FJurmanovic/acc-server-manager
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

steam 2fa for polling and security
All checks were successful
Release and Deploy / build (push) Successful in 6m8s
Details
Release and Deploy / deploy (push) Successful in 27s
Details

Browse Source
This commit is contained in:
Fran Jurmanović
2025-08-16 16:43:54 +02:00
parent 1683d5c2f1
commit aab5d2ad61
32 changed files with 2191 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/api/main.go
View File

@@ -17,7 +17,6 @@ import (
func main() { func main() {
configs.Init() configs.Init()
jwt.Init()
// Initialize new logging system // Initialize new logging system
if err := logging.InitializeLogging(); err != nil { if err := logging.InitializeLogging(); err != nil {
fmt.Printf("Failed to initialize logging system: %v\n", err) fmt.Printf("Failed to initialize logging system: %v\n", err)
@@ -37,6 +36,8 @@ func main() {
logging.InfoStartup("APPLICATION", "ACC Server Manager starting up") logging.InfoStartup("APPLICATION", "ACC Server Manager starting up")
di := dig.New() di := dig.New()
di.Provide(func() *jwt.JWTHandler { return jwt.NewJWTHandler(os.Getenv("JWT_SECRET")) })
di.Provide(func() *jwt.OpenJWTHandler { return jwt.NewOpenJWTHandler(os.Getenv("JWT_SECRET_OPEN")) })
cache.Start(di) cache.Start(di)
db.Start(di) db.Start(di)
server.Start(di) server.Start(di)

243
docs/STEAM_2FA_IMPLEMENTATION.md Normal file
View File

@@ -0,0 +1,243 @@
# Steam 2FA Implementation Documentation
## Overview
This document describes the implementation of Steam Two-Factor Authentication (2FA) support for the ACC Server Manager. When SteamCMD requires 2FA confirmation during server installation or updates, the system now signals the frontend and waits for user confirmation before proceeding.
## Architecture
The 2FA implementation consists of several interconnected components:
### Backend Components
1. **Steam2FAManager** (`local/model/steam_2fa.go`)
- Thread-safe management of 2FA requests
- Request lifecycle tracking (pending → complete/error)
- Channel-based waiting mechanism for synchronization
2. **InteractiveCommandExecutor** (`local/utl/command/interactive_executor.go`)
- Monitors SteamCMD output for 2FA prompts
- Creates 2FA requests when prompts are detected
- Waits for user confirmation before proceeding
3. **Steam2FAController** (`local/controller/steam_2fa.go`)
- REST API endpoints for 2FA management
- Handles frontend requests to complete/cancel 2FA
4. **Updated SteamService** (`local/service/steam_service.go`)
- Uses InteractiveCommandExecutor for SteamCMD operations
- Passes server context to 2FA requests
### Frontend Components
1. **Steam2FA Store** (`src/stores/steam2fa.ts`)
- Svelte store for managing 2FA state
- Automatic polling for pending requests
- API communication methods
2. **Steam2FANotification Component** (`src/components/Steam2FANotification.svelte`)
- Modal UI for 2FA confirmation
- Automatic display when requests are pending
- User interaction handling
3. **Type Definitions** (`src/models/steam2fa.ts`)
- TypeScript interfaces for 2FA data structures
## API Endpoints
### GET /v1/steam2fa/pending
Returns all pending 2FA requests.
**Response:**
```json
[
{
"id": "uuid-string",
"status": "pending",
"message": "Steam Guard prompt message",
"requestTime": "2024-01-01T12:00:00Z",
"serverId": "server-uuid"
}
]
```
### GET /v1/steam2fa/{id}
Returns a specific 2FA request by ID.
### POST /v1/steam2fa/{id}/complete
Marks a 2FA request as completed, allowing SteamCMD to proceed.
### POST /v1/steam2fa/{id}/cancel
Cancels a 2FA request, causing the SteamCMD operation to fail.
## Flow Diagram
```
SteamCMD Operation
InteractiveCommandExecutor monitors output
2FA prompt detected
Steam2FARequest created
Frontend polls and detects request
Modal appears for user
User confirms in Steam Mobile App
User clicks "I've Confirmed"
API call to complete request
SteamCMD operation continues
```
## Configuration
### Backend Configuration
The system uses existing configuration patterns. No additional environment variables are required.
### Frontend Configuration
The API base URL is automatically configured as `/v1` to match the backend prefix.
Polling interval is set to 5 seconds by default and can be modified in `steam2fa.ts`:
```typescript
const POLLING_INTERVAL = 5000; // milliseconds
```
## Security Considerations
1. **Authentication Required**: All 2FA endpoints require user authentication
2. **Permission-Based Access**: Uses existing `ServerView` and `ServerUpdate` permissions
3. **Request Cleanup**: Automatic cleanup of old requests (30 minutes) prevents memory leaks
4. **No Sensitive Data**: No Steam credentials are exposed through the 2FA system
## Error Handling
### Backend Error Handling
- Timeouts after 5 minutes if no user response
- Proper error propagation to calling services
- Comprehensive logging for debugging
### Frontend Error Handling
- Network error handling with user feedback
- Automatic retry mechanisms
- Graceful degradation when API is unavailable
## Usage Instructions
### For Developers
1. **Adding New 2FA Prompts**: Extend the `is2FAPrompt` function in `interactive_executor.go`
2. **Customizing Timeouts**: Modify the timeout duration in `handle2FAPrompt`
3. **UI Customization**: Modify the `Steam2FANotification.svelte` component
### For Users
1. When creating or updating a server, watch for the 2FA notification
2. Check your Steam Mobile App when prompted
3. Confirm the login request in the Steam app
4. Click "I've Confirmed" in the web interface
5. The server operation will continue automatically
## Monitoring and Debugging
### Backend Logs
The system logs important events:
- 2FA prompt detection
- Request creation and completion
- Timeout events
- Error conditions
Search for log entries containing:
- `2FA prompt detected`
- `Created 2FA request`
- `2FA completed successfully`
- `2FA completion failed`
### Frontend Debugging
The Steam2FA store provides debugging information:
- `$steam2fa.error` - Current error state
- `$steam2fa.isLoading` - Loading state
- `$steam2fa.lastChecked` - Last polling timestamp
## Performance Considerations
1. **Polling Frequency**: 5-second polling provides good responsiveness without excessive load
2. **Request Cleanup**: Automatic cleanup prevents memory accumulation
3. **Efficient UI Updates**: Reactive Svelte stores minimize unnecessary re-renders
## Limitations
1. **Single User Sessions**: Currently designed for single-user scenarios
2. **Steam Mobile App Required**: Users must have Steam Mobile App installed
3. **Manual Confirmation**: No automatic 2FA code input support
## Future Enhancements
1. **WebSocket Support**: Real-time communication instead of polling
2. **Multiple User Support**: Handle multiple simultaneous 2FA requests
3. **Enhanced Prompt Detection**: More sophisticated Steam output parsing
4. **Notification System**: Browser notifications for 2FA requests
## Testing
### Manual Testing
1. Create a new server to trigger SteamCMD
2. Ensure Steam account has 2FA enabled
3. Verify modal appears when 2FA is required
4. Test both "confirm" and "cancel" workflows
### Automated Testing
The system includes comprehensive error handling but manual testing is recommended for 2FA workflows due to the interactive nature.
## Troubleshooting
### Common Issues
1. **Modal doesn't appear**
- Check browser console for errors
- Verify API connectivity
- Ensure user has proper permissions
2. **SteamCMD hangs**
- Check if 2FA request was created (backend logs)
- Verify Steam Mobile App connectivity
- Check for timeout errors
3. **API errors**
- Verify user authentication
- Check server permissions
- Review backend error logs
### Debug Commands
```bash
# Check backend logs for 2FA events
grep -i "2fa" logs/app.log
# Monitor API requests
tail -f logs/app.log | grep "steam2fa"
```
## Version History
- **v1.0.0**: Initial implementation with polling-based frontend and REST API
- Added comprehensive error handling and logging
- Implemented automatic request cleanup
- Added responsive UI components
## Contributing
When contributing to the 2FA system:
1. Follow existing error handling patterns
2. Add comprehensive logging for new features
3. Update this documentation for any API changes
4. Test with actual Steam 2FA scenarios
5. Consider security implications of any changes

1
local/api/api.go
View File

@@ -31,6 +31,7 @@ func Init(di *dig.Container, app *fiber.App) {
StateHistory: serverIdGroup.Group("/state-history"), StateHistory: serverIdGroup.Group("/state-history"),
Membership: groups.Group("/membership"), Membership: groups.Group("/membership"),
System: groups.Group("/system"), System: groups.Group("/system"),
Steam2FA: groups.Group("/steam2fa"),
} }
accessKeyMiddleware := middleware.NewAccessKeyMiddleware() accessKeyMiddleware := middleware.NewAccessKeyMiddleware()

5
local/controller/controller.go
View File

@@ -54,4 +54,9 @@ func InitializeControllers(c *dig.Container) {
if err != nil { if err != nil {
logging.Panic("unable to initialize membership controller") logging.Panic("unable to initialize membership controller")
} }
err = c.Invoke(NewSteam2FAController)
if err != nil {
logging.Panic("unable to initialize steam 2fa controller")
}
} }

21
local/controller/membership.go
View File

@@ -34,6 +34,7 @@ func NewMembershipController(service *service.MembershipService, auth *middlewar
} }
routeGroups.Auth.Post("/login", mc.Login) routeGroups.Auth.Post("/login", mc.Login)
routeGroups.Auth.Post("/open-token", mc.GenerateOpenToken)
usersGroup := routeGroups.Membership usersGroup := routeGroups.Membership
usersGroup.Use(mc.auth.Authenticate) usersGroup.Use(mc.auth.Authenticate)
@@ -82,6 +83,26 @@ func (c *MembershipController) Login(ctx *fiber.Ctx) error {
return ctx.JSON(fiber.Map{"token": token}) return ctx.JSON(fiber.Map{"token": token})
} }
// GenerateOpenToken generates an open token for a user.
// @Summary Generate an open token
// @Description Generate an open token for a user
// @Tags Authentication
// @Accept json
// @Produce json
// @Success 200 {object} object{token=string} "JWT token"
// @Failure 400 {object} error_handler.ErrorResponse "Invalid request body"
// @Failure 401 {object} error_handler.ErrorResponse "Invalid credentials"
// @Failure 500 {object} error_handler.ErrorResponse "Internal server error"
// @Router /auth/open-token [post]
func (c *MembershipController) GenerateOpenToken(ctx *fiber.Ctx) error {
token, err := c.service.GenerateOpenToken(ctx.UserContext(), ctx.Locals("userId").(string))
if err != nil {
return c.errorHandler.HandleAuthError(ctx, err)
}
return ctx.JSON(fiber.Map{"token": token})
}
// CreateUser creates a new user. // CreateUser creates a new user.
// @Summary Create a new user // @Summary Create a new user
// @Description Create a new user account with specified role // @Description Create a new user account with specified role

