change steamCMD executor

steam-crypt app and fix the interactive executor
remove blocker pattern
2025-08-17 16:42:10 +02:00 · 2025-08-17 16:26:28 +02:00 · 2025-08-17 15:53:55 +02:00 · 2025-08-17 13:12:36 +02:00 · 2025-08-17 12:46:37 +02:00 · 2025-08-17 12:15:39 +02:00
11 changed files with 216 additions and 42 deletions
--- a/cmd/steam-crypt/main.go
+++ b/cmd/steam-crypt/main.go
@@ -0,0 +1,93 @@
+package main
+
+import (
+	"acc-server-manager/local/model"
+	"acc-server-manager/local/utl/configs"
+	"flag"
+	"fmt"
+	"os"
+)
+
+func main() {
+	var (
+		encrypt   = flag.Bool("encrypt", false, "Encrypt a password")
+		decrypt   = flag.Bool("decrypt", false, "Decrypt a password")
+		password  = flag.String("password", "", "Password to encrypt/decrypt")
+		help      = flag.Bool("help", false, "Show help")
+	)
+
+	flag.Parse()
+
+	if *help || (!*encrypt && !*decrypt) {
+		showHelp()
+		return
+	}
+
+	if *encrypt && *decrypt {
+		fmt.Fprintf(os.Stderr, "Error: Cannot specify both -encrypt and -decrypt\n")
+		os.Exit(1)
+	}
+
+	if *password == "" {
+		fmt.Fprintf(os.Stderr, "Error: Password is required\n")
+		showHelp()
+		os.Exit(1)
+	}
+
+	// Initialize configs to load encryption key
+	configs.Init()
+
+	if *encrypt {
+		encrypted, err := model.EncryptPassword(*password)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Error encrypting password: %v\n", err)
+			os.Exit(1)
+		}
+		fmt.Println(encrypted)
+	}
+
+	if *decrypt {
+		decrypted, err := model.DecryptPassword(*password)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Error decrypting password: %v\n", err)
+			os.Exit(1)
+		}
+		fmt.Println(decrypted)
+	}
+}
+
+func showHelp() {
+	fmt.Println("Steam Credentials Encryption/Decryption Utility")
+	fmt.Println()
+	fmt.Println("This utility encrypts and decrypts Steam credentials using the same")
+	fmt.Println("AES-256-GCM encryption used by the ACC Server Manager application.")
+	fmt.Println()
+	fmt.Println("Usage:")
+	fmt.Println("  steam-crypt -encrypt -password \"your_password\"")
+	fmt.Println("  steam-crypt -decrypt -password \"encrypted_string\"")
+	fmt.Println()
+	fmt.Println("Options:")
+	fmt.Println("  -encrypt    Encrypt the provided password")
+	fmt.Println("  -decrypt    Decrypt the provided encrypted string")
+	fmt.Println("  -password   The password to encrypt or encrypted string to decrypt")
+	fmt.Println("  -help       Show this help message")
+	fmt.Println()
+	fmt.Println("Environment Variables Required:")
+	fmt.Println("  ENCRYPTION_KEY  - 32-byte encryption key (same as main application)")
+	fmt.Println("  APP_SECRET      - Application secret (required by configs)")
+	fmt.Println("  APP_SECRET_CODE - Application secret code (required by configs)")
+	fmt.Println("  ACCESS_KEY      - Access key (required by configs)")
+	fmt.Println()
+	fmt.Println("Examples:")
+	fmt.Println("  # Encrypt a password")
+	fmt.Println("  steam-crypt -encrypt -password \"mysteampassword\"")
+	fmt.Println()
+	fmt.Println("  # Decrypt an encrypted password")
+	fmt.Println("  steam-crypt -decrypt -password \"base64encryptedstring\"")
+	fmt.Println()
+	fmt.Println("Security Notes:")
+	fmt.Println("  - The encryption key must be exactly 32 bytes for AES-256")
+	fmt.Println("  - Uses AES-256-GCM for authenticated encryption")
+	fmt.Println("  - Each encryption includes a unique nonce for security")
+	fmt.Println("  - Passwords are validated for length and basic security")
+}
--- a/local/controller/membership.go
+++ b/local/controller/membership.go
@@ -34,7 +34,7 @@ func NewMembershipController(service *service.MembershipService, auth *middlewar
 	}

