diff --git a/src/main/java/emu/grasscutter/game/HandbookActions.java b/src/main/java/emu/grasscutter/game/HandbookActions.java
index 7a9566012..5c946ad9a 100644
--- a/src/main/java/emu/grasscutter/game/HandbookActions.java
+++ b/src/main/java/emu/grasscutter/game/HandbookActions.java
@@ -5,6 +5,7 @@ import emu.grasscutter.data.GameData;
 import emu.grasscutter.game.avatar.Avatar;
 import emu.grasscutter.game.entity.EntityMonster;
 import emu.grasscutter.game.inventory.GameItem;
+import emu.grasscutter.game.player.Player;
 import emu.grasscutter.game.props.ActionReason;
 import emu.grasscutter.server.packet.send.PacketAddNoGachaAvatarCardNotify;
 import emu.grasscutter.utils.objects.HandbookBody.*;
@@ -12,6 +13,20 @@ import java.util.Objects;
 
 /** Commands executed by the handbook. */
 public interface HandbookActions {
+ /**
+ * Checks if the player is authenticated.
+ *
+ * @param player The player.
+ * @param token The player's unique session token.
+ * @return True if the player is authenticated.
+ */
+ static boolean isAuthenticated(Player player, String token) {
+ // Check properties.
+ if (player == null || token == null) return false;
+ // Compare the session key and token.
+ return player.getSessionKey().equals(token);
+ }
+
 /**
 * Grants an avatar to the player.
 *
@@ -37,6 +52,9 @@ public interface HandbookActions {
 if (player == null) {
 return Response.builder().status(1).message("Player not found.").build();
 }
+ if (!HandbookActions.isAuthenticated(player, request.getPlayerToken())) {
+ return Response.builder().status(1).message("Player not authorized.").build();
+ }
 if (avatarData == null) {
 return Response.builder().status(400).message("Invalid avatar ID.").build();
 }
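Review bot: `player.getSessionKey().equals(token)` in isAuthenticated treats an empty token as valid whenever the session key is empty, and getSessionKey() in the Player.java hunk below returns `""` when the account cannot be resolved, so a request carrying an empty playerToken for such a player would pass this check; if Account's key can ever be null (not visible here) the call would also throw rather than return false. Reject blank values on both sides and compare with a constant-time primitive: `var key = player.getSessionKey();` / `if (key == null || key.isBlank() || token.isBlank()) return false;` / `return MessageDigest.isEqual(key.getBytes(StandardCharsets.UTF_8), token.getBytes(StandardCharsets.UTF_8));` (requires importing `java.security.MessageDigest` and `java.nio.charset.StandardCharsets`). The Javadoc should also state what the token is compared against, e.g. `@param token The session key presented by the caller; must equal the account's current session key.`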
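Review bot: The authorization guard is inserted after the `Player not found.` branch, so the response text tells an unauthenticated caller whether a UID exists before the token is checked; the same ordering is repeated in the hunks at @@ -92, @@ -150 and @@ -201. Consider returning one indistinguishable response for both failures, e.g. `return Response.builder().status(1).message("Player not found or not authorized.").build();`, and using a status distinct from the 400 used for input errors just below. Four verbatim copies of the three-line guard also invite a future endpoint to omit it; a single static helper that performs the lookup and the token check together would keep the policy in one place. The enclosing methods start and end outside these hunks.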
@@ -92,6 +110,9 @@ public interface HandbookActions {
 if (player == null) {
 return Response.builder().status(1).message("Player not found.").build();
 }
+ if (!HandbookActions.isAuthenticated(player, request.getPlayerToken())) {
+ return Response.builder().status(1).message("Player not authorized.").build();
+ }
 if (itemData == null) {
 return Response.builder().status(400).message("Invalid player UID or item ID.").build();
 }
@@ -150,6 +171,9 @@ public interface HandbookActions {
 if (player == null) {
 return Response.builder().status(1).message("Player not found.").build();
 }
+ if (!HandbookActions.isAuthenticated(player, request.getPlayerToken())) {
+ return Response.builder().status(1).message("Player not authorized.").build();
+ }
 
 // Find the scene in the player's world.
 var scene = player.getWorld().getSceneById(sceneId);
@@ -201,6 +225,9 @@ public interface HandbookActions {
 if (player == null) {
 return Response.builder().status(1).message("Player not found.").build();
 }
+ if (!HandbookActions.isAuthenticated(player, request.getPlayerToken())) {
+ return Response.builder().status(1).message("Player not authorized.").build();
+ }
 if (entityData == null) {
 return Response.builder().status(400).message("Invalid entity ID.").build();
 }
diff --git a/src/main/java/emu/grasscutter/game/player/Player.java b/src/main/java/emu/grasscutter/game/player/Player.java
index c4ea75232..b1846a50e 100644
--- a/src/main/java/emu/grasscutter/game/player/Player.java
+++ b/src/main/java/emu/grasscutter/game/player/Player.java
@@ -72,10 +72,7 @@ import emu.grasscutter.server.game.GameServer;
 import emu.grasscutter.server.game.GameSession;
 import emu.grasscutter.server.game.GameSession.SessionState;
 import emu.grasscutter.server.packet.send.*;
-import emu.grasscutter.utils.DateHelper;
-import emu.grasscutter.utils.MessageHandler;
-import emu.grasscutter.utils.Position;
-import emu.grasscutter.utils.Utils;
+import emu.grasscutter.utils.*;
 import it.unimi.dsi.fastutil.ints.Int2ObjectMap;
 import it.unimi.dsi.fastutil.ints.Int2ObjectOpenHashMap;
 import lombok.Getter;
@@ -98,6 +95,7 @@ public class Player implements PlayerHook {
 @Getter private String accountId;
 @Setter private transient Account account;
 @Getter @Setter private transient GameSession session;
+ @Transient private String sessionKey;
 
 @Getter private String nickname;
 @Getter private String signature;
@@ -376,6 +374,24 @@ public class Player implements PlayerHook {
 return this.account;
 }
 
+ /**
+ * @return The player's session key.
+ */
+ public String getSessionKey() {
+ if (this.sessionKey == null) {
+ // Check if the account is null.
+ if (this.account == null) {
+ this.account = DispatchUtils.getAccountById(this.getAccountId());
+ }
+ if (this.account == null) return "";
+
+ // Get the session key.
+ this.sessionKey = this.getAccount().getSessionKey();
+ }
+
+ return this.sessionKey;
+ }
+
 public boolean isOnline() {
 return this.getSession() != null && this.getSession().isActive();
 }
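Review bot: Four explicit imports are collapsed into `import emu.grasscutter.utils.*;`, presumably only to bring `DispatchUtils` (used in the getSessionKey() hunk below) into scope; a wildcard on a growing utility package can later shadow or collide with other names without any compile-time hint. Prefer keeping the four explicit lines and adding `import emu.grasscutter.utils.DispatchUtils;`.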
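Review bot: getSessionKey() stores the key in `sessionKey` on first use and nothing in this hunk ever resets it, so if the account's session key is replaced on a later login (Account is not visible here) the stale value would keep passing isAuthenticated for as long as this Player object lives; the `return ""` sentinel additionally makes an unresolvable account indistinguishable from a real empty key for callers that compare with equals(). Either read `this.getAccount().getSessionKey()` on every call, or clear `this.sessionKey = null` wherever the account or session is replaced, and return null instead of the empty string so absence must be handled explicitly: `if (this.account == null) return null;`. The Javadoc has no summary sentence; suggest `/** Returns the session key of the backing account, or null when no account can be resolved for this player. */`, and a why-comment on the `DispatchUtils.getAccountById` line noting that this getter performs an account lookup as a side effect. The enclosing class continues outside the hunk.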