Fix bug allowing unauthorized access to a client

Additionally token authentication is now used whenever the client is online
2020-10-22 23:05:51 +02:00
parent b2c3cf62c8
commit 44d3082958
9 changed files with 179 additions and 57 deletions
--- a/client/src/main/java/envoy/client/data/LocalDB.java
+++ b/client/src/main/java/envoy/client/data/LocalDB.java
@ -44,6 +44,7 @@ public final class LocalDB implements EventListener {
 	private IDGenerator				idGenerator;
 	private CacheMap				cacheMap	= new CacheMap();
 	private String					authToken;
+	private boolean					saveToken;
 	private boolean					contactsChanged;

 	// Auto save timer
@ -260,7 +261,7 @@ public final class LocalDB implements EventListener {
 						Context.getInstance().getClient().isOnline() ? Instant.now() : lastSync);

 			// Save last login information
-			if (authToken != null)
+			if (saveToken && authToken != null)
 				SerializationUtils.write(lastLoginFile, user, authToken);

 			// Save ID generator
@ -488,4 +489,10 @@ public final class LocalDB implements EventListener {
 	 * @since Envoy Client v0.2-beta
 	 */
 	public String getAuthToken() { return authToken; }
+
+	/**
+	 * @param saveToken whether the token will be persisted or deleted on shutdown
+	 * @since Envoy Client v0.3-beta
+	 */
+	public void setSaveToken(boolean saveToken) { this.saveToken = saveToken; }
 }
--- a/client/src/main/java/envoy/client/net/Client.java
+++ b/client/src/main/java/envoy/client/net/Client.java
@ -151,7 +151,11 @@ public final class Client implements EventListener, Closeable {
 		checkOnline();
 		logger.log(Level.FINE, "Sending " + obj);
 		try {
-			SerializationUtils.writeBytesWithLength(obj, socket.getOutputStream());
+			SerializationUtils.writeBytesWithLength(
+				new AuthenticatedRequest<>(obj,
+					Context.getInstance().getLocalDB().getUser().getID(),
+					Context.getInstance().getLocalDB().getAuthToken()),
+				socket.getOutputStream());
 		} catch (final IOException e) {
 			throw new RuntimeException(e);
 		}
--- a/client/src/main/java/envoy/client/ui/controller/LoginScene.java
+++ b/client/src/main/java/envoy/client/ui/controller/LoginScene.java
@ -16,7 +16,7 @@ import envoy.data.LoginCredentials;
 import envoy.event.HandshakeRejection;
 import envoy.util.*;

-import envoy.client.data.ClientConfig;
+import envoy.client.data.*;
 import envoy.client.ui.Startup;
 import envoy.client.util.IconUtil;

@ -79,9 +79,11 @@ public final class LoginScene implements EventListener {

 	@FXML
 	private void loginButtonPressed() {
-		final String	user			= userTextField.getText(), pass = passwordField.getText(),
+		final String user = userTextField.getText(), pass = passwordField.getText(),
 			repeatPass = repeatPasswordField.getText();
-		final boolean	requestToken	= cbStaySignedIn.isSelected();
+
+		// Choose whether to persist the token or not
+		Context.getInstance().getLocalDB().setSaveToken(cbStaySignedIn.isSelected());

 		// Prevent registration with unequal passwords
 		if (registration && !pass.equals(repeatPass)) {
@ -96,8 +98,8 @@ public final class LoginScene implements EventListener {
 		} else {
 			Instant lastSync = Startup.loadLastSync(userTextField.getText());
 			Startup.performHandshake(registration
-				? LoginCredentials.registration(user, pass, requestToken, Startup.VERSION, lastSync)
-				: LoginCredentials.login(user, pass, requestToken, Startup.VERSION, lastSync));
+				? LoginCredentials.registration(user, pass, Startup.VERSION, lastSync)
+				: LoginCredentials.login(user, pass, Startup.VERSION, lastSync));
 		}
 	}