 	routeGroups.Auth.Post("/login", mc.Login)
-	routeGroups.Auth.Post("/open-token", mc.GenerateOpenToken)
+	routeGroups.Auth.Post("/open-token", mc.auth.Authenticate, mc.GenerateOpenToken)

 	usersGroup := routeGroups.Membership
 	usersGroup.Use(mc.auth.Authenticate)
@@ -95,7 +95,7 @@ func (c *MembershipController) Login(ctx *fiber.Ctx) error {
 // @Failure 500 {object} error_handler.ErrorResponse "Internal server error"
 // @Router /auth/open-token [post]
 func (c *MembershipController) GenerateOpenToken(ctx *fiber.Ctx) error {
-	token, err := c.service.GenerateOpenToken(ctx.UserContext(), ctx.Locals("userId").(string))
+	token, err := c.service.GenerateOpenToken(ctx.UserContext(), ctx.Locals("userID").(string))
 	if err != nil {
 		return c.errorHandler.HandleAuthError(ctx, err)
 	}
--- a/local/middleware/auth.go
+++ b/local/middleware/auth.go
@@ -52,20 +52,28 @@ func NewAuthMiddleware(ms *service.MembershipService, cache *cache.InMemoryCache

 // Authenticate is a middleware for JWT authentication with enhanced security.
 func (m *AuthMiddleware) AuthenticateOpen(ctx *fiber.Ctx) error {
-	return m.AuthenticateWithHandler(m.openJWTHandler.JWTHandler, ctx)
+	return m.AuthenticateWithHandler(m.openJWTHandler.JWTHandler, true, ctx)
 }

 // Authenticate is a middleware for JWT authentication with enhanced security.
 func (m *AuthMiddleware) Authenticate(ctx *fiber.Ctx) error {
-	return m.AuthenticateWithHandler(m.jwtHandler, ctx)
+	return m.AuthenticateWithHandler(m.jwtHandler, false, ctx)
 }

-func (m *AuthMiddleware) AuthenticateWithHandler(jwtHandler *jwt.JWTHandler, ctx *fiber.Ctx) error {
+func (m *AuthMiddleware) AuthenticateWithHandler(jwtHandler *jwt.JWTHandler, isOpenToken bool, ctx *fiber.Ctx) error {
 	// Log authentication attempt
 	ip := ctx.IP()
 	userAgent := ctx.Get("User-Agent")

 	authHeader := ctx.Get("Authorization")
+
+	if jwtHandler.IsOpenToken && !isOpenToken {
+		logging.Error("Authentication failed: attempting to authenticate with open token")
+		return ctx.Status(fiber.StatusUnauthorized).JSON(fiber.Map{
+			"error": "Wrong token type used",
+		})
+	}
+
 	if authHeader == "" {
 		logging.Error("Authentication failed: missing Authorization header from IP %s", ip)
 		return ctx.Status(fiber.StatusUnauthorized).JSON(fiber.Map{
@@ -98,6 +106,13 @@ func (m *AuthMiddleware) AuthenticateWithHandler(jwtHandler *jwt.JWTHandler, ctx
 		})
 	}

+	if !jwtHandler.IsOpenToken && claims.IsOpenToken {
+		logging.Error("Authentication failed: attempting to authenticate with open token")
+		return ctx.Status(fiber.StatusUnauthorized).JSON(fiber.Map{
+			"error": "Wrong token type used",
+		})
+	}
+
 	// Additional security: validate user ID format
 	if claims.UserID == "" || len(claims.UserID) < 10 {
 		logging.Error("Authentication failed: invalid user ID in token from IP %s", ip)
--- a/local/service/membership.go
+++ b/local/service/membership.go
@@ -63,16 +63,11 @@ func (s *MembershipService) Login(ctx context.Context, username, password string
 		return "", err
 	}

-	return s.jwtHandler.GenerateToken(user)
+	return s.jwtHandler.GenerateToken(user.ID.String())
 }

 func (s *MembershipService) GenerateOpenToken(ctx context.Context, userId string) (string, error) {
-	user, err := s.repo.GetByID(ctx, userId)
-	if err != nil {
-		return "", err
-	}
-
-	return s.openJwtHandler.GenerateToken(user)
+	return s.openJwtHandler.GenerateToken(userId)
 }

 // CreateUser creates a new user.
--- a/local/service/steam_service.go
+++ b/local/service/steam_service.go
@@ -35,9 +35,15 @@ func NewSteamService(repository *repository.SteamCredentialsRepository, tfaManag
 		LogOutput: true,
 	}

+	// Create a separate executor for SteamCMD that doesn't use PowerShell
+	steamCMDExecutor := &command.CommandExecutor{
+		ExePath:   env.GetSteamCMDPath(),
+		LogOutput: true,
+	}
+
 	return &SteamService{
 		executor:            baseExecutor,
-		interactiveExecutor: command.NewInteractiveCommandExecutor(baseExecutor, tfaManager),
+		interactiveExecutor: command.NewInteractiveCommandExecutor(steamCMDExecutor, tfaManager),
 		repository:          repository,
 		tfaManager:          tfaManager,
 		pathValidator:       security.NewPathValidator(),
@@ -121,14 +127,8 @@ func (s *SteamService) InstallServer(ctx context.Context, installPath string, se
 		return fmt.Errorf("failed to get Steam credentials: %v", err)
 	}

-	// Get SteamCMD path from environment variable
-	steamCMDPath := env.GetSteamCMDPath()
-
-	// Build SteamCMD command
+	// Build SteamCMD command (no PowerShell args needed since we call SteamCMD directly)
 	args := []string{
-		"-nologo",
-		"-noprofile",
-		steamCMDPath,
 		"+force_install_dir", absPath,
 		"+login",
 	}
@@ -148,9 +148,17 @@ func (s *SteamService) InstallServer(ctx context.Context, installPath string, se
 		"+quit",
 	)

-	// Use interactive executor to handle potential 2FA prompts
+	// Use interactive executor to handle potential 2FA prompts with timeout
 	logging.Info("Installing ACC server to %s...", absPath)
-	if err := s.interactiveExecutor.ExecuteInteractive(ctx, serverID, args...); err != nil {
+	
+	// Create a context with timeout to prevent hanging indefinitely
+	timeoutCtx, cancel := context.WithTimeout(ctx, 10*time.Minute)
+	defer cancel()
+	
+	if err := s.interactiveExecutor.ExecuteInteractive(timeoutCtx, serverID, args...); err != nil {
+		if timeoutCtx.Err() == context.DeadlineExceeded {
+			return fmt.Errorf("SteamCMD operation timed out after 10 minutes")
+		}
 		return fmt.Errorf("failed to run SteamCMD: %v", err)
 	}

--- a/local/utl/command/interactive_executor.go
+++ b/local/utl/command/interactive_executor.go
@@ -61,14 +61,33 @@ func (e *InteractiveCommandExecutor) ExecuteInteractive(ctx context.Context, ser
 	}

 	// Create channels for output monitoring
-	outputDone := make(chan error)
+	outputDone := make(chan error, 1)
+	cmdDone := make(chan error, 1)

 	// Monitor stdout and stderr for 2FA prompts
 	go e.monitorOutput(ctx, stdout, stderr, serverID, outputDone)

-	// Wait for either the command to finish or output monitoring to complete
-	cmdErr := cmd.Wait()
-	outputErr := <-outputDone
+	// Wait for the command to finish in a separate goroutine
+	go func() {
+		cmdDone <- cmd.Wait()
+	}()
+
+	// Wait for both command and output monitoring to complete
+	var cmdErr, outputErr error
+	completedCount := 0
+
+	for completedCount < 2 {
+		select {
+		case cmdErr = <-cmdDone:
+			completedCount++
+			logging.Info("Command execution completed")
+		case outputErr = <-outputDone:
+			completedCount++
+			logging.Info("Output monitoring completed")
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}

 	if outputErr != nil {
 		logging.Warn("Output monitoring error: %v", outputErr)
@@ -78,45 +97,85 @@ func (e *InteractiveCommandExecutor) ExecuteInteractive(ctx context.Context, ser
 }

 func (e *InteractiveCommandExecutor) monitorOutput(ctx context.Context, stdout, stderr io.Reader, serverID *uuid.UUID, done chan error) {
-	defer close(done)
+	defer func() {
+		select {
+		case done <- nil:
+		default:
+		}
+	}()