139
local/controller/steam_2fa.go Normal file
View File

@@ -0,0 +1,139 @@
package controller
import (
"acc-server-manager/local/middleware"
"acc-server-manager/local/model"
"acc-server-manager/local/utl/common"
"acc-server-manager/local/utl/error_handler"
"acc-server-manager/local/utl/jwt"
"github.com/gofiber/fiber/v2"
)
type Steam2FAController struct {
tfaManager *model.Steam2FAManager
errorHandler *error_handler.ControllerErrorHandler
jwtHandler *jwt.OpenJWTHandler
}
func NewSteam2FAController(tfaManager *model.Steam2FAManager, routeGroups *common.RouteGroups, auth *middleware.AuthMiddleware, jwtHandler *jwt.OpenJWTHandler) *Steam2FAController {
controller := &Steam2FAController{
tfaManager: tfaManager,
errorHandler: error_handler.NewControllerErrorHandler(),
jwtHandler: jwtHandler,
}
steam2faRoutes := routeGroups.Steam2FA
steam2faRoutes.Use(auth.AuthenticateOpen)
// Define routes
steam2faRoutes.Get("/pending", auth.HasPermission(model.ServerView), controller.GetPendingRequests)
steam2faRoutes.Get("/:id", auth.HasPermission(model.ServerView), controller.GetRequest)
steam2faRoutes.Post("/:id/complete", auth.HasPermission(model.ServerUpdate), controller.CompleteRequest)
steam2faRoutes.Post("/:id/cancel", auth.HasPermission(model.ServerUpdate), controller.CancelRequest)
return controller
}
// GetPendingRequests gets all pending 2FA requests
//
// @Summary Get pending 2FA requests
// @Description Get all pending Steam 2FA authentication requests
// @Tags Steam 2FA
// @Accept json
// @Produce json
// @Success 200 {array} model.Steam2FARequest
// @Failure 500 {object} error_handler.ErrorResponse
// @Router /steam2fa/pending [get]
func (c *Steam2FAController) GetPendingRequests(ctx *fiber.Ctx) error {
requests := c.tfaManager.GetPendingRequests()
return ctx.JSON(requests)
}
// GetRequest gets a specific 2FA request by ID
//
// @Summary Get 2FA request
// @Description Get a specific Steam 2FA authentication request by ID
// @Tags Steam 2FA
// @Accept json
// @Produce json
// @Param id path string true "2FA Request ID"
// @Success 200 {object} model.Steam2FARequest
// @Failure 404 {object} error_handler.ErrorResponse
// @Failure 500 {object} error_handler.ErrorResponse
// @Router /steam2fa/{id} [get]
func (c *Steam2FAController) GetRequest(ctx *fiber.Ctx) error {
id := ctx.Params("id")
if id == "" {
return c.errorHandler.HandleError(ctx, fiber.ErrBadRequest, fiber.StatusBadRequest)
}
request, exists := c.tfaManager.GetRequest(id)
if !exists {
return c.errorHandler.HandleNotFoundError(ctx, "2FA request")
}
return ctx.JSON(request)
}
// CompleteRequest marks a 2FA request as completed
//
// @Summary Complete 2FA request
// @Description Mark a Steam 2FA authentication request as completed
// @Tags Steam 2FA
// @Accept json
// @Produce json
// @Param id path string true "2FA Request ID"
// @Success 200 {object} model.Steam2FARequest
// @Failure 400 {object} error_handler.ErrorResponse
// @Failure 404 {object} error_handler.ErrorResponse
// @Failure 500 {object} error_handler.ErrorResponse
// @Router /steam2fa/{id}/complete [post]
func (c *Steam2FAController) CompleteRequest(ctx *fiber.Ctx) error {
id := ctx.Params("id")
if id == "" {
return c.errorHandler.HandleError(ctx, fiber.ErrBadRequest, fiber.StatusBadRequest)
}
if err := c.tfaManager.CompleteRequest(id); err != nil {
return c.errorHandler.HandleError(ctx, err, fiber.StatusBadRequest)
}
request, exists := c.tfaManager.GetRequest(id)
if !exists {
return c.errorHandler.HandleNotFoundError(ctx, "2FA request")
}
return ctx.JSON(request)
}
// CancelRequest cancels a 2FA request
//
// @Summary Cancel 2FA request
// @Description Cancel a Steam 2FA authentication request
// @Tags Steam 2FA
// @Accept json
// @Produce json
// @Param id path string true "2FA Request ID"
// @Success 200 {object} model.Steam2FARequest
// @Failure 400 {object} error_handler.ErrorResponse
// @Failure 404 {object} error_handler.ErrorResponse
// @Failure 500 {object} error_handler.ErrorResponse
// @Router /steam2fa/{id}/cancel [post]
func (c *Steam2FAController) CancelRequest(ctx *fiber.Ctx) error {
id := ctx.Params("id")
if id == "" {
return c.errorHandler.HandleError(ctx, fiber.ErrBadRequest, fiber.StatusBadRequest)
}
if err := c.tfaManager.ErrorRequest(id, "cancelled by user"); err != nil {
return c.errorHandler.HandleError(ctx, err, fiber.StatusBadRequest)
}
request, exists := c.tfaManager.GetRequest(id)
if !exists {
return c.errorHandler.HandleNotFoundError(ctx, "2FA request")
}
return ctx.JSON(request)
}

17
local/middleware/auth.go
View File

@@ -30,14 +30,18 @@ type AuthMiddleware struct {
membershipService *service.MembershipService membershipService *service.MembershipService
cache *cache.InMemoryCache cache *cache.InMemoryCache
securityMW *security.SecurityMiddleware securityMW *security.SecurityMiddleware
jwtHandler *jwt.JWTHandler
openJWTHandler *jwt.OpenJWTHandler
} }
// NewAuthMiddleware creates a new AuthMiddleware. // NewAuthMiddleware creates a new AuthMiddleware.
func NewAuthMiddleware(ms *service.MembershipService, cache *cache.InMemoryCache) *AuthMiddleware { func NewAuthMiddleware(ms *service.MembershipService, cache *cache.InMemoryCache, jwtHandler *jwt.JWTHandler, openJWTHandler *jwt.OpenJWTHandler) *AuthMiddleware {
auth := &AuthMiddleware{ auth := &AuthMiddleware{
membershipService: ms, membershipService: ms,
cache: cache, cache: cache,
securityMW: security.NewSecurityMiddleware(), securityMW: security.NewSecurityMiddleware(),
jwtHandler: jwtHandler,
openJWTHandler: openJWTHandler,
} }
// Set up bidirectional relationship for cache invalidation // Set up bidirectional relationship for cache invalidation
@@ -46,8 +50,17 @@ func NewAuthMiddleware(ms *service.MembershipService, cache *cache.InMemoryCache
return auth return auth
} }
// Authenticate is a middleware for JWT authentication with enhanced security.
func (m *AuthMiddleware) AuthenticateOpen(ctx *fiber.Ctx) error {
return m.AuthenticateWithHandler(m.openJWTHandler.JWTHandler, ctx)
}
// Authenticate is a middleware for JWT authentication with enhanced security. // Authenticate is a middleware for JWT authentication with enhanced security.
func (m *AuthMiddleware) Authenticate(ctx *fiber.Ctx) error { func (m *AuthMiddleware) Authenticate(ctx *fiber.Ctx) error {
return m.AuthenticateWithHandler(m.jwtHandler, ctx)
}
func (m *AuthMiddleware) AuthenticateWithHandler(jwtHandler *jwt.JWTHandler, ctx *fiber.Ctx) error {
// Log authentication attempt // Log authentication attempt
ip := ctx.IP() ip := ctx.IP()
userAgent := ctx.Get("User-Agent") userAgent := ctx.Get("User-Agent")
@@ -77,7 +90,7 @@ func (m *AuthMiddleware) Authenticate(ctx *fiber.Ctx) error {
}) })
} }
claims, err := jwt.ValidateToken(token) claims, err := jwtHandler.ValidateToken(token)
if err != nil { if err != nil {
logging.Error("Authentication failed: invalid token from IP %s, User-Agent: %s, Error: %v", ip, userAgent, err) logging.Error("Authentication failed: invalid token from IP %s, User-Agent: %s, Error: %v", ip, userAgent, err)
return ctx.Status(fiber.StatusUnauthorized).JSON(fiber.Map{ return ctx.Status(fiber.StatusUnauthorized).JSON(fiber.Map{

72
local/middleware/security/security.go
View File

@@ -1,6 +1,7 @@
package security package security
import ( import (
"acc-server-manager/local/utl/graceful"
"context" "context"
"fmt" "fmt"
"strings" "strings"
@@ -22,22 +23,28 @@ func NewRateLimiter() *RateLimiter {
requests: make(map[string][]time.Time), requests: make(map[string][]time.Time),
} }
// Clean up old entries every 5 minutes // Use graceful shutdown for cleanup goroutine
go rl.cleanup() shutdownManager := graceful.GetManager()
shutdownManager.RunGoroutine(func(ctx context.Context) {
rl.cleanupWithContext(ctx)
})
return rl return rl
} }
// cleanup removes old entries from the rate limiter // cleanup removes old entries from the rate limiter
func (rl *RateLimiter) cleanup() { func (rl *RateLimiter) cleanupWithContext(ctx context.Context) {
ticker := time.NewTicker(5 * time.Minute) ticker := time.NewTicker(5 * time.Minute)
defer ticker.Stop() defer ticker.Stop()
for range ticker.C { for {
select {
case <-ctx.Done():
return
case <-ticker.C:
rl.mutex.Lock() rl.mutex.Lock()
now := time.Now() now := time.Now()
for key, times := range rl.requests { for key, times := range rl.requests {
// Remove entries older than 1 hour
filtered := make([]time.Time, 0, len(times)) filtered := make([]time.Time, 0, len(times))
for _, t := range times { for _, t := range times {
if now.Sub(t) < time.Hour { if now.Sub(t) < time.Hour {
@@ -52,6 +59,7 @@ func (rl *RateLimiter) cleanup() {
} }
rl.mutex.Unlock() rl.mutex.Unlock()
} }
}
} }
// SecurityMiddleware provides comprehensive security middleware // SecurityMiddleware provides comprehensive security middleware
@@ -189,13 +197,13 @@ func (sm *SecurityMiddleware) InputSanitization() fiber.Handler {
// sanitizeInput removes potentially dangerous patterns from input // sanitizeInput removes potentially dangerous patterns from input
func sanitizeInput(input string) string { func sanitizeInput(input string) string {
// Remove common XSS patterns
dangerous := []string{ dangerous := []string{
"<script", "<script",
"</script>", "</script>",
"javascript:", "javascript:",
"vbscript:", "vbscript:",
"data:text/html", "data:text/html",
"data:application",
"onload=", "onload=",
"onerror=", "onerror=",
"onclick=", "onclick=",
@@ -204,25 +212,46 @@ func sanitizeInput(input string) string {
"onblur=", "onblur=",
"onchange=", "onchange=",
"onsubmit=", "onsubmit=",
"onkeydown=",
"onkeyup=",
"<iframe", "<iframe",
"<object", "<object",
"<embed", "<embed",
"<link", "<link",
"<meta", "<meta",
"<style", "<style",
"<form",
"<input",
"<button",
"<svg",
"<math",
"expression(",
"@import",
"url(",
"\\x",
"\\u",
"&#x",
"&#",
} }
result := strings.ToLower(input) result := input
lowerInput := strings.ToLower(input)
for _, pattern := range dangerous { for _, pattern := range dangerous {
result = strings.ReplaceAll(result, pattern, "") if strings.Contains(lowerInput, pattern) {
return ""
}
} }
// If the sanitized version is very different, it might be malicious if strings.Contains(result, "\x00") {
if len(result) < len(input)/2 {
return "" return ""
} }
return input if len(strings.TrimSpace(result)) == 0 && len(input) > 0 {
return ""
}
return result
} }
// ValidateContentType ensures only expected content types are accepted // ValidateContentType ensures only expected content types are accepted
@@ -349,3 +378,24 @@ func (sm *SecurityMiddleware) TimeoutMiddleware(timeout time.Duration) fiber.Han
return c.Next() return c.Next()
} }
} }
func (sm *SecurityMiddleware) RequestContextTimeout(timeout time.Duration) fiber.Handler {
return func(c *fiber.Ctx) error {
ctx, cancel := context.WithTimeout(c.UserContext(), timeout)
defer cancel()
done := make(chan error, 1)
go func() {
done <- c.Next()
}()
select {
case err := <-done:
return err
case <-ctx.Done():
return c.Status(fiber.StatusRequestTimeout).JSON(fiber.Map{
"error": "Request timeout",
})
}
}
}

168
local/model/steam_2fa.go Normal file
View File

@@ -0,0 +1,168 @@
package model
import (
"fmt"
"sync"
"time"
"github.com/google/uuid"
)
type Steam2FAStatus string
const (
Steam2FAStatusIdle Steam2FAStatus = "idle"
Steam2FAStatusPending Steam2FAStatus = "pending"
Steam2FAStatusComplete Steam2FAStatus = "complete"
Steam2FAStatusError Steam2FAStatus = "error"
)
type Steam2FARequest struct {
ID string `json:"id"`
Status Steam2FAStatus `json:"status"`
Message string `json:"message"`
RequestTime time.Time `json:"requestTime"`
CompletedAt *time.Time `json:"completedAt,omitempty"`
ErrorMsg string `json:"errorMsg,omitempty"`
ServerID *uuid.UUID `json:"serverId,omitempty"`
}
// Steam2FAManager manages 2FA requests and responses
type Steam2FAManager struct {
mu sync.RWMutex
requests map[string]*Steam2FARequest
channels map[string]chan bool
}
func NewSteam2FAManager() *Steam2FAManager {
return &Steam2FAManager{
requests: make(map[string]*Steam2FARequest),
channels: make(map[string]chan bool),
}
}
func (m *Steam2FAManager) CreateRequest(message string, serverID *uuid.UUID) *Steam2FARequest {
m.mu.Lock()
defer m.mu.Unlock()
id := uuid.New().String()
request := &Steam2FARequest{
ID: id,
Status: Steam2FAStatusPending,
Message: message,
RequestTime: time.Now(),
ServerID: serverID,
}
m.requests[id] = request
m.channels[id] = make(chan bool, 1)
return request
}
func (m *Steam2FAManager) GetRequest(id string) (*Steam2FARequest, bool) {
m.mu.RLock()
defer m.mu.RUnlock()
req, exists := m.requests[id]
return req, exists
}
func (m *Steam2FAManager) GetPendingRequests() []*Steam2FARequest {
m.mu.RLock()
defer m.mu.RUnlock()
var pending []*Steam2FARequest
for _, req := range m.requests {
if req.Status == Steam2FAStatusPending {
pending = append(pending, req)
}
}
return pending
}
func (m *Steam2FAManager) CompleteRequest(id string) error {
m.mu.Lock()
defer m.mu.Unlock()
req, exists := m.requests[id]
if !exists {
return fmt.Errorf("request %s not found", id)
}
if req.Status != Steam2FAStatusPending {
return fmt.Errorf("request %s is not pending", id)
}
now := time.Now()
req.Status = Steam2FAStatusComplete
req.CompletedAt = &now
// Signal the waiting goroutine
if ch, exists := m.channels[id]; exists {
select {
case ch <- true:
default:
}
}
return nil
}
func (m *Steam2FAManager) ErrorRequest(id string, errorMsg string) error {
m.mu.Lock()
defer m.mu.Unlock()
req, exists := m.requests[id]
if !exists {
return fmt.Errorf("request %s not found", id)
}
req.Status = Steam2FAStatusError
req.ErrorMsg = errorMsg
// Signal the waiting goroutine with error
if ch, exists := m.channels[id]; exists {
select {
case ch <- false:
default:
}
}
return nil
}
func (m *Steam2FAManager) WaitForCompletion(id string, timeout time.Duration) (bool, error) {
m.mu.RLock()
ch, exists := m.channels[id]
m.mu.RUnlock()
if !exists {
return false, fmt.Errorf("request %s not found", id)
}
select {
case success := <-ch:
return success, nil
case <-time.After(timeout):
// Timeout - mark as error
m.ErrorRequest(id, "timeout waiting for 2FA confirmation")
return false, fmt.Errorf("timeout waiting for 2FA confirmation")
}
}
func (m *Steam2FAManager) CleanupOldRequests(maxAge time.Duration) {
m.mu.Lock()
defer m.mu.Unlock()
cutoff := time.Now().Add(-maxAge)
for id, req := range m.requests {
if req.RequestTime.Before(cutoff) {
delete(m.requests, id)
if ch, exists := m.channels[id]; exists {
close(ch)
delete(m.channels, id)
}
}
}
}

31
local/repository/repository.go
View File

@@ -1,6 +1,12 @@
package repository package repository
import ( import (
"acc-server-manager/local/model"
"acc-server-manager/local/utl/graceful"
"acc-server-manager/local/utl/logging"
"context"
"time"
"go.uber.org/dig" "go.uber.org/dig"
) )
@@ -17,4 +23,29 @@ func InitializeRepositories(c *dig.Container) {
c.Provide(NewLookupRepository) c.Provide(NewLookupRepository)
c.Provide(NewSteamCredentialsRepository) c.Provide(NewSteamCredentialsRepository)
c.Provide(NewMembershipRepository) c.Provide(NewMembershipRepository)
// Provide the Steam2FAManager as a singleton
if err := c.Provide(func() *model.Steam2FAManager {
manager := model.NewSteam2FAManager()
// Use graceful shutdown manager for cleanup goroutine
shutdownManager := graceful.GetManager()
shutdownManager.RunGoroutine(func(ctx context.Context) {
ticker := time.NewTicker(15 * time.Minute)
defer ticker.Stop()
for {
select {
case <-ctx.Done():
return
case <-ticker.C:
manager.CleanupOldRequests(30 * time.Minute)
}
}
})
return manager
}); err != nil {
logging.Panic("unable to initialize steam 2fa manager")
}
} }

33
local/service/membership.go
View File

@@ -22,13 +22,17 @@ type CacheInvalidator interface {
type MembershipService struct { type MembershipService struct {
repo *repository.MembershipRepository repo *repository.MembershipRepository
cacheInvalidator CacheInvalidator cacheInvalidator CacheInvalidator
jwtHandler *jwt.JWTHandler
openJwtHandler *jwt.OpenJWTHandler
} }
// NewMembershipService creates a new MembershipService. // NewMembershipService creates a new MembershipService.
func NewMembershipService(repo *repository.MembershipRepository) *MembershipService { func NewMembershipService(repo *repository.MembershipRepository, jwtHandler *jwt.JWTHandler, openJwtHandler *jwt.OpenJWTHandler) *MembershipService {
return &MembershipService{ return &MembershipService{
repo: repo, repo: repo,
cacheInvalidator: nil, // Will be set later via SetCacheInvalidator cacheInvalidator: nil, // Will be set later via SetCacheInvalidator
jwtHandler: jwtHandler,
openJwtHandler: openJwtHandler,
} }
} }
@@ -38,18 +42,37 @@ func (s *MembershipService) SetCacheInvalidator(invalidator CacheInvalidator) {
} }
// Login authenticates a user and returns a JWT. // Login authenticates a user and returns a JWT.
func (s *MembershipService) Login(ctx context.Context, username, password string) (string, error) { func (s *MembershipService) HandleLogin(ctx context.Context, username, password string) (*model.User, error) {
user, err := s.repo.FindUserByUsername(ctx, username) user, err := s.repo.FindUserByUsername(ctx, username)
if err != nil { if err != nil {
return "", errors.New("invalid credentials") return nil, errors.New("invalid credentials")
} }
// Use secure password verification with constant-time comparison // Use secure password verification with constant-time comparison
if err := user.VerifyPassword(password); err != nil { if err := user.VerifyPassword(password); err != nil {
return "", errors.New("invalid credentials") return nil, errors.New("invalid credentials")
} }
return jwt.GenerateToken(user) return user, nil
}
// Login authenticates a user and returns a JWT.
func (s *MembershipService) Login(ctx context.Context, username, password string) (string, error) {
user, err := s.HandleLogin(ctx, username, password)
if err != nil {
return "", err
}
return s.jwtHandler.GenerateToken(user)
}
func (s *MembershipService) GenerateOpenToken(ctx context.Context, userId string) (string, error) {
user, err := s.repo.GetByID(ctx, userId)
if err != nil {
return "", err
}
return s.openJwtHandler.GenerateToken(user)
} }
// CreateUser creates a new user. // CreateUser creates a new user.

