Fix unnecessary authentication token being sent in requests

server/src/main/java/envoy/server/net/ObjectMessageProcessor.java

@@ -6,12 +6,11 @@ import java.util.Set;
 import java.util.logging.*;
 
 import com.jenkov.nioserver.*;
-import com.jenkov.nioserver.Message;
 
 import envoy.data.AuthenticatedRequest;
 import envoy.util.EnvoyLog;
 
-import envoy.server.data.*;
+import envoy.server.data.PersistenceManager;
 import envoy.server.processors.ObjectProcessor;
 
 /**
@@ -49,32 +48,25 @@ public final class ObjectMessageProcessor implements IMessageProcessor {
 
 			// authenticate requests if necessary
 			boolean authenticated = false;
+			if (obj instanceof AuthenticatedRequest)
+				try {
+					authenticated = PersistenceManager
+						.getInstance().getUserByID(((AuthenticatedRequest<?>) obj).getUserID())
+						.getID() == ConnectionManager.getInstance()
+							.getUserIDBySocketID(message.socketId);
 
-			if (obj instanceof AuthenticatedRequest) {
-				Contact contact = PersistenceManager.getInstance()
-					.getContactByID(((AuthenticatedRequest<?>) obj).getUserID());
-
-				// Validating the authenticity of the request
-				if (contact == null || contact instanceof Group
-					|| !((AuthenticatedRequest<?>) obj).getAuthentication()
-						.equals(((User) contact).getAuthToken())) {
-
-					// Invalid request
-					logger.log(Level.INFO,
-						"A user tried to perform an authenticated request but could not identify himself. Discarding request.");
-					return;
+					// Class cast exception and NullPointerException are valid here and signify a
+					// failed authentication
+				} catch (ClassCastException | NullPointerException e) {} finally {
+					obj = ((AuthenticatedRequest<?>) obj).getRequest();
 				}
-
-				// Valid request
-				logger.log(Level.INFO, "A user successfully authenticated a request for " + obj);
-				authenticated	= true;
-				obj				= ((AuthenticatedRequest<?>) obj).getRequest();
-			} else
-				logger.log(Level.FINE, "Received unauthenticated " + obj);
+			logger.log(Level.INFO,
+				"Received " + (authenticated ? "" : "un") + "authenticated " + obj);
 
 			refer(message.socketId, writeProxy, obj, authenticated);
 		} catch (IOException | ClassNotFoundException e) {
-			e.printStackTrace();
+			logger.log(Level.WARNING,
+				"An exception occurred when reading in an object: " + e);
 		}
 	}
 

server/src/main/java/envoy/server/processors/LoginCredentialProcessor.java

@@ -124,22 +124,23 @@ public final class LoginCredentialProcessor implements ObjectProcessor<LoginCred
 		UserStatusChangeProcessor.updateUserStatus(user, ONLINE);
 
 		// Process token request
-		String token;
-		if (user.getAuthToken() != null && user.getAuthTokenExpiration().isAfter(Instant.now()))
+		if (credentials.requestToken()) {
+			String token;
+			if (user.getAuthToken() != null && user.getAuthTokenExpiration().isAfter(Instant.now()))
 
-			// Reuse existing token and delay expiration date
-			token = user.getAuthToken();
-		else {
+				// Reuse existing token and delay expiration date
+				token = user.getAuthToken();
+			else {
 
-			// Generate new token
-			token = AuthTokenGenerator.nextToken();
-			user.setAuthToken(token);
+				// Generate new token
+				token = AuthTokenGenerator.nextToken();
+				user.setAuthToken(token);
+			}
+			user.setAuthTokenExpiration(Instant.now().plus(
+				ServerConfig.getInstance().getAuthTokenExpiration().longValue(), ChronoUnit.DAYS));
+			persistenceManager.updateContact(user);
+			writeProxy.write(socketID, new NewAuthToken(token));
 		}
-		user.setAuthTokenExpiration(Instant.now().plus(
-			ServerConfig.getInstance().getAuthTokenExpiration().longValue(), ChronoUnit.DAYS));
-		persistenceManager.updateContact(user);
-		writeProxy.write(socketID, new NewAuthToken(token));
-
 		final var pendingMessages =
 			PersistenceManager.getInstance().getPendingMessages(user, credentials.getLastSync());
 		pendingMessages.removeIf(GroupMessage.class::isInstance);