 	// Create scanners for both outputs
 	stdoutScanner := bufio.NewScanner(stdout)
 	stderrScanner := bufio.NewScanner(stderr)

-	outputChan := make(chan string)
+	outputChan := make(chan string, 100) // Buffered channel to prevent blocking
+	readersDone := make(chan struct{}, 2)

 	// Read from stdout
 	go func() {
+		defer func() { readersDone <- struct{}{} }()
 		for stdoutScanner.Scan() {
 			line := stdoutScanner.Text()
 			if e.LogOutput {
 				logging.Info("STDOUT: %s", line)
 			}
-			outputChan <- line
+			select {
+			case outputChan <- line:
+			case <-ctx.Done():
+				return
+			}
+		}
+		if err := stdoutScanner.Err(); err != nil {
+			logging.Warn("Stdout scanner error: %v", err)
 		}
 	}()

 	// Read from stderr
 	go func() {
+		defer func() { readersDone <- struct{}{} }()
 		for stderrScanner.Scan() {
 			line := stderrScanner.Text()
 			if e.LogOutput {
 				logging.Info("STDERR: %s", line)
 			}
-			outputChan <- line
+			select {
+			case outputChan <- line:
+			case <-ctx.Done():
+				return
+			}
+		}
+		if err := stderrScanner.Err(); err != nil {
+			logging.Warn("Stderr scanner error: %v", err)
 		}
 	}()

-	// Monitor for 2FA prompts
+	// Monitor for completion and 2FA prompts
+	readersFinished := 0
 	for {
 		select {
 		case <-ctx.Done():
 			done <- ctx.Err()
 			return
+		case <-readersDone:
+			readersFinished++
+			if readersFinished == 2 {
+				// Both readers are done, close output channel and finish monitoring
+				close(outputChan)
+				// Drain any remaining output
+				for line := range outputChan {
+					if e.is2FAPrompt(line) {
+						if err := e.handle2FAPrompt(ctx, line, serverID); err != nil {
+							logging.Error("Failed to handle 2FA prompt: %v", err)
+							done <- err
+							return
+						}
+					}
+				}
+				return
+			}
 		case line, ok := <-outputChan:
 			if !ok {
-				done <- nil
+				// Channel closed, we're done
 				return
 			}

--- a/local/utl/configs/configs.go
+++ b/local/utl/configs/configs.go
@@ -8,7 +8,7 @@ import (
 )

 var (
-	Version       = "0.10.5"
+	Version       = "0.10.7"
 	Prefix        = "v1"
 	Secret        string
 	SecretCode    string
--- a/local/utl/jwt/jwt.go
+++ b/local/utl/jwt/jwt.go
@@ -13,12 +13,14 @@ import (

 // Claims represents the JWT claims.
 type Claims struct {
-	UserID string `json:"user_id"`
+	UserID      string `json:"user_id"`
+	IsOpenToken bool   `json:"is_open_token"`
 	jwt.RegisteredClaims
 }

 type JWTHandler struct {
-	SecretKey []byte
+	SecretKey   []byte
+	IsOpenToken bool
 }

 type OpenJWTHandler struct {
@@ -28,6 +30,7 @@ type OpenJWTHandler struct {
 // NewJWTHandler creates a new JWTHandler instance with the provided secret key.
 func NewOpenJWTHandler(jwtSecret string) *OpenJWTHandler {
 	jwtHandler := NewJWTHandler(jwtSecret)
+	jwtHandler.IsOpenToken = true
 	return &OpenJWTHandler{
 		JWTHandler: jwtHandler,
 	}
@@ -68,13 +71,14 @@ func (jh *JWTHandler) GenerateSecretKey() string {
 }

 // GenerateToken generates a new JWT for a given user.
-func (jh *JWTHandler) GenerateToken(user *model.User) (string, error) {
+func (jh *JWTHandler) GenerateToken(userId string) (string, error) {
 	expirationTime := time.Now().Add(24 * time.Hour)
 	claims := &Claims{
-		UserID: user.ID.String(),
+		UserID: userId,
 		RegisteredClaims: jwt.RegisteredClaims{
 			ExpiresAt: jwt.NewNumericDate(expirationTime),
 		},
+		IsOpenToken: jh.IsOpenToken,
 	}