4
local/service/server.go
View File

@@ -337,7 +337,7 @@ func (s *ServerService) CreateServer(ctx *fiber.Ctx, server *model.Server) error
} }
// Install server using SteamCMD // Install server using SteamCMD
if err := s.steamService.InstallServer(ctx.UserContext(), server.GetServerPath()); err != nil { if err := s.steamService.InstallServer(ctx.UserContext(), server.GetServerPath(), &server.ID); err != nil {
return fmt.Errorf("failed to install server: %v", err) return fmt.Errorf("failed to install server: %v", err)
} }
@@ -450,7 +450,7 @@ func (s *ServerService) UpdateServer(ctx *fiber.Ctx, server *model.Server) error
// Update server files if path changed // Update server files if path changed
if existingServer.Path != server.Path { if existingServer.Path != server.Path {
if err := s.steamService.InstallServer(ctx.UserContext(), server.Path); err != nil { if err := s.steamService.InstallServer(ctx.UserContext(), server.Path, &server.ID); err != nil {
return fmt.Errorf("failed to install server to new location: %v", err) return fmt.Errorf("failed to install server to new location: %v", err)
} }
// Clean up old installation // Clean up old installation

2
local/service/service.go
View File

@@ -18,12 +18,12 @@ func InitializeServices(c *dig.Container) {
logging.Debug("Registering services") logging.Debug("Registering services")
// Provide services // Provide services
c.Provide(NewSteamService)
c.Provide(NewServerService) c.Provide(NewServerService)
c.Provide(NewStateHistoryService) c.Provide(NewStateHistoryService)
c.Provide(NewServiceControlService) c.Provide(NewServiceControlService)
c.Provide(NewConfigService) c.Provide(NewConfigService)
c.Provide(NewLookupService) c.Provide(NewLookupService)
c.Provide(NewSteamService)
c.Provide(NewWindowsService) c.Provide(NewWindowsService)
c.Provide(NewFirewallService) c.Provide(NewFirewallService)
c.Provide(NewMembershipService) c.Provide(NewMembershipService)

52
local/service/steam_service.go
View File

@@ -6,10 +6,14 @@ import (
"acc-server-manager/local/utl/command" "acc-server-manager/local/utl/command"
"acc-server-manager/local/utl/env" "acc-server-manager/local/utl/env"
"acc-server-manager/local/utl/logging" "acc-server-manager/local/utl/logging"
"acc-server-manager/local/utl/security"
"context" "context"
"fmt" "fmt"
"os" "os"
"path/filepath" "path/filepath"
"time"
"github.com/google/uuid"
) )
const ( const (
@@ -18,16 +22,26 @@ const (
type SteamService struct { type SteamService struct {
executor *command.CommandExecutor executor *command.CommandExecutor
interactiveExecutor *command.InteractiveCommandExecutor
repository *repository.SteamCredentialsRepository repository *repository.SteamCredentialsRepository
tfaManager *model.Steam2FAManager
pathValidator *security.PathValidator
downloadVerifier *security.DownloadVerifier
} }
func NewSteamService(repository *repository.SteamCredentialsRepository) *SteamService { func NewSteamService(repository *repository.SteamCredentialsRepository, tfaManager *model.Steam2FAManager) *SteamService {
return &SteamService{ baseExecutor := &command.CommandExecutor{
executor: &command.CommandExecutor{
ExePath: "powershell", ExePath: "powershell",
LogOutput: true, LogOutput: true,
}, }
return &SteamService{
executor: baseExecutor,
interactiveExecutor: command.NewInteractiveCommandExecutor(baseExecutor, tfaManager),
repository: repository, repository: repository,
tfaManager: tfaManager,
pathValidator: security.NewPathValidator(),
downloadVerifier: security.NewDownloadVerifier(),
} }
} }
@@ -42,7 +56,7 @@ func (s *SteamService) SaveCredentials(ctx context.Context, creds *model.SteamCr
return s.repository.Save(ctx, creds) return s.repository.Save(ctx, creds)
} }
func (s *SteamService) ensureSteamCMD(ctx context.Context) error { func (s *SteamService) ensureSteamCMD(_ context.Context) error {
// Get SteamCMD path from environment variable // Get SteamCMD path from environment variable
steamCMDPath := env.GetSteamCMDPath() steamCMDPath := env.GetSteamCMDPath()
steamCMDDir := filepath.Dir(steamCMDPath) steamCMDDir := filepath.Dir(steamCMDPath)
@@ -57,10 +71,13 @@ func (s *SteamService) ensureSteamCMD(ctx context.Context) error {
return fmt.Errorf("failed to create SteamCMD directory: %v", err) return fmt.Errorf("failed to create SteamCMD directory: %v", err)
} }
// Download and install SteamCMD // Download and install SteamCMD securely
logging.Info("Downloading SteamCMD...") logging.Info("Downloading SteamCMD...")
if err := s.executor.Execute("-Command", steamCMDZip := filepath.Join(steamCMDDir, "steamcmd.zip")
"Invoke-WebRequest -Uri 'https://steamcdn-a.akamaihd.net/client/installer/steamcmd.zip' -OutFile 'steamcmd.zip'"); err != nil { if err := s.downloadVerifier.VerifyAndDownload(
"https://steamcdn-a.akamaihd.net/client/installer/steamcmd.zip",
steamCMDZip,
""); err != nil {
return fmt.Errorf("failed to download SteamCMD: %v", err) return fmt.Errorf("failed to download SteamCMD: %v", err)
} }
@@ -76,11 +93,16 @@ func (s *SteamService) ensureSteamCMD(ctx context.Context) error {
return nil return nil
} }
func (s *SteamService) InstallServer(ctx context.Context, installPath string) error { func (s *SteamService) InstallServer(ctx context.Context, installPath string, serverID *uuid.UUID) error {
if err := s.ensureSteamCMD(ctx); err != nil { if err := s.ensureSteamCMD(ctx); err != nil {
return err return err
} }
// Validate installation path for security
if err := s.pathValidator.ValidateInstallPath(installPath); err != nil {
return fmt.Errorf("invalid installation path: %v", err)
}
// Convert to absolute path and ensure proper Windows path format // Convert to absolute path and ensure proper Windows path format
absPath, err := filepath.Abs(installPath) absPath, err := filepath.Abs(installPath)
if err != nil { if err != nil {
@@ -126,17 +148,15 @@ func (s *SteamService) InstallServer(ctx context.Context, installPath string) er
"+quit", "+quit",
) )
// Run SteamCMD // Use interactive executor to handle potential 2FA prompts
logging.Info("Installing ACC server to %s...", absPath) logging.Info("Installing ACC server to %s...", absPath)
if err := s.executor.Execute(args...); err != nil { if err := s.interactiveExecutor.ExecuteInteractive(ctx, serverID, args...); err != nil {
return fmt.Errorf("failed to run SteamCMD: %v", err) return fmt.Errorf("failed to run SteamCMD: %v", err)
} }
// Add a delay to allow Steam to properly cleanup // Add a delay to allow Steam to properly cleanup
logging.Info("Waiting for Steam operations to complete...") logging.Info("Waiting for Steam operations to complete...")
if err := s.executor.Execute("-Command", "Start-Sleep -Seconds 5"); err != nil { time.Sleep(5 * time.Second)
logging.Warn("Failed to wait after Steam operations: %v", err)
}
// Verify installation // Verify installation
exePath := filepath.Join(absPath, "server", "accServer.exe") exePath := filepath.Join(absPath, "server", "accServer.exe")
@@ -148,8 +168,8 @@ func (s *SteamService) InstallServer(ctx context.Context, installPath string) er
return nil return nil
} }
func (s *SteamService) UpdateServer(ctx context.Context, installPath string) error { func (s *SteamService) UpdateServer(ctx context.Context, installPath string, serverID *uuid.UUID) error {
return s.InstallServer(ctx, installPath) // Same process as install return s.InstallServer(ctx, installPath, serverID) // Same process as install
} }
func (s *SteamService) UninstallServer(installPath string) error { func (s *SteamService) UninstallServer(installPath string) error {

64
local/utl/audit/audit.go Normal file
View File

@@ -0,0 +1,64 @@
package audit
import (
"acc-server-manager/local/utl/logging"
"context"
"time"
)
type AuditAction string
const (
ActionLogin AuditAction = "LOGIN"
ActionLogout AuditAction = "LOGOUT"
ActionServerCreate AuditAction = "SERVER_CREATE"
ActionServerUpdate AuditAction = "SERVER_UPDATE"
ActionServerDelete AuditAction = "SERVER_DELETE"
ActionServerStart AuditAction = "SERVER_START"
ActionServerStop AuditAction = "SERVER_STOP"
ActionUserCreate AuditAction = "USER_CREATE"
ActionUserUpdate AuditAction = "USER_UPDATE"
ActionUserDelete AuditAction = "USER_DELETE"
ActionConfigUpdate AuditAction = "CONFIG_UPDATE"
ActionSteamAuth AuditAction = "STEAM_AUTH"
ActionPermissionGrant AuditAction = "PERMISSION_GRANT"
ActionPermissionRevoke AuditAction = "PERMISSION_REVOKE"
)
type AuditEntry struct {
Timestamp time.Time `json:"timestamp"`
UserID string `json:"user_id"`
Username string `json:"username"`
Action AuditAction `json:"action"`
Resource string `json:"resource"`
Details string `json:"details"`
IPAddress string `json:"ip_address"`
UserAgent string `json:"user_agent"`
Success bool `json:"success"`
}
func LogAction(ctx context.Context, userID, username string, action AuditAction, resource, details, ipAddress, userAgent string, success bool) {
logging.InfoWithContext("AUDIT", "User %s (%s) performed %s on %s from %s - Success: %t - Details: %s",
username, userID, action, resource, ipAddress, success, details)
}
func LogAuthAction(ctx context.Context, username, ipAddress, userAgent string, success bool, details string) {
action := ActionLogin
if !success {
details = "Failed: " + details
}
LogAction(ctx, "", username, action, "authentication", details, ipAddress, userAgent, success)
}
func LogServerAction(ctx context.Context, userID, username string, action AuditAction, serverID, ipAddress, userAgent string, success bool, details string) {
LogAction(ctx, userID, username, action, "server:"+serverID, details, ipAddress, userAgent, success)
}
func LogUserManagementAction(ctx context.Context, adminUserID, adminUsername string, action AuditAction, targetUserID, ipAddress, userAgent string, success bool, details string) {
LogAction(ctx, adminUserID, adminUsername, action, "user:"+targetUserID, details, ipAddress, userAgent, success)
}
func LogConfigAction(ctx context.Context, userID, username string, configType, ipAddress, userAgent string, success bool, details string) {
LogAction(ctx, userID, username, ActionConfigUpdate, "config:"+configType, details, ipAddress, userAgent, success)
}

