Require login to connect to staging (#1360)

## Description:

Complete:
- Add support for cookie-based auth (ref
https://github.com/openfrontio/infra/pull/83)
- Restrict game server API access to users with a specific flare
- Restrict join game to users with a valid token and an allowed flare
- Unauthorized landing page
- Token cache
- Destroy token cookie on logout

## Please complete the following:

- [x] I have added screenshots for all UI updates
- [x] I process any text displayed to the user through translateText()
and I've added it to the en.json file
- [x] I have added relevant tests to the test directory
- [x] I confirm I have thoroughly tested these changes and take full
responsibility for any bugs introduced
- [x] I understand that submitting code with bugs that could have been
caught through manual testing blocks releases and new features for all
contributors
Scott Anderson
2025-07-09 03:57:08 -04:00
committed by GitHub
parent 78deecdb6c
commit d8d5220948
8 changed files with 181 additions and 41 deletions
+23 -5
@@ -345,8 +345,8 @@ export function startWorker() {
// Verify token signature
const result = await verifyClientToken(clientMsg.token, config);
if (result === false) {
log.warn("Failed to verify token");
ws.close(1002, "Failed to verify token");
log.warn("Unauthorized: Invalid token");
ws.close(1002, "Unauthorized");
return;
}
const { persistentId, claims } = result;
@@ -354,18 +354,36 @@ export function startWorker() {
let roles: string[] | undefined;
let flares: string[] | undefined;
const allowedFlares = config.allowedFlares();
if (claims === null) {
// TODO: Verify that the persistendId is is not a registered player
if (allowedFlares !== undefined) {
log.warn("Unauthorized: Anonymous user attempted to join game");
ws.close(1002, "Unauthorized");
return;
}
} else {
// Verify token and get player permissions
const result = await getUserMe(clientMsg.token, config);
if (result === false) {
log.warn("Failed to verify token");
ws.close(1002, "Failed to verify token");
log.warn("Unauthorized: Invalid session");
ws.close(1002, "Unauthorized");
return;
}
roles = result.player.roles;
flares = result.player.flares;
if (allowedFlares !== undefined) {
const allowed =
allowedFlares.length === 0 ||
allowedFlares.some((f) => flares?.includes(f));
if (!allowed) {
log.warn(
"Forbidden: player without an allowed flare attempted to join game",
);
ws.close(1002, "Forbidden");
return;
}
}
}
// Check if the flag is allowed