 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
@@ -88,6 +92,7 @@ func (jh *JWTHandler) GenerateTokenWithExpiry(user *model.User, expiry time.Time
 		RegisteredClaims: jwt.RegisteredClaims{
 			ExpiresAt: jwt.NewNumericDate(expirationTime),
 		},
+		IsOpenToken: jh.IsOpenToken,
 	}

 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
--- a/local/utl/security/path_validator.go
+++ b/local/utl/security/path_validator.go
@@ -16,7 +16,6 @@ type PathValidator struct {
 func NewPathValidator() *PathValidator {
 	blockedPatterns := []*regexp.Regexp{
 		regexp.MustCompile(`\.\.`),
-		regexp.MustCompile(`[<>:"|?*]`),
 		regexp.MustCompile(`^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$`),
 		regexp.MustCompile(`\x00`),
 		regexp.MustCompile(`^\\\\`),
@@ -92,4 +91,4 @@ func (pv *PathValidator) AddAllowedBasePath(path string) error {

 func (pv *PathValidator) GetAllowedBasePaths() []string {
 	return append([]string(nil), pv.allowedBasePaths...)
-}
+}
--- a/tests/auth_helper.go
+++ b/tests/auth_helper.go
@@ -28,7 +28,7 @@ func GenerateTestToken() (string, error) {
 	jwtHandler := jwt.NewJWTHandler(testSecret)

 	// Generate JWT token
-	token, err := jwtHandler.GenerateToken(user)
+	token, err := jwtHandler.GenerateToken(user.ID.String())
 	if err != nil {
 		return "", fmt.Errorf("failed to generate test token: %w", err)
 	}
@@ -55,7 +55,7 @@ func GenerateTestTokenWithExpiry(expiryTime time.Time) (string, error) {
 		testSecret = "test-secret-that-is-at-least-32-bytes-long-for-security"
 	}
 	jwtHandler := jwt.NewJWTHandler(testSecret)
-	
+
 	// Create test user
 	user := &model.User{
 		ID:       uuid.New(),
--- a/tests/unit/service/auth_simple_test.go
+++ b/tests/unit/service/auth_simple_test.go
@@ -26,7 +26,7 @@ func TestJWT_GenerateAndValidateToken(t *testing.T) {
 	}

 	// Test JWT generation
-	token, err := jwtHandler.GenerateToken(user)
+	token, err := jwtHandler.GenerateToken(user.ID.String())
 	tests.AssertNoError(t, err)
 	tests.AssertNotNil(t, token)
Author	SHA1	Message	Date
Fran Jurmanović	f660511b63	change steamCMD executor All checks were successful Release and Deploy / build (push) Successful in 2m1s Details Release and Deploy / deploy (push) Successful in 23s Details	2025-08-17 16:42:10 +02:00
Fran Jurmanović	044af60699	steam-crypt app and fix the interactive executor All checks were successful Release and Deploy / build (push) Successful in 2m2s Details Release and Deploy / deploy (push) Successful in 22s Details	2025-08-17 16:26:28 +02:00
Fran Jurmanović	384036bcdd	remove blocker pattern All checks were successful Release and Deploy / build (push) Successful in 2m5s Details Release and Deploy / deploy (push) Successful in 26s Details	2025-08-17 15:53:55 +02:00
Fran Jurmanović	ef300d233b	fix wrong userID from context All checks were successful Release and Deploy / build (push) Successful in 3m26s Details Release and Deploy / deploy (push) Successful in 24s Details	2025-08-17 13:12:36 +02:00
Fran Jurmanović	edad65d6a9	generate open token using normal token All checks were successful Release and Deploy / build (push) Successful in 3m1s Details Release and Deploy / deploy (push) Successful in 23s Details	2025-08-17 12:46:37 +02:00
Fran Jurmanović	486c972bba	open token authentication All checks were successful Release and Deploy / build (push) Successful in 3m51s Details Release and Deploy / deploy (push) Successful in 28s Details	2025-08-17 12:15:39 +02:00