From e2a956692620dd09dc46afe9c0774bb26c4fc3ca Mon Sep 17 00:00:00 2001
From: RednedEpic
Date: Wed, 12 Aug 2020 10:42:02 -0500
Subject: [PATCH] Kick player with invalid chain data for additional security

The client should disallow players to join servers if they're not logged in, however this just adds a second layer of security in the event that it's somehow bypassed.
---
 .../org/geysermc/connector/utils/LoginEncryptionUtils.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/connector/src/main/java/org/geysermc/connector/utils/LoginEncryptionUtils.java b/connector/src/main/java/org/geysermc/connector/utils/LoginEncryptionUtils.java
index 3d4dd506..8a13d054 100644
--- a/connector/src/main/java/org/geysermc/connector/utils/LoginEncryptionUtils.java
+++ b/connector/src/main/java/org/geysermc/connector/utils/LoginEncryptionUtils.java
@@ -105,6 +105,10 @@ public class LoginEncryptionUtils {
 connector.getLogger().debug(String.format("Is player data valid? %s", validