From 872f54688160d49bc0638d71636e00fac09ba34c Mon Sep 17 00:00:00 2001
From: Mat Sutcliffe
Date: Sun, 23 Jan 2022 17:55:39 +0000
Subject: [PATCH] [FSD] Vatsim auth token webservice to avoid sending password as plaintext
---
 src/blackcore/fsd/fsdclient.cpp | 51 ++++++++++++++++++++++++++++++---
 src/blackcore/fsd/fsdclient.h | 5 +++-
 2 files changed, 51 insertions(+), 5 deletions(-)
diff --git a/src/blackcore/fsd/fsdclient.cpp b/src/blackcore/fsd/fsdclient.cpp
index 8941b27ab..389e49ed0 100644
--- a/src/blackcore/fsd/fsdclient.cpp
+++ b/src/blackcore/fsd/fsdclient.cpp
@@ -293,11 +293,11 @@ namespace BlackCore::Fsd
 this->clearState();
 }
- void CFSDClient::sendLogin()
+ void CFSDClient::sendLogin(const QString &token)
 {
 const CServer s = this->getServer();
 const QString cid = s.getUser().getId();
- const QString password = s.getUser().getPassword();
+ const QString password = token.isEmpty() ? s.getUser().getPassword() : token;
 const QString name = s.getUser().getRealNameAndHomeBase(); // m_server.getUser().getRealName();
 const QString callsign = m_ownCallsign.asString();
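Review bot: The fallback on the `password` line, `token.isEmpty() ? s.getUser().getPassword() : token`, means that a token-service reply with `success` true but a missing or empty `token` field silently logs in with the plaintext password, which is exactly what this commit sets out to avoid; the same gap is in the `getVatsimAuthToken` hunk below, where `callback(json.value("token").toString())` is invoked without inspecting the value. In that hunk I would read the token into a local and treat an empty one as a failure: `const QString token = json.value("token").toString(); if (json.value("success").toBool() && !token.isEmpty()) { callback(token); }`, so the plaintext path stays reachable only through the explicit non-VATSIM branch of the caller. sendLogin's body continues outside the hunk.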
@@ -976,11 +976,54 @@ namespace BlackCore::Fsd
 const QString cid = m_server.getUser().getId();
 const ClientIdentification clientIdentification(getOwnCallsignAsString(), vatsim_auth_get_client_id(m_clientAuth), m_clientName, m_versionMajor, m_versionMinor, cid, sysuid.data(), fsdChallenge);
 this->sendQueudedMessage(clientIdentification);
- this->sendLogin();
- this->updateConnectionStatus(CConnectionStatus::Connected);
+
+ if (getServer().getEcosystem().isSystem(CEcosystem::VATSIM))
+ {
+ this->getVatsimAuthToken(cid, m_server.getUser().getPassword(),
+ {
+ this, [this](const QString &token)
+ {
+ this->sendLogin(token);
+ this->updateConnectionStatus(CConnectionStatus::Connected);
+ }
+ });
+ }
+ else
+ {
+ this->sendLogin();
+ this->updateConnectionStatus(CConnectionStatus::Connected);
+ }
 increaseStatisticsValue(QStringLiteral("sendClientIdentification"));
 }
+ void CFSDClient::getVatsimAuthToken(const QString &cid, const QString &password, const BlackMisc::CSlot &callback)
+ {
+ QNetworkRequest nwRequest(QUrl("https://auth.vatsim.net/api/fsd-jwt"));
+ nwRequest.setHeader(QNetworkRequest::ContentTypeHeader, "application/json");
+ const QJsonObject jsonRequest { { "cid", cid }, { "password", password } };
+
+ sApp->postToNetwork(nwRequest, CApplication::NoLogRequestId, QJsonDocument(jsonRequest).toJson(),
+ {
+ this, [ = ](QNetworkReply *nwReply)
+ {
+ nwReply->deleteLater();
+ const QByteArray data = nwReply->readAll();
+ const QJsonObject json = QJsonDocument::fromJson(data).object();
+
+ if (json.value("success").toBool())
+ {
+ callback(json.value("token").toString());
+ }
+ else
+ {
+ const QString error = json.value("error_msg").isString() ?
json.value("error_msg").toString() : nwReply->errorString();
+ CLogMessage(this).error(u"Vatsim auth token endpoint: %1") << error;
+ disconnectFromServer();
+ }
+ }
+ });
+ }
+
 void CFSDClient::sendIncrementalAircraftConfig()
 {
 if (!m_unitTestMode && (!this->isConnected() || !this->getSetupForServer().sendAircraftParts())) { return; }
diff --git a/src/blackcore/fsd/fsdclient.h b/src/blackcore/fsd/fsdclient.h
index 85ff81de8..15b7936a4 100644
--- a/src/blackcore/fsd/fsdclient.h
+++ b/src/blackcore/fsd/fsdclient.h
@@ -257,7 +257,7 @@ namespace BlackCore::Fsd
 //! Convenience functions for sendClientQuery
 //! \remark really private, ONLY used by UNIT test, not CAirspaceMonitor
 //! @{
- void sendLogin();
+ void sendLogin(const QString &token = {});
 void sendDeletePilot();
 void sendDeleteAtc();
 void sendPilotDataUpdate();
@@ -456,6 +456,9 @@ namespace BlackCore::Fsd
 //! String withou colons
 static QString noColons(const QString &input);
+ //! Get a short-lived, one-time-use token from Vatsim web service, to avoid sending plaintext password to FSD
+ void getVatsimAuthToken(const QString &cid, const QString &password, const BlackMisc::CSlot &callback);
+ + vatsim_auth *m_clientAuth = nullptr;
 vatsim_auth *m_serverAuth = nullptr;
 QString m_lastServerAuthChallenge;
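Review bot: The error branch of the reply lambda cannot distinguish a transport or TLS failure from an API rejection or a non-JSON body: `QJsonDocument::fromJson(data)` is called without a `QJsonParseError`, and `nwReply->error()` is only consulted indirectly through `errorString()` once `error_msg` turns out not to be a string, so a proxy or captive-portal page delivered with HTTP 200 ends up logged as an unknown error. I would check `nwReply->error()` before parsing and include the HTTP status in the log, e.g. `const int status = nwReply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();` added to the `CLogMessage` text, which keeps the request body and token out of the log while making failed logins diagnosable. Whether `sApp->postToNetwork` already reports TLS errors is not visible in this hunk, so the added check may partly duplicate it. Replacing the `[ = ]` capture with an explicit `[this, callback]` would also make it evident to a reader that the password is not copied into the closure.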
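Review bot: The new `token` parameter on `sendLogin` is undocumented in the header, and since an empty token makes the implementation fall back to the user's stored password, that contract is worth stating at the declaration. I would add above it `//! \param token one-time FSD auth token obtained from the Vatsim web service; when empty the stored password is sent instead`. The `//! @{` group comment above covers the whole set of convenience functions, so the parameter note belongs on the declaration itself.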