Merge pull request from GHSA-8q42-63xx-75pf

LBPUnion · Jun 25, 2024 · 7fbfd61 · 7fbfd61
1 parent 0fd76f1
commit 7fbfd61
Show file tree

Hide file tree

Showing 6 changed files with 687 additions and 7 deletions.
diff --git a/ProjectLighthouse.Servers.GameServer/Startup/TokenAuthHandler.cs b/ProjectLighthouse.Servers.GameServer/Startup/TokenAuthHandler.cs
@@ -1,6 +1,8 @@
-using System.Security.Claims;
+using System.Net;
+using System.Security.Claims;
 using System.Text.Encodings.Web;
 using LBPUnion.ProjectLighthouse.Database;
+using LBPUnion.ProjectLighthouse.Helpers;
 using LBPUnion.ProjectLighthouse.Types.Entities.Token;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.Extensions.Logging.Abstractions;
@@ -36,10 +38,17 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
         GameTokenEntity? gameToken = await this.database.GameTokenFromRequest(this.Request);
         if (gameToken == null) return AuthenticateResult.Fail("No game token");
 
+        IPAddress? remoteIpAddress = this.Context.Connection.RemoteIpAddress;
+        if (remoteIpAddress == null) return AuthenticateResult.Fail("Failed to determine IP address");
+
+        if (CryptoHelper.Sha256Hash(remoteIpAddress.ToString()) != gameToken.LocationHash)
+            return AuthenticateResult.Fail("IP address change detected");
+
         this.Context.Items["Token"] = gameToken;
-        Claim[] claims = {
-            new("userId", gameToken.UserId.ToString()),
-        };
+        Claim[] claims =
+        [
+            new Claim("userId", gameToken.UserId.ToString()),
+        ];
         ClaimsIdentity identity = new(claims, this.Scheme.Name);
         ClaimsPrincipal principal = new(identity);
         AuthenticationTicket ticket = new(principal, this.Scheme.Name);

diff --git a/ProjectLighthouse/Database/DatabaseContext.Utils.cs b/ProjectLighthouse/Database/DatabaseContext.Utils.cs
@@ -70,6 +70,7 @@ public async Task<int> UserIdFromUsername(string? username)
             GameVersion = npTicket.GameVersion,
             Platform = npTicket.Platform,
             TicketHash = npTicket.TicketHash,
+            LocationHash = CryptoHelper.Sha256Hash(userLocation),
             // we can get away with a low expiry here since LBP will just get a new token everytime it gets 403'd
             ExpiresAt = DateTime.UtcNow + TimeSpan.FromHours(1),
         };