Undo previous commit, authenticate via Steam API

patapancakes · patapancakes · commit 6d84c253daa2 · 2025-05-19T21:00:32.000-04:00
diff --git a/go.mod b/go.mod
@@ -8,11 +8,8 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.78.2
 	github.com/blezek/tga v0.0.0-20150626111426-80720cbc1017
 	github.com/go-sql-driver/mysql v1.9.0
-	github.com/tmcarey/steam-appticket-go v0.0.0-20250415182558-823c1784f126
 )
 
-require google.golang.org/protobuf v1.30.0 // indirect
-
 require (
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect
@@ -29,6 +26,6 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect
-	github.com/aws/smithy-go v1.22.3 // indirect
+	github.com/aws/smithy-go v1.22.2 // indirect
 	github.com/ftrvxmtrx/tga v0.0.0-20150524081124-bd8e8d5be13a // indirect
 )
diff --git a/go.sum b/go.sum
@@ -34,21 +34,11 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 h1:KwuLovgQPcdjNMfFt9OhUd9a
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
 github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 h1:PZV5W8yk4OtH1JAuhV2PXwwO9v5G5Aoj+eMCn4T+1Kc=
 github.com/aws/aws-sdk-go-v2/service/sts v1.33.17/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
-github.com/aws/smithy-go v1.22.3 h1:Z//5NuZCSW6R4PhQ93hShNbyBbn8BWCmCVCt+Q8Io5k=
-github.com/aws/smithy-go v1.22.3/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
+github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
+github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/blezek/tga v0.0.0-20150626111426-80720cbc1017 h1:TWk6m6k3qegbUZsdsHk/ix22ANqPgLau40bPwiNQN40=
 github.com/blezek/tga v0.0.0-20150626111426-80720cbc1017/go.mod h1:WnX8JiQN+UtyUPq/1EIUaB2WVX3wdAmOBH5K52NyOO0=
 github.com/ftrvxmtrx/tga v0.0.0-20150524081124-bd8e8d5be13a h1:eSqaRmdlZ9JsJ7JuWfDr3ym3monToXRczohBOL+heVQ=
 github.com/ftrvxmtrx/tga v0.0.0-20150524081124-bd8e8d5be13a/go.mod h1:US5WvgEHtG+BvWNNs6gk937h0QL2g2x+r7RH8m3g80Y=
 github.com/go-sql-driver/mysql v1.9.0 h1:Y0zIbQXhQKmQgTp44Y1dp3wTXcn804QoTptLZT1vtvo=
 github.com/go-sql-driver/mysql v1.9.0/go.mod h1:pDetrLJeA3oMujJuvXc8RJoasr589B6A9fwzD3QMrqw=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/tmcarey/steam-appticket-go v0.0.0-20250415182558-823c1784f126 h1:9Fo5DAXX55SJTdcNiIWP0xCgCWWEoy/mApnQ8H8Vs9w=
-github.com/tmcarey/steam-appticket-go v0.0.0-20250415182558-823c1784f126/go.mod h1:TJFVH9O45IxZNWgnBtvWMl/5RlOCQ+eikbdNYACo1K4=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
diff --git a/ingame/toyboxapi/auth.go b/ingame/toyboxapi/auth.go
@@ -23,13 +23,10 @@ import (
 	"encoding/base64"
 	"fmt"
 	"net/http"
-	"slices"
-	"strconv"
+	"strings"
 
 	"github.com/flatgrassdotnet/cloudbox/db"
 	"github.com/flatgrassdotnet/cloudbox/utils"
-
-	appticket "github.com/tmcarey/steam-appticket-go"
 )
 
 // auth logs someone into the toybox api
@@ -49,18 +46,22 @@ func Auth(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	token := utils.UnBinHex(utils.UnBinHexString(r.FormValue("token")))
-
+	token := utils.UnBinHexString(r.FormValue("token"))
 	steamid := utils.UnBinHexString(r.FormValue("u"))
-
 	vac := utils.UnBinHexString(r.FormValue("vac"))
-	if !slices.Contains([]string{"good", "banned"}, vac) {
-		utils.WriteError(w, r, "invalid vac value")
+
+	user, err := utils.AuthenticateUserTicket(token)
+	if err != nil {
+		utils.WriteError(w, r, fmt.Sprintf("failed to validate steam ticket: %s", err))
+
+		// net/http errors shouldn't cause the game to exit
+		if !strings.Contains(err.Error(), "net/http:") {
+			fmt.Fprint(w, "chrome") // terminate game with anti-piracy error
+		}
+
 		return
 	}
-
-	appticket, err := appticket.ParseAppTicket(token, false)
-	if err != nil || !appticket.IsValid || appticket.AppID != 4000 || strconv.Itoa(int(appticket.SteamID)) != steamid {
+	if user.SteamID != steamid {
 		fmt.Fprint(w, "chrome") // terminate game with anti-piracy error
 		return
 	}
diff --git a/utils/steam.go b/utils/steam.go
@@ -35,6 +35,44 @@ import (
 
 var SteamAPIKey string
 
+type AuthenticateUserTicketResponse struct {
+	Response struct {
+		Params common.UserTicketInfo `json:"params"`
+		Error  struct {
+			ErrorCode int    `json:"errorcode"`
+			ErrorDesc string `json:"errordesc"`
+		} `json:"error"`
+	} `json:"response"`
+}
+
+func AuthenticateUserTicket(ticket string) (common.UserTicketInfo, error) {
+	v := make(url.Values)
+
+	v.Set("key", SteamAPIKey)
+	v.Set("appid", "4000") // garry's mod
+	v.Set("ticket", ticket)
+
+	r, err := http.Get(fmt.Sprintf("https://api.steampowered.com/ISteamUserAuth/AuthenticateUserTicket/v0001/?%s", v.Encode()))
+	if err != nil {
+		return common.UserTicketInfo{}, err
+	}
+
+	defer r.Body.Close()
+
+	var rd AuthenticateUserTicketResponse
+	err = json.NewDecoder(r.Body).Decode(&rd)
+	if err != nil {
+		return common.UserTicketInfo{}, err
+	}
+
+	// no steamid, something is wrong
+	if rd.Response.Params.SteamID == "" {
+		return common.UserTicketInfo{}, errors.New(rd.Response.Error.ErrorDesc)
+	}
+
+	return rd.Response.Params, nil
+}
+
 type GetPlayerSummariesResponse struct {
 	Response struct {
 		Players []common.PlayerSummaryInfo `json:"players"`
