From 4f54f252f95f691cdc05901768201248f2f7d065 Mon Sep 17 00:00:00 2001
From: Sheikah45 <66929319+Sheikah45@users.noreply.github.com>
Date: Mon, 27 Sep 2021 14:07:08 -0400
Subject: [PATCH] Check for lobby scope in token during login (#840)
* Add check for lobby scope during login with token
* rebase and fix line length
---
 server/oauth_service.py | 7 ++++++
 tests/integration_tests/test_login.py | 33 +++++++++++++++++++++++++--
 2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/server/oauth_service.py b/server/oauth_service.py
index 47bab9c3e..75ab71d67 100644
--- a/server/oauth_service.py
+++ b/server/oauth_service.py
@@ -85,6 +85,13 @@ async def get_player_id_from_token(self, token: str) -> int:
 algorithms="RS256",
 options={"verify_aud": False}
 )
+
+ if "lobby" not in decoded["scp"]:
+ raise AuthenticationError(
+ "Token does not have permission to login to the lobby server",
+ "token"
+ )
+
 return int(decoded["sub"])
 except (InvalidTokenError, KeyError, ValueError):
 raise AuthenticationError("Token signature was invalid", "token")
diff --git a/tests/integration_tests/test_login.py b/tests/integration_tests/test_login.py
index 54998033e..2582f5cd3 100644
--- a/tests/integration_tests/test_login.py
+++ b/tests/integration_tests/test_login.py
@@ -235,7 +235,7 @@ async def test_server_valid_login_with_token(lobby_server, jwk_priv_key, jwk_kid
 "token": jwt.encode({
 "sub": 3,
 "user_name": "Rhiza",
- "scope": [],
+ "scp": ["lobby"],
 "exp": int(time() + 1000),
 "authorities": [],
 "non_locked": True,
@@ -298,7 +298,7 @@ async def test_server_login_bad_id_in_token(lobby_server, jwk_priv_key, jwk_kid)
 "token": jwt.encode({
 "sub": -1,
 "user_name": "Rhiza",
- "scope": [],
+ "scp": ["lobby"],
 "exp": int(time() + 1000),
 "authorities": [],
 "non_locked": True,
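Review bot: The new check reads `decoded["scp"]` with a plain subscript, so a correctly signed token that simply lacks the `scp` claim raises KeyError, which the enclosing `except (InvalidTokenError, KeyError, ValueError)` reports as "Token signature was invalid" — a misleading message for a token whose signature verified fine, and it is the "missing critical data" case the new test's docstring describes while the test itself only exercises `"scp": []`. Use `if "lobby" not in decoded.get("scp", []):` so an absent claim yields the scope error, and add a sibling test whose token carries no `scp` key at all. If the issuer can ever emit `scp` as a space-separated string rather than a list, `in` becomes a substring test and a scope name that merely contains "lobby" would pass; normalising a string value into a set before the membership test would make the check robust to either form — this is an assumption about the token format, worth confirming against the issuer. The `try` block that wraps these lines begins before the hunk.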
@@ -323,6 +323,7 @@ async def test_server_login_expired_token(lobby_server, jwk_priv_key, jwk_kid):
 "user_agent": "faf-client",
 "token": jwt.encode({
 "sub": 1,
+ "scp": ["lobby"],
 "user_name": "test",
 "exp": int(time() - 10)
 }, jwk_priv_key, algorithm="RS256", headers={"kid": jwk_kid}),
@@ -356,3 +357,31 @@ async def test_server_login_malformed_token(lobby_server, jwk_priv_key, jwk_kid)
 "command": "authentication_failed",
 "text": "Token signature was invalid"
 }
+
+
+
+async def test_server_login_lobby_scope_missing(lobby_server, jwk_priv_key, jwk_kid):
+ """This scenario could only happen if the hydra signed a token that
+ was missing critical data"""
+ proto = await connect_client(lobby_server)
+ await proto.send_message({
+ "command": "auth",
+ "version": "1.0.0-dev",
+ "user_agent": "faf-client",
+ "token": jwt.encode({
+ "sub": 3,
+ "user_name": "Rhiza",
+ "scp": [],
+ "exp": int(time() + 1000),
+ "authorities": [],
+ "non_locked": True,
+ "jti": "",
+ "client_id": ""
+ }, jwk_priv_key, algorithm="RS256", headers={"kid": jwk_kid}),
+ "unique_id": "some_id"
+ })
+
+ msg = await proto.read_message()
+ assert msg == {
+ "command": "authentication_failed",
+ "text": "Token does not have permission to login to the lobby server"
+ }