser = hostUserId && session.host_user_id === hostUserId;
|
||||
|
||||
if (!isValidSecret && !isValidUser) {
|
||||
res.status(404).json({ error: 'Game not found or invalid credentials' });
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
@ -144,21 +156,30 @@ router.get('/:pin/host', (req: Request, res: Response) => {
|
|||
}
|
||||
});
|
||||
|
||||
router.patch('/:pin', (req: Request, res: Response) => {
|
||||
router.patch('/:pin', optionalAuth, (req: AuthenticatedRequest, res: Response) => {
|
||||
try {
|
||||
const { pin } = req.params;
|
||||
const hostSecret = req.headers['x-host-secret'] as string;
|
||||
const hostUserId = req.user?.sub;
|
||||
const { hostPeerId, gameState, currentQuestionIndex, players, firstCorrectPlayerId } = req.body;
|
||||
|
||||
if (!hostSecret) {
|
||||
res.status(401).json({ error: 'Host secret required' });
|
||||
if (!hostSecret && !hostUserId) {
|
||||
res.status(401).json({ error: 'Host authentication required (X-Host-Secret header or Authorization token)' });
|
||||
return;
|
||||
}
|
||||
|
||||
const session = db.prepare('SELECT pin FROM game_sessions WHERE pin = ? AND host_secret = ?').get(pin, hostSecret);
|
||||
const session = db.prepare('SELECT pin, host_secret, host_user_id FROM game_sessions WHERE pin = ?').get(pin) as GameSession | undefined;
|
||||
|
||||
if (!session) {
|
||||
res.status(404).json({ error: 'Game not found or invalid secret' });
|
||||
res.status(404).json({ error: 'Game not found' });
|
||||
return;
|
||||
}
|
||||
|
||||
const isValidSecret = hostSecret && session.host_secret === hostSecret;
|
||||
const isValidUser = hostUserId && session.host_user_id === hostUserId;
|
||||
|
||||
if (!isValidSecret && !isValidUser) {
|
||||
res.status(404).json({ error: 'Game not found or invalid credentials' });
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
@ -192,12 +213,12 @@ router.patch('/:pin', (req: Request, res: Response) => {
|
|||
}
|
||||
|
||||
updates.push('updated_at = CURRENT_TIMESTAMP');
|
||||
values.push(pin, hostSecret);
|
||||
values.push(pin);
|
||||
|
||||
db.prepare(`
|
||||
UPDATE game_sessions
|
||||
SET ${updates.join(', ')}
|
||||
WHERE pin = ? AND host_secret = ?
|
||||
WHERE pin = ?
|
||||
`).run(...values);
|
||||
|
||||
res.json({ success: true });
|
||||
|
|
@ -207,23 +228,34 @@ router.patch('/:pin', (req: Request, res: Response) => {
|
|||
}
|
||||
});
|
||||
|
||||
router.delete('/:pin', (req: Request, res: Response) => {
|
||||
router.delete('/:pin', optionalAuth, (req: AuthenticatedRequest, res: Response) => {
|
||||
try {
|
||||
const { pin } = req.params;
|
||||
const hostSecret = req.headers['x-host-secret'] as string;
|
||||
const hostUserId = req.user?.sub;
|
||||
|
||||
if (!hostSecret) {
|
||||
res.status(401).json({ error: 'Host secret required' });
|
||||
if (!hostSecret && !hostUserId) {
|
||||
res.status(401).json({ error: 'Host authentication required (X-Host-Secret header or Authorization token)' });
|
||||
return;
|
||||
}
|
||||
|
||||
const result = db.prepare('DELETE FROM game_sessions WHERE pin = ? AND host_secret = ?').run(pin, hostSecret);
|
||||
const session = db.prepare('SELECT pin, host_secret, host_user_id FROM game_sessions WHERE pin = ?').get(pin) as GameSession | undefined;
|
||||
|
||||
if (result.changes === 0) {
|
||||
res.status(404).json({ error: 'Game not found or invalid secret' });
|
||||
if (!session) {
|
||||
res.status(404).json({ error: 'Game not found' });
|
||||
return;
|
||||
}
|
||||
|
||||
const isValidSecret = hostSecret && session.host_secret === hostSecret;
|
||||
const isValidUser = hostUserId && session.host_user_id === hostUserId;
|
||||
|
||||
if (!isValidSecret && !isValidUser) {
|
||||
res.status(404).json({ error: 'Game not found or invalid credentials' });
|
||||
return;
|
||||
}
|
||||
|
||||
db.prepare('DELETE FROM game_sessions WHERE pin = ?').run(pin);
|
||||
|
||||
res.json({ success: true });
|
||||
} catch (err) {
|
||||
console.error('Error deleting game session:', err);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue