From 7b0872aeccc2be460e8af5cd4a14b0660a83c1ed Mon Sep 17 00:00:00 2001
From: Ethan Jones
Date: Thu, 23 Sep 2021 14:09:52 -0600
Subject: BungeeGuard style proxy security and OnlyAllowBungee config (#5291)
---
src/ClientHandle.cpp | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
(limited to 'src/ClientHandle.cpp')
diff --git a/src/ClientHandle.cpp b/src/ClientHandle.cpp
index cf70f870e..bbf018587 100644
--- a/src/ClientHandle.cpp
+++ b/src/ClientHandle.cpp
@@ -222,6 +222,28 @@ bool cClientHandle::IsUUIDOnline(const cUUID & a_UUID)
+void cClientHandle::ProxyInit(const AString & a_IPString, const cUUID & a_UUID)
+{
+ this->SetIPString(a_IPString);
+ this->SetUUID(a_UUID);
+
+ this->m_ProxyConnection = true;
+}
+
+
+
+
+
+void cClientHandle::ProxyInit(const AString & a_IPString, const cUUID & a_UUID, const Json::Value & a_Properties)
+{
+ this->SetProperties(a_Properties);
+ this->ProxyInit(a_IPString, a_UUID);
+}
+
+
+
+
+
 void cClientHandle::ProcessProtocolOut()
 {
 decltype(m_OutgoingData) OutgoingData;
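Review bot: Both `ProxyInit` overloads replace the connection's address and UUID with values supplied in the handshake and set `m_ProxyConnection = true` before any secret has been checked, and nothing in the hunk says so. A comment above the first overload such as `// Values are claimed by the peer; they are trusted only after BungeeAuthenticate() accepts the connection` would warn callers against using them for bans, rate limits or logs before that point. If `SetIPString` overwrites the only copy of the socket's real address (its body is outside this diff), rejected attempts would be recorded under an address the sender chose, so keeping the original peer address for logging would be worth considering. The `this->` qualifiers are redundant and differ from the unqualified member access used in `BungeeAuthenticate`.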
@@ -264,6 +286,54 @@ void cClientHandle::Kick(const AString & a_Reason)
+bool cClientHandle::BungeeAuthenticate()
+{
+ if (!m_ProxyConnection && cRoot::Get()->GetServer()->OnlyAllowBungeeCord())
+ {
+ Kick("You can only connect to this server using a Proxy.");
+
+ return false;
+ }
+
+ cServer * Server = cRoot::Get()->GetServer();
+
+ // Proxy Shared Secret Check (BungeeGuard)
+ const AString & ForwardSecret = Server->GetProxySharedSecret();
+ const bool AllowBungee = Server->ShouldAllowBungeeCord();
+ const bool RequireForwardSecret = AllowBungee && !ForwardSecret.empty();
+
+ if (RequireForwardSecret)
+ {
+ for (auto & Node : GetProperties())
+ {
+ if (Node.get("name", "").asString() == "bungeeguard-token")
+ {
+ AString SentToken = Node.get("value", "").asString();
+
+ if (ForwardSecret.compare(SentToken) == 0)
+ {
+ return true;
+ }
+
+ break;
+ }
+ }
+
+ Kick("Unable to authenticate.");
+ return false;
+ }
+ else if (m_ProxyConnection)
+ {
+ LOG("A player connected through a proxy without requiring a forwarding secret. If open to the internet, this is very insecure!");
+ }
+
+ return true;
+}
+
+
+
+
+
 void cClientHandle::Authenticate(const AString & a_Name, const cUUID & a_UUID, const Json::Value & a_Properties)
 {
 {
@@ -281,6 +351,11 @@ void cClientHandle::Authenticate(const AString & a_Name, const cUUID & a_UUID, c
 ASSERT(m_Player == nullptr);
+ if (!BungeeAuthenticate())
+ {
+ return;
+ }
+
 m_Username = a_Name;
 // Only assign UUID and properties if not already pre-assigned (BungeeCord sends those in the Handshake packet):
-- cgit v1.2.3
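Review bot: The token check `ForwardSecret.compare(SentToken) == 0` in `BungeeAuthenticate` stops at the first differing byte, so the time taken to reject a guess depends on how much of the shared secret it matched; a comparison that always walks the whole sent token removes that signal, as sketched below (`ForwardSecret` is non-empty on this path because of `RequireForwardSecret`). The matched `bungeeguard-token` entry also stays in the client's properties after the function returns true; if those properties are later relayed to other clients or handed to plugins, which this diff does not show, the secret would travel with them, so the entry should be dropped once verified. Separately, the warning for proxy connections without a secret is emitted with `LOG` on every login; `LOGWARNING` would make it stand out in the server log.

```cpp
// … unchanged: OnlyAllowBungeeCord check, secret lookup, loop over GetProperties() …
if (Node.get("name", "").asString() == "bungeeguard-token")
{
	const AString SentToken = Node.get("value", "").asString();

	// Fold every byte into Diff instead of returning at the first mismatch
	unsigned char Diff = (SentToken.size() == ForwardSecret.size()) ? 0 : 1;
	for (size_t i = 0; i < SentToken.size(); i++)
	{
		Diff |= static_cast<unsigned char>(SentToken[i] ^ ForwardSecret[i % ForwardSecret.size()]);
	}

	if (Diff == 0)
	{
		return true;
	}

	break;
}
// … unchanged: Kick("Unable to authenticate."), warning for proxies without a secret …
```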
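Review bot: A rejected login leaves no record of the name it claimed, because the added `if (!BungeeAuthenticate())` branch in `Authenticate` runs before `m_Username = a_Name;` and simply returns. Unless the name was stored earlier, whatever `Kick` logs (its body is outside this diff) cannot include it at that point, so a line inside the branch such as `LOGWARNING("Proxy authentication failed for %s", a_Name.c_str());` would give operators something to correlate repeated attempts on. The enclosing `Authenticate` body starts and ends outside the hunk.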