179
local/utl/command/interactive_executor.go Normal file
View File

@@ -0,0 +1,179 @@
package command
import (
"acc-server-manager/local/model"
"acc-server-manager/local/utl/logging"
"bufio"
"context"
"fmt"
"io"
"os/exec"
"strings"
"time"
"github.com/google/uuid"
)
// InteractiveCommandExecutor extends CommandExecutor to handle interactive commands
type InteractiveCommandExecutor struct {
*CommandExecutor
tfaManager *model.Steam2FAManager
}
func NewInteractiveCommandExecutor(baseExecutor *CommandExecutor, tfaManager *model.Steam2FAManager) *InteractiveCommandExecutor {
return &InteractiveCommandExecutor{
CommandExecutor: baseExecutor,
tfaManager: tfaManager,
}
}
// ExecuteInteractive runs a command that may require 2FA input
func (e *InteractiveCommandExecutor) ExecuteInteractive(ctx context.Context, serverID *uuid.UUID, args ...string) error {
cmd := exec.CommandContext(ctx, e.ExePath, args...)
if e.WorkDir != "" {
cmd.Dir = e.WorkDir
}
// Create pipes for stdin, stdout, and stderr
stdin, err := cmd.StdinPipe()
if err != nil {
return fmt.Errorf("failed to create stdin pipe: %v", err)
}
defer stdin.Close()
stdout, err := cmd.StdoutPipe()
if err != nil {
return fmt.Errorf("failed to create stdout pipe: %v", err)
}
defer stdout.Close()
stderr, err := cmd.StderrPipe()
if err != nil {
return fmt.Errorf("failed to create stderr pipe: %v", err)
}
defer stderr.Close()
logging.Info("Executing interactive command: %s %s", e.ExePath, strings.Join(args, " "))
if err := cmd.Start(); err != nil {
return fmt.Errorf("failed to start command: %v", err)
}
// Create channels for output monitoring
outputDone := make(chan error)
// Monitor stdout and stderr for 2FA prompts
go e.monitorOutput(ctx, stdout, stderr, serverID, outputDone)
// Wait for either the command to finish or output monitoring to complete
cmdErr := cmd.Wait()
outputErr := <-outputDone
if outputErr != nil {
logging.Warn("Output monitoring error: %v", outputErr)
}
return cmdErr
}
func (e *InteractiveCommandExecutor) monitorOutput(ctx context.Context, stdout, stderr io.Reader, serverID *uuid.UUID, done chan error) {
defer close(done)
// Create scanners for both outputs
stdoutScanner := bufio.NewScanner(stdout)
stderrScanner := bufio.NewScanner(stderr)
outputChan := make(chan string)
// Read from stdout
go func() {
for stdoutScanner.Scan() {
line := stdoutScanner.Text()
if e.LogOutput {
logging.Info("STDOUT: %s", line)
}
outputChan <- line
}
}()
// Read from stderr
go func() {
for stderrScanner.Scan() {
line := stderrScanner.Text()
if e.LogOutput {
logging.Info("STDERR: %s", line)
}
outputChan <- line
}
}()
// Monitor for 2FA prompts
for {
select {
case <-ctx.Done():
done <- ctx.Err()
return
case line, ok := <-outputChan:
if !ok {
done <- nil
return
}
// Check if this line indicates a 2FA prompt
if e.is2FAPrompt(line) {
if err := e.handle2FAPrompt(ctx, line, serverID); err != nil {
logging.Error("Failed to handle 2FA prompt: %v", err)
done <- err
return
}
}
}
}
}
func (e *InteractiveCommandExecutor) is2FAPrompt(line string) bool {
// Common SteamCMD 2FA prompts
twoFAKeywords := []string{
"please enter your steam guard code",
"steam guard",
"two-factor",
"authentication code",
"please check your steam mobile app",
"confirm in application",
}
lowerLine := strings.ToLower(line)
for _, keyword := range twoFAKeywords {
if strings.Contains(lowerLine, keyword) {
return true
}
}
return false
}
func (e *InteractiveCommandExecutor) handle2FAPrompt(_ context.Context, promptLine string, serverID *uuid.UUID) error {
logging.Info("2FA prompt detected: %s", promptLine)
// Create a 2FA request
request := e.tfaManager.CreateRequest(promptLine, serverID)
logging.Info("Created 2FA request with ID: %s", request.ID)
// Wait for user to complete the 2FA process
// Use a reasonable timeout (e.g., 5 minutes)
timeout := 5 * time.Minute
success, err := e.tfaManager.WaitForCompletion(request.ID, timeout)
if err != nil {
logging.Error("2FA completion failed: %v", err)
return err
}
if !success {
logging.Error("2FA was not completed successfully")
return fmt.Errorf("2FA authentication failed")
}
logging.Info("2FA completed successfully")
return nil
}

1
local/utl/common/common.go
View File

@@ -25,6 +25,7 @@ type RouteGroups struct {
StateHistory fiber.Router StateHistory fiber.Router
Membership fiber.Router Membership fiber.Router
System fiber.Router System fiber.Router
Steam2FA fiber.Router
} }
func CheckError(err error) { func CheckError(err error) {

2
local/utl/configs/configs.go
View File

@@ -8,7 +8,7 @@ import (
) )
var ( var (
Version = "0.10.3" Version = "0.10.5"
Prefix = "v1" Prefix = "v1"
Secret string Secret string
SecretCode string SecretCode string

67
local/utl/errors/safe_error.go Normal file
View File

@@ -0,0 +1,67 @@
package errors
import (
"acc-server-manager/local/utl/logging"
"fmt"
"os"
)
type SafeError struct {
Message string
Code int
Fatal bool
}
func (e *SafeError) Error() string {
return e.Message
}
func NewSafeError(message string, code int) *SafeError {
return &SafeError{
Message: message,
Code: code,
Fatal: false,
}
}
func NewFatalError(message string, code int) *SafeError {
return &SafeError{
Message: message,
Code: code,
Fatal: true,
}
}
func HandleError(err error, context string) {
if err == nil {
return
}
if safeErr, ok := err.(*SafeError); ok {
if safeErr.Fatal {
logging.Error("Fatal error in %s: %s", context, safeErr.Message)
if os.Getenv("ENVIRONMENT") == "production" {
logging.Error("Application shutting down due to fatal error")
os.Exit(safeErr.Code)
} else {
logging.Warn("Fatal error occurred but not exiting in non-production environment")
}
} else {
logging.Error("Error in %s: %s", context, safeErr.Message)
}
} else {
logging.Error("Unexpected error in %s: %v", context, err)
}
}
func SafeFatal(message string, args ...interface{}) {
formattedMessage := fmt.Sprintf(message, args...)
err := NewFatalError(formattedMessage, 1)
HandleError(err, "application")
}
func SafeLog(message string, args ...interface{}) {
formattedMessage := fmt.Sprintf(message, args...)
err := NewSafeError(formattedMessage, 0)
HandleError(err, "application")
}

91
local/utl/graceful/shutdown.go Normal file
View File

@@ -0,0 +1,91 @@
package graceful
import (
"context"
"os"
"os/signal"
"sync"
"syscall"
"time"
)
type ShutdownManager struct {
ctx context.Context
cancel context.CancelFunc
wg sync.WaitGroup
handlers []func() error
mutex sync.Mutex
}
var globalManager *ShutdownManager
var once sync.Once
func GetManager() *ShutdownManager {
once.Do(func() {
ctx, cancel := context.WithCancel(context.Background())
globalManager = &ShutdownManager{
ctx: ctx,
cancel: cancel,
handlers: make([]func() error, 0),
}
go globalManager.watchSignals()
})
return globalManager
}
func (sm *ShutdownManager) watchSignals() {
sigChan := make(chan os.Signal, 1)
signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
<-sigChan
sm.Shutdown(30 * time.Second)
}
func (sm *ShutdownManager) AddHandler(handler func() error) {
sm.mutex.Lock()
defer sm.mutex.Unlock()
sm.handlers = append(sm.handlers, handler)
}
func (sm *ShutdownManager) Context() context.Context {
return sm.ctx
}
func (sm *ShutdownManager) AddGoroutine() {
sm.wg.Add(1)
}
func (sm *ShutdownManager) GoroutineDone() {
sm.wg.Done()
}
func (sm *ShutdownManager) RunGoroutine(fn func(ctx context.Context)) {
sm.wg.Add(1)
go func() {
defer sm.wg.Done()
fn(sm.ctx)
}()
}
func (sm *ShutdownManager) Shutdown(timeout time.Duration) {
sm.cancel()
done := make(chan struct{})
go func() {
sm.wg.Wait()
sm.mutex.Lock()
for _, handler := range sm.handlers {
handler()
}
sm.mutex.Unlock()
close(done)
}()
select {
case <-done:
case <-time.After(timeout):
}
}

64
local/utl/jwt/jwt.go
View File

@@ -2,57 +2,73 @@ package jwt
import ( import (
"acc-server-manager/local/model" "acc-server-manager/local/model"
"acc-server-manager/local/utl/errors"
"crypto/rand" "crypto/rand"
"encoding/base64" "encoding/base64"
"errors" goerrors "errors"
"log"
"os"
"time" "time"
"github.com/golang-jwt/jwt/v4" "github.com/golang-jwt/jwt/v4"
) )
// SecretKey holds the JWT signing key loaded from environment
var SecretKey []byte
// Claims represents the JWT claims. // Claims represents the JWT claims.
type Claims struct { type Claims struct {
UserID string `json:"user_id"` UserID string `json:"user_id"`
jwt.RegisteredClaims jwt.RegisteredClaims
} }
// init initializes the JWT secret key from environment variable type JWTHandler struct {
func Init() { SecretKey []byte
jwtSecret := os.Getenv("JWT_SECRET") }
if jwtSecret == "" {
log.Fatal("JWT_SECRET environment variable is required and cannot be empty") type OpenJWTHandler struct {
*JWTHandler
}
// NewJWTHandler creates a new JWTHandler instance with the provided secret key.
func NewOpenJWTHandler(jwtSecret string) *OpenJWTHandler {
jwtHandler := NewJWTHandler(jwtSecret)
return &OpenJWTHandler{
JWTHandler: jwtHandler,
} }
}
// NewJWTHandler creates a new JWTHandler instance with the provided secret key.
func NewJWTHandler(jwtSecret string) *JWTHandler {
if jwtSecret == "" {
errors.SafeFatal("JWT_SECRET environment variable is required and cannot be empty")
}
var secretKey []byte
// Decode base64 secret if it looks like base64, otherwise use as-is // Decode base64 secret if it looks like base64, otherwise use as-is
if decoded, err := base64.StdEncoding.DecodeString(jwtSecret); err == nil && len(decoded) >= 32 { if decoded, err := base64.StdEncoding.DecodeString(jwtSecret); err == nil && len(decoded) >= 32 {
SecretKey = decoded secretKey = decoded
} else { } else {
SecretKey = []byte(jwtSecret) secretKey = []byte(jwtSecret)
} }
// Ensure minimum key length for security // Ensure minimum key length for security
if len(SecretKey) < 32 { if len(secretKey) < 32 {
log.Fatal("JWT_SECRET must be at least 32 bytes long for security") errors.SafeFatal("JWT_SECRET must be at least 32 bytes long for security")
}
return &JWTHandler{
SecretKey: secretKey,
} }
} }
// GenerateSecretKey generates a cryptographically secure random key for JWT signing // GenerateSecretKey generates a cryptographically secure random key for JWT signing
// This is a utility function for generating new secrets, not used in normal operation // This is a utility function for generating new secrets, not used in normal operation
func GenerateSecretKey() string { func (jh *JWTHandler) GenerateSecretKey() string {
key := make([]byte, 64) // 512 bits key := make([]byte, 64) // 512 bits
if _, err := rand.Read(key); err != nil { if _, err := rand.Read(key); err != nil {
log.Fatal("Failed to generate random key: ", err) errors.SafeFatal("Failed to generate random key: %v", err)
} }
return base64.StdEncoding.EncodeToString(key) return base64.StdEncoding.EncodeToString(key)
} }
// GenerateToken generates a new JWT for a given user. // GenerateToken generates a new JWT for a given user.
func GenerateToken(user *model.User) (string, error) { func (jh *JWTHandler) GenerateToken(user *model.User) (string, error) {
expirationTime := time.Now().Add(24 * time.Hour) expirationTime := time.Now().Add(24 * time.Hour)
claims := &Claims{ claims := &Claims{
UserID: user.ID.String(), UserID: user.ID.String(),
@@ -62,10 +78,10 @@ func GenerateToken(user *model.User) (string, error) {
} }
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
return token.SignedString(SecretKey) return token.SignedString(jh.SecretKey)
} }
func GenerateTokenWithExpiry(user *model.User, expiry time.Time) (string, error) { func (jh *JWTHandler) GenerateTokenWithExpiry(user *model.User, expiry time.Time) (string, error) {
expirationTime := expiry expirationTime := expiry
claims := &Claims{ claims := &Claims{
UserID: user.ID.String(), UserID: user.ID.String(),
@@ -75,15 +91,15 @@ func GenerateTokenWithExpiry(user *model.User, expiry time.Time) (string, error)
} }
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
return token.SignedString(SecretKey) return token.SignedString(jh.SecretKey)
} }
// ValidateToken validates a JWT and returns the claims if the token is valid. // ValidateToken validates a JWT and returns the claims if the token is valid.
func ValidateToken(tokenString string) (*Claims, error) { func (jh *JWTHandler) ValidateToken(tokenString string) (*Claims, error) {
claims := &Claims{} claims := &Claims{}
token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) { token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
return SecretKey, nil return jh.SecretKey, nil
}) })
if err != nil { if err != nil {
@@ -91,7 +107,7 @@ func ValidateToken(tokenString string) (*Claims, error) {
} }
if !token.Valid { if !token.Valid {
return nil, errors.New("invalid token") return nil, goerrors.New("invalid token")
} }
return claims, nil return claims, nil

76
local/utl/security/download_verifier.go Normal file
View File

@@ -0,0 +1,76 @@
package security
import (
"crypto/sha256"
"fmt"
"io"
"net/http"
"os"
"time"
)
type DownloadVerifier struct {
client *http.Client
}
func NewDownloadVerifier() *DownloadVerifier {
return &DownloadVerifier{
client: &http.Client{
Timeout: 30 * time.Second,
Transport: &http.Transport{
DisableKeepAlives: true,
},
},
}
}
func (dv *DownloadVerifier) VerifyAndDownload(url, outputPath, expectedSHA256 string) error {
if url == "" {
return fmt.Errorf("URL cannot be empty")
}
if outputPath == "" {
return fmt.Errorf("output path cannot be empty")
}
req, err := http.NewRequest("GET", url, nil)
if err != nil {
return fmt.Errorf("failed to create request: %v", err)
}
req.Header.Set("User-Agent", "ACC-Server-Manager/1.0")
resp, err := dv.client.Do(req)
if err != nil {
return fmt.Errorf("failed to download: %v", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return fmt.Errorf("download failed with status: %d", resp.StatusCode)
}
file, err := os.Create(outputPath)
if err != nil {
return fmt.Errorf("failed to create output file: %v", err)
}
defer file.Close()
hash := sha256.New()
writer := io.MultiWriter(file, hash)
_, err = io.Copy(writer, resp.Body)
if err != nil {
os.Remove(outputPath)
return fmt.Errorf("failed to write file: %v", err)
}
if expectedSHA256 != "" {
actualHash := fmt.Sprintf("%x", hash.Sum(nil))
if actualHash != expectedSHA256 {
os.Remove(outputPath)
return fmt.Errorf("file hash mismatch: expected %s, got %s", expectedSHA256, actualHash)
}
}
return nil
}

95
local/utl/security/path_validator.go Normal file
View File

@@ -0,0 +1,95 @@
package security
import (
"fmt"
"os"
"path/filepath"
"regexp"
"strings"
)
type PathValidator struct {
allowedBasePaths []string
blockedPatterns []*regexp.Regexp
}
func NewPathValidator() *PathValidator {
blockedPatterns := []*regexp.Regexp{
regexp.MustCompile(`\.\.`),
regexp.MustCompile(`[<>:"|?*]`),
regexp.MustCompile(`^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$`),
regexp.MustCompile(`\x00`),
regexp.MustCompile(`^\\\\`),
regexp.MustCompile(`^[a-zA-Z]:\\Windows`),
regexp.MustCompile(`^[a-zA-Z]:\\Program Files`),
}
return &PathValidator{
allowedBasePaths: []string{
`C:\ACC-Servers`,
`D:\ACC-Servers`,
`E:\ACC-Servers`,
`C:\SteamCMD`,
`D:\SteamCMD`,
`E:\SteamCMD`,
},
blockedPatterns: blockedPatterns,
}
}
func (pv *PathValidator) ValidateInstallPath(path string) error {
if path == "" {
return fmt.Errorf("path cannot be empty")
}
cleanPath := filepath.Clean(path)
absPath, err := filepath.Abs(cleanPath)
if err != nil {
return fmt.Errorf("invalid path: %v", err)
}
for _, pattern := range pv.blockedPatterns {
if pattern.MatchString(absPath) || pattern.MatchString(strings.ToUpper(filepath.Base(absPath))) {
return fmt.Errorf("path contains forbidden patterns")
}
}
allowed := false
for _, basePath := range pv.allowedBasePaths {
if strings.HasPrefix(strings.ToLower(absPath), strings.ToLower(basePath)) {
allowed = true
break
}
}
if !allowed {
return fmt.Errorf("path must be within allowed directories: %v", pv.allowedBasePaths)
}
if len(absPath) > 260 {
return fmt.Errorf("path too long (max 260 characters)")
}
parentDir := filepath.Dir(absPath)
if parentInfo, err := os.Stat(parentDir); err == nil {
if !parentInfo.IsDir() {
return fmt.Errorf("parent path is not a directory")
}
}
return nil
}
func (pv *PathValidator) AddAllowedBasePath(path string) error {
absPath, err := filepath.Abs(path)
if err != nil {
return fmt.Errorf("invalid base path: %v", err)
}
pv.allowedBasePaths = append(pv.allowedBasePaths, absPath)
return nil
}
func (pv *PathValidator) GetAllowedBasePaths() []string {
return append([]string(nil), pv.allowedBasePaths...)
}

1
local/utl/server/server.go
View File

@@ -30,6 +30,7 @@ func Start(di *dig.Container) *fiber.App {
app.Use(securityMW.SecurityHeaders()) app.Use(securityMW.SecurityHeaders())
app.Use(securityMW.LogSecurityEvents()) app.Use(securityMW.LogSecurityEvents())
app.Use(securityMW.TimeoutMiddleware(30 * time.Second)) app.Use(securityMW.TimeoutMiddleware(30 * time.Second))
app.Use(securityMW.RequestContextTimeout(60 * time.Second))
app.Use(securityMW.RequestSizeLimit(10 * 1024 * 1024)) // 10MB app.Use(securityMW.RequestSizeLimit(10 * 1024 * 1024)) // 10MB
app.Use(securityMW.ValidateUserAgent()) app.Use(securityMW.ValidateUserAgent())
app.Use(securityMW.ValidateContentType("application/json", "application/x-www-form-urlencoded", "multipart/form-data")) app.Use(securityMW.ValidateContentType("application/json", "application/x-www-form-urlencoded", "multipart/form-data"))

263
swagger/docs.go
View File

@@ -218,6 +218,52 @@ const docTemplate = `{
} }
} }
}, },
"/auth/open-token": {
"post": {
"description": "Generate an open token for a user",
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"tags": [
"Authentication"
],
"summary": "Generate an open token",
"responses": {
"200": {
"description": "JWT token",
"schema": {
"type": "object",
"properties": {
"token": {
"type": "string"
}
}
}
},
"400": {
"description": "Invalid request body",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
},
"401": {
"description": "Invalid credentials",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
},
"500": {
"description": "Internal server error",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
}
}
}
},
"/lookup/car-models": { "/lookup/car-models": {
"get": { "get": {
"security": [ "security": [
@@ -1777,6 +1823,182 @@ const docTemplate = `{
} }
} }
}, },
"/steam2fa/pending": {
"get": {
"description": "Get all pending Steam 2FA authentication requests",
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"tags": [
"Steam 2FA"
],
"summary": "Get pending 2FA requests",
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"$ref": "#/definitions/model.Steam2FARequest"
}
}
},
"500": {
"description": "Internal Server Error",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
}
}
}
},
"/steam2fa/{id}": {
"get": {
"description": "Get a specific Steam 2FA authentication request by ID",
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"tags": [
"Steam 2FA"
],
"summary": "Get 2FA request",
"parameters": [
{
"type": "string",
"description": "2FA Request ID",
"name": "id",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/model.Steam2FARequest"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
},
"500": {
"description": "Internal Server Error",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
}
}
}
},
"/steam2fa/{id}/cancel": {
"post": {
"description": "Cancel a Steam 2FA authentication request",
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"tags": [
"Steam 2FA"
],
"summary": "Cancel 2FA request",
"parameters": [
{
"type": "string",
"description": "2FA Request ID",
"name": "id",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/model.Steam2FARequest"
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
},
"500": {
"description": "Internal Server Error",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
}
}
}
},
"/steam2fa/{id}/complete": {
"post": {
"description": "Mark a Steam 2FA authentication request as completed",
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"tags": [
"Steam 2FA"
],
"summary": "Complete 2FA request",
"parameters": [
{
"type": "string",
"description": "2FA Request ID",
"name": "id",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/model.Steam2FARequest"
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
},
"500": {
"description": "Internal Server Error",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
}
}
}
},
"/system/health": { "/system/health": {
"get": { "get": {
"description": "Return service control status", "description": "Return service control status",
@@ -1934,6 +2156,47 @@ const docTemplate = `{
"StatusRunning" "StatusRunning"
] ]
}, },
"model.Steam2FARequest": {
"type": "object",
"properties": {
"completedAt": {
"type": "string"
},
"errorMsg": {
"type": "string"
},
"id": {
"type": "string"
},
"message": {
"type": "string"
},
"requestTime": {
"type": "string"
},
"serverId": {
"type": "string"
},
"status": {
"$ref": "#/definitions/model.Steam2FAStatus"
}
}
},
"model.Steam2FAStatus": {
"type": "string",
"enum": [
"idle",
"pending",
"complete",
"error"
],
"x-enum-varnames": [
"Steam2FAStatusIdle",
"Steam2FAStatusPending",
"Steam2FAStatusComplete",
"Steam2FAStatusError"
]
},
"model.User": { "model.User": {
"type": "object", "type": "object",
"properties": { "properties": {

263
swagger/swagger.json
View File

@@ -215,6 +215,52 @@
} }
} }
}, },
"/auth/open-token": {
"post": {
"description": "Generate an open token for a user",
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"tags": [
"Authentication"
],
"summary": "Generate an open token",
"responses": {
"200": {
"description": "JWT token",
"schema": {
"type": "object",
"properties": {
"token": {
"type": "string"
}
}
}
},
"400": {
"description": "Invalid request body",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
},
"401": {
"description": "Invalid credentials",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
},
"500": {
"description": "Internal server error",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
}
}
}
},
"/lookup/car-models": { "/lookup/car-models": {
"get": { "get": {
"security": [ "security": [
@@ -1774,6 +1820,182 @@
} }
} }
}, },
"/steam2fa/pending": {
"get": {
"description": "Get all pending Steam 2FA authentication requests",
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"tags": [
"Steam 2FA"
],
"summary": "Get pending 2FA requests",
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"$ref": "#/definitions/model.Steam2FARequest"
}
}
},
"500": {
"description": "Internal Server Error",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
}
}
}
},
"/steam2fa/{id}": {
"get": {
"description": "Get a specific Steam 2FA authentication request by ID",
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"tags": [
"Steam 2FA"
],
"summary": "Get 2FA request",
"parameters": [
{
"type": "string",
"description": "2FA Request ID",
"name": "id",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/model.Steam2FARequest"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
},
"500": {
"description": "Internal Server Error",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
}
}
}
},
"/steam2fa/{id}/cancel": {
"post": {
"description": "Cancel a Steam 2FA authentication request",
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"tags": [
"Steam 2FA"
],
"summary": "Cancel 2FA request",
"parameters": [
{
"type": "string",
"description": "2FA Request ID",
"name": "id",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/model.Steam2FARequest"
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
},
"500": {
"description": "Internal Server Error",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
}
}
}
},
"/steam2fa/{id}/complete": {
"post": {
"description": "Mark a Steam 2FA authentication request as completed",
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"tags": [
"Steam 2FA"
],
"summary": "Complete 2FA request",
"parameters": [
{
"type": "string",
"description": "2FA Request ID",
"name": "id",
"in": "path",
"required": true
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/model.Steam2FARequest"
}
},
"400": {
"description": "Bad Request",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
},
"404": {
"description": "Not Found",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
},
"500": {
"description": "Internal Server Error",
"schema": {
"$ref": "#/definitions/error_handler.ErrorResponse"
}
}
}
}
},
"/system/health": { "/system/health": {
"get": { "get": {
"description": "Return service control status", "description": "Return service control status",
@@ -1931,6 +2153,47 @@
"StatusRunning" "StatusRunning"
] ]
}, },
"model.Steam2FARequest": {
"type": "object",
"properties": {
"completedAt": {
"type": "string"
},
"errorMsg": {
"type": "string"
},
"id": {
"type": "string"
},
"message": {
"type": "string"
},
"requestTime": {
"type": "string"
},
"serverId": {
"type": "string"
},
"status": {
"$ref": "#/definitions/model.Steam2FAStatus"
}
}
},
"model.Steam2FAStatus": {
"type": "string",
"enum": [
"idle",
"pending",
"complete",
"error"
],
"x-enum-varnames": [
"Steam2FAStatusIdle",
"Steam2FAStatusPending",
"Steam2FAStatusComplete",
"Steam2FAStatusError"
]
},
"model.User": { "model.User": {
"type": "object", "type": "object",
"properties": { "properties": {

175
swagger/swagger.yaml
View File

@@ -92,6 +92,35 @@ definitions:
- StatusRestarting - StatusRestarting
- StatusStarting - StatusStarting
- StatusRunning - StatusRunning
model.Steam2FARequest:
properties:
completedAt:
type: string
errorMsg:
type: string
id:
type: string
message:
type: string
requestTime:
type: string
serverId:
type: string
status:
$ref: '#/definitions/model.Steam2FAStatus'
type: object
model.Steam2FAStatus:
enum:
- idle
- pending
- complete
- error
type: string
x-enum-varnames:
- Steam2FAStatusIdle
- Steam2FAStatusPending
- Steam2FAStatusComplete
- Steam2FAStatusError
model.User: model.User:
properties: properties:
id: id:
@@ -247,6 +276,36 @@ paths:
summary: Get current user details summary: Get current user details
tags: tags:
- Authentication - Authentication
/auth/open-token:
post:
consumes:
- application/json
description: Generate an open token for a user
produces:
- application/json
responses:
"200":
description: JWT token
schema:
properties:
token:
type: string
type: object
"400":
description: Invalid request body
schema:
$ref: '#/definitions/error_handler.ErrorResponse'
"401":
description: Invalid credentials
schema:
$ref: '#/definitions/error_handler.ErrorResponse'
"500":
description: Internal server error
schema:
$ref: '#/definitions/error_handler.ErrorResponse'
summary: Generate an open token
tags:
- Authentication
/lookup/car-models: /lookup/car-models:
get: get:
consumes: consumes:
@@ -1242,6 +1301,122 @@ paths:
summary: Return StateHistorys summary: Return StateHistorys
tags: tags:
- StateHistory - StateHistory
/steam2fa/{id}:
get:
consumes:
- application/json
description: Get a specific Steam 2FA authentication request by ID
parameters:
- description: 2FA Request ID
in: path
name: id
required: true
type: string
produces:
- application/json
responses:
"200":
description: OK
schema:
$ref: '#/definitions/model.Steam2FARequest'
"404":
description: Not Found
schema:
$ref: '#/definitions/error_handler.ErrorResponse'
"500":
description: Internal Server Error
schema:
$ref: '#/definitions/error_handler.ErrorResponse'
summary: Get 2FA request
tags:
- Steam 2FA
/steam2fa/{id}/cancel:
post:
consumes:
- application/json
description: Cancel a Steam 2FA authentication request
parameters:
- description: 2FA Request ID
in: path
name: id
required: true
type: string
produces:
- application/json
responses:
"200":
description: OK
schema:
$ref: '#/definitions/model.Steam2FARequest'
"400":
description: Bad Request
schema:
$ref: '#/definitions/error_handler.ErrorResponse'
"404":
description: Not Found
schema:
$ref: '#/definitions/error_handler.ErrorResponse'
"500":
description: Internal Server Error
schema:
$ref: '#/definitions/error_handler.ErrorResponse'
summary: Cancel 2FA request
tags:
- Steam 2FA
/steam2fa/{id}/complete:
post:
consumes:
- application/json
description: Mark a Steam 2FA authentication request as completed
parameters:
- description: 2FA Request ID
in: path
name: id
required: true
type: string
produces:
- application/json
responses:
"200":
description: OK
schema:
$ref: '#/definitions/model.Steam2FARequest'
"400":
description: Bad Request
schema:
$ref: '#/definitions/error_handler.ErrorResponse'
"404":
description: Not Found
schema:
$ref: '#/definitions/error_handler.ErrorResponse'
"500":
description: Internal Server Error
schema:
$ref: '#/definitions/error_handler.ErrorResponse'
summary: Complete 2FA request
tags:
- Steam 2FA
/steam2fa/pending:
get:
consumes:
- application/json
description: Get all pending Steam 2FA authentication requests
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
$ref: '#/definitions/model.Steam2FARequest'
type: array
"500":
description: Internal Server Error
schema:
$ref: '#/definitions/error_handler.ErrorResponse'
summary: Get pending 2FA requests
tags:
- Steam 2FA
/system/health: /system/health:
get: get:
description: Return service control status description: Return service control status

21
tests/auth_helper.go
View File

@@ -4,6 +4,7 @@ import (
"acc-server-manager/local/model" "acc-server-manager/local/model"
"acc-server-manager/local/utl/jwt" "acc-server-manager/local/utl/jwt"
"fmt" "fmt"
"os"
"time" "time"
"github.com/google/uuid" "github.com/google/uuid"
@@ -18,8 +19,16 @@ func GenerateTestToken() (string, error) {
RoleID: uuid.New(), RoleID: uuid.New(),
} }
// Use the environment JWT_SECRET for consistency with middleware
testSecret := os.Getenv("JWT_SECRET")
if testSecret == "" {
// Fallback to a test secret if env var is not set
testSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
}
jwtHandler := jwt.NewJWTHandler(testSecret)
// Generate JWT token // Generate JWT token
token, err := jwt.GenerateToken(user) token, err := jwtHandler.GenerateToken(user)
if err != nil { if err != nil {
return "", fmt.Errorf("failed to generate test token: %w", err) return "", fmt.Errorf("failed to generate test token: %w", err)
} }
@@ -39,6 +48,14 @@ func MustGenerateTestToken() string {
// GenerateTestTokenWithExpiry creates a JWT token with a specific expiry time // GenerateTestTokenWithExpiry creates a JWT token with a specific expiry time
func GenerateTestTokenWithExpiry(expiryTime time.Time) (string, error) { func GenerateTestTokenWithExpiry(expiryTime time.Time) (string, error) {
// Use the environment JWT_SECRET for consistency with middleware
testSecret := os.Getenv("JWT_SECRET")
if testSecret == "" {
// Fallback to a test secret if env var is not set
testSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
}
jwtHandler := jwt.NewJWTHandler(testSecret)
// Create test user // Create test user
user := &model.User{ user := &model.User{
ID: uuid.New(), ID: uuid.New(),
@@ -47,7 +64,7 @@ func GenerateTestTokenWithExpiry(expiryTime time.Time) (string, error) {
} }
// Generate JWT token with custom expiry // Generate JWT token with custom expiry
token, err := jwt.GenerateTokenWithExpiry(user, expiryTime) token, err := jwtHandler.GenerateTokenWithExpiry(user, expiryTime)
if err != nil { if err != nil {
return "", fmt.Errorf("failed to generate test token with expiry: %w", err) return "", fmt.Errorf("failed to generate test token with expiry: %w", err)
} }

2
tests/test_helper.go
View File

@@ -3,7 +3,6 @@ package tests
import ( import (
"acc-server-manager/local/model" "acc-server-manager/local/model"
"acc-server-manager/local/utl/configs" "acc-server-manager/local/utl/configs"
"acc-server-manager/local/utl/jwt"
"bytes" "bytes"
"context" "context"
"errors" "errors"
@@ -52,7 +51,6 @@ func SetTestEnv() {
os.Setenv("TESTING_ENV", "true") // Used to bypass os.Setenv("TESTING_ENV", "true") // Used to bypass
configs.Init() configs.Init()
jwt.Init()
} }
// NewTestHelper creates a new test helper with in-memory database // NewTestHelper creates a new test helper with in-memory database

13
tests/unit/controller/helper.go
View File

@@ -4,7 +4,9 @@ import (
"acc-server-manager/local/middleware" "acc-server-manager/local/middleware"
"acc-server-manager/local/service" "acc-server-manager/local/service"
"acc-server-manager/local/utl/cache" "acc-server-manager/local/utl/cache"
"acc-server-manager/local/utl/jwt"
"acc-server-manager/tests" "acc-server-manager/tests"
"os"
"github.com/gofiber/fiber/v2" "github.com/gofiber/fiber/v2"
) )
@@ -15,9 +17,18 @@ type MockMiddleware struct{}
// GetTestAuthMiddleware returns a mock auth middleware that can be used in place of the real one // GetTestAuthMiddleware returns a mock auth middleware that can be used in place of the real one
// This works because we're adding real authentication tokens to requests // This works because we're adding real authentication tokens to requests
func GetTestAuthMiddleware(ms *service.MembershipService, cache *cache.InMemoryCache) *middleware.AuthMiddleware { func GetTestAuthMiddleware(ms *service.MembershipService, cache *cache.InMemoryCache) *middleware.AuthMiddleware {
// Use environment JWT secrets for consistency with token generation
jwtSecret := os.Getenv("JWT_SECRET")
if jwtSecret == "" {
jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
}
jwtHandler := jwt.NewJWTHandler(jwtSecret)
openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret) // Use same secret for test consistency
// Cast our mock to the real type for testing // Cast our mock to the real type for testing
// This is a type-unsafe cast but works for testing because we're using real JWT tokens // This is a type-unsafe cast but works for testing because we're using real JWT tokens
return middleware.NewAuthMiddleware(ms, cache) return middleware.NewAuthMiddleware(ms, cache, jwtHandler, openJWTHandler)
} }
// AddAuthToRequest adds a valid authentication token to a test request // AddAuthToRequest adds a valid authentication token to a test request

74
tests/unit/controller/state_history_controller_test.go
View File

@@ -7,6 +7,7 @@ import (
"acc-server-manager/local/service" "acc-server-manager/local/service"
"acc-server-manager/local/utl/cache" "acc-server-manager/local/utl/cache"
"acc-server-manager/local/utl/common" "acc-server-manager/local/utl/common"
"acc-server-manager/local/utl/jwt"
"acc-server-manager/tests" "acc-server-manager/tests"
"acc-server-manager/tests/testdata" "acc-server-manager/tests/testdata"
"encoding/json" "encoding/json"
@@ -14,6 +15,7 @@ import (
"io" "io"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"os"
"testing" "testing"
"github.com/gofiber/fiber/v2" "github.com/gofiber/fiber/v2"
@@ -32,7 +34,13 @@ func TestStateHistoryController_GetAll_Success(t *testing.T) {
stateHistoryService := service.NewStateHistoryService(repo) stateHistoryService := service.NewStateHistoryService(repo)
membershipRepo := repository.NewMembershipRepository(helper.DB) membershipRepo := repository.NewMembershipRepository(helper.DB)
membershipService := service.NewMembershipService(membershipRepo) jwtSecret := os.Getenv("JWT_SECRET")
if jwtSecret == "" {
jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
}
jwtHandler := jwt.NewJWTHandler(jwtSecret)
openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
inMemCache := cache.NewInMemoryCache() inMemCache := cache.NewInMemoryCache()
@@ -86,7 +94,13 @@ func TestStateHistoryController_GetAll_WithSessionFilter(t *testing.T) {
stateHistoryService := service.NewStateHistoryService(repo) stateHistoryService := service.NewStateHistoryService(repo)
membershipRepo := repository.NewMembershipRepository(helper.DB) membershipRepo := repository.NewMembershipRepository(helper.DB)
membershipService := service.NewMembershipService(membershipRepo) jwtSecret := os.Getenv("JWT_SECRET")
if jwtSecret == "" {
jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
}
jwtHandler := jwt.NewJWTHandler(jwtSecret)
openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
inMemCache := cache.NewInMemoryCache() inMemCache := cache.NewInMemoryCache()
@@ -145,7 +159,13 @@ func TestStateHistoryController_GetAll_EmptyResult(t *testing.T) {
stateHistoryService := service.NewStateHistoryService(repo) stateHistoryService := service.NewStateHistoryService(repo)
membershipRepo := repository.NewMembershipRepository(helper.DB) membershipRepo := repository.NewMembershipRepository(helper.DB)
membershipService := service.NewMembershipService(membershipRepo) jwtSecret := os.Getenv("JWT_SECRET")
if jwtSecret == "" {
jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
}
jwtHandler := jwt.NewJWTHandler(jwtSecret)
openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
inMemCache := cache.NewInMemoryCache() inMemCache := cache.NewInMemoryCache()
@@ -185,7 +205,13 @@ func TestStateHistoryController_GetStatistics_Success(t *testing.T) {
stateHistoryService := service.NewStateHistoryService(repo) stateHistoryService := service.NewStateHistoryService(repo)
membershipRepo := repository.NewMembershipRepository(helper.DB) membershipRepo := repository.NewMembershipRepository(helper.DB)
membershipService := service.NewMembershipService(membershipRepo) jwtSecret := os.Getenv("JWT_SECRET")
if jwtSecret == "" {
jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
}
jwtHandler := jwt.NewJWTHandler(jwtSecret)
openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
inMemCache := cache.NewInMemoryCache() inMemCache := cache.NewInMemoryCache()
@@ -262,7 +288,13 @@ func TestStateHistoryController_GetStatistics_NoData(t *testing.T) {
stateHistoryService := service.NewStateHistoryService(repo) stateHistoryService := service.NewStateHistoryService(repo)
membershipRepo := repository.NewMembershipRepository(helper.DB) membershipRepo := repository.NewMembershipRepository(helper.DB)
membershipService := service.NewMembershipService(membershipRepo) jwtSecret := os.Getenv("JWT_SECRET")
if jwtSecret == "" {
jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
}
jwtHandler := jwt.NewJWTHandler(jwtSecret)
openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
inMemCache := cache.NewInMemoryCache() inMemCache := cache.NewInMemoryCache()
@@ -321,7 +353,13 @@ func TestStateHistoryController_GetStatistics_InvalidQueryParams(t *testing.T) {
stateHistoryService := service.NewStateHistoryService(repo) stateHistoryService := service.NewStateHistoryService(repo)
membershipRepo := repository.NewMembershipRepository(helper.DB) membershipRepo := repository.NewMembershipRepository(helper.DB)
membershipService := service.NewMembershipService(membershipRepo) jwtSecret := os.Getenv("JWT_SECRET")
if jwtSecret == "" {
jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
}
jwtHandler := jwt.NewJWTHandler(jwtSecret)
openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
inMemCache := cache.NewInMemoryCache() inMemCache := cache.NewInMemoryCache()
@@ -365,7 +403,13 @@ func TestStateHistoryController_HTTPMethods(t *testing.T) {
stateHistoryService := service.NewStateHistoryService(repo) stateHistoryService := service.NewStateHistoryService(repo)
membershipRepo := repository.NewMembershipRepository(helper.DB) membershipRepo := repository.NewMembershipRepository(helper.DB)
membershipService := service.NewMembershipService(membershipRepo) jwtSecret := os.Getenv("JWT_SECRET")
if jwtSecret == "" {
jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
}
jwtHandler := jwt.NewJWTHandler(jwtSecret)
openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
inMemCache := cache.NewInMemoryCache() inMemCache := cache.NewInMemoryCache()
@@ -419,7 +463,13 @@ func TestStateHistoryController_ContentType(t *testing.T) {
stateHistoryService := service.NewStateHistoryService(repo) stateHistoryService := service.NewStateHistoryService(repo)
membershipRepo := repository.NewMembershipRepository(helper.DB) membershipRepo := repository.NewMembershipRepository(helper.DB)
membershipService := service.NewMembershipService(membershipRepo) jwtSecret := os.Getenv("JWT_SECRET")
if jwtSecret == "" {
jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
}
jwtHandler := jwt.NewJWTHandler(jwtSecret)
openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
inMemCache := cache.NewInMemoryCache() inMemCache := cache.NewInMemoryCache()
@@ -481,7 +531,13 @@ func TestStateHistoryController_ResponseStructure(t *testing.T) {
stateHistoryService := service.NewStateHistoryService(repo) stateHistoryService := service.NewStateHistoryService(repo)
membershipRepo := repository.NewMembershipRepository(helper.DB) membershipRepo := repository.NewMembershipRepository(helper.DB)
membershipService := service.NewMembershipService(membershipRepo) jwtSecret := os.Getenv("JWT_SECRET")
if jwtSecret == "" {
jwtSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
}
jwtHandler := jwt.NewJWTHandler(jwtSecret)
openJWTHandler := jwt.NewOpenJWTHandler(jwtSecret)
membershipService := service.NewMembershipService(membershipRepo, jwtHandler, openJWTHandler)
inMemCache := cache.NewInMemoryCache() inMemCache := cache.NewInMemoryCache()

13
tests/unit/service/auth_simple_test.go
View File

@@ -5,6 +5,7 @@ import (
"acc-server-manager/local/utl/jwt" "acc-server-manager/local/utl/jwt"
"acc-server-manager/local/utl/password" "acc-server-manager/local/utl/password"
"acc-server-manager/tests" "acc-server-manager/tests"
"os"
"testing" "testing"
"github.com/google/uuid" "github.com/google/uuid"
@@ -15,6 +16,8 @@ func TestJWT_GenerateAndValidateToken(t *testing.T) {
helper := tests.NewTestHelper(t) helper := tests.NewTestHelper(t)
defer helper.Cleanup() defer helper.Cleanup()
jwtHandler := jwt.NewJWTHandler(os.Getenv("JWT_SECRET"))
// Create test user // Create test user
user := &model.User{ user := &model.User{
ID: uuid.New(), ID: uuid.New(),
@@ -23,7 +26,7 @@ func TestJWT_GenerateAndValidateToken(t *testing.T) {
} }
// Test JWT generation // Test JWT generation
token, err := jwt.GenerateToken(user) token, err := jwtHandler.GenerateToken(user)
tests.AssertNoError(t, err) tests.AssertNoError(t, err)
tests.AssertNotNil(t, token) tests.AssertNotNil(t, token)
@@ -33,7 +36,7 @@ func TestJWT_GenerateAndValidateToken(t *testing.T) {
} }
// Test JWT validation // Test JWT validation
claims, err := jwt.ValidateToken(token) claims, err := jwtHandler.ValidateToken(token)
tests.AssertNoError(t, err) tests.AssertNoError(t, err)
tests.AssertNotNil(t, claims) tests.AssertNotNil(t, claims)
tests.AssertEqual(t, user.ID.String(), claims.UserID) tests.AssertEqual(t, user.ID.String(), claims.UserID)
@@ -43,9 +46,10 @@ func TestJWT_ValidateToken_InvalidToken(t *testing.T) {
// Setup // Setup
helper := tests.NewTestHelper(t) helper := tests.NewTestHelper(t)
defer helper.Cleanup() defer helper.Cleanup()
jwtHandler := jwt.NewJWTHandler(os.Getenv("JWT_SECRET"))
// Test with invalid token // Test with invalid token
claims, err := jwt.ValidateToken("invalid-token") claims, err := jwtHandler.ValidateToken("invalid-token")
if err == nil { if err == nil {
t.Fatal("Expected error for invalid token, got nil") t.Fatal("Expected error for invalid token, got nil")
} }
@@ -59,9 +63,10 @@ func TestJWT_ValidateToken_EmptyToken(t *testing.T) {
// Setup // Setup
helper := tests.NewTestHelper(t) helper := tests.NewTestHelper(t)
defer helper.Cleanup() defer helper.Cleanup()
jwtHandler := jwt.NewJWTHandler(os.Getenv("JWT_SECRET"))
// Test with empty token // Test with empty token
claims, err := jwt.ValidateToken("") claims, err := jwtHandler.ValidateToken("")
if err == nil { if err == nil {
t.Fatal("Expected error for empty token, got nil") t.Fatal("Expected error for empty token, got nil")
} }