Client JWT authentication (#723)

## Description: Send JWT to the game server for verification. ## Please complete the following: - [x] I have added screenshots for all UI updates - [ ] I confirm I have thoroughly tested these changes and take full responsibility for any bugs introduced - [x] I understand that submitting code with bugs that could have been caught through manual testing blocks releases and new features for all contributors --------- Co-authored-by: Scott Anderson <662325+scottanderson@users.noreply.github.com>
2026-06-23 00:05:21 +00:00 · 2025-05-12 14:51:40 -04:00
parent b402a3549e
commit f8a052a6ce
16 changed files with 123 additions and 20 deletions
@@ -1,4 +1,5 @@
 import WebSocket from "ws";
+import { TokenPayload } from "../core/ApiSchemas";
 import { PlayerID, Tick } from "../core/game/Game";
 import { ClientID } from "../core/Schemas";
 import { generateID } from "../core/Util";
@@ -13,6 +14,7 @@ export class Client {
  constructor(
    public readonly clientID: ClientID,
    public readonly persistentID: string,
+    public readonly claims: TokenPayload | null,
    public readonly ip: string,
    public readonly username: string,
    public readonly ws: WebSocket,
@@ -13,6 +13,7 @@ import { archive, readGameRecord } from "./Archive";
 import { Client } from "./Client";
 import { GameManager } from "./GameManager";
 import { gatekeeper, LimiterType } from "./Gatekeeper";
+import { verifyClientToken } from "./jwt";
 import { logger } from "./Logger";
 import { initWorkerMetrics } from "./WorkerMetrics";

@@ -301,10 +302,16 @@ export function startWorker() {
              return;
            }

+            const { persistentId, claims } = await verifyClientToken(
+              clientMsg.token,
+              config,
+            );
+
            // Create client and add to game
            const client = new Client(
              clientMsg.clientID,
-              clientMsg.persistentID,
+              persistentId,
+              claims ?? null,
              ip,
              clientMsg.username,
              ws,
@@ -0,0 +1,29 @@
+import { jwtVerify } from "jose";
+import { TokenPayload, TokenPayloadSchema } from "../core/ApiSchemas";
+import { ServerConfig } from "../core/configuration/Config";
+
+type TokenVerificationResult = {
+  persistentId: string;
+  claims: TokenPayload | null;
+};
+
+export async function verifyClientToken(
+  token: string,
+  config: ServerConfig,
+): Promise<TokenVerificationResult> {
+  if (token.length === 36) {
+    return { persistentId: token, claims: null };
+  }
+  const issuer = config.jwtIssuer();
+  const audience = config.jwtAudience();
+  const key = await config.jwkPublicKey();
+  const { payload, protectedHeader } = await jwtVerify(token, key, {
+    algorithms: ["EdDSA"],
+    issuer,
+    audience,
+    maxTokenAge: "6 days",
+  });
+  const claims = TokenPayloadSchema.parse(payload);
+  const persistentId = claims.sub;
+  return { persistentId, claims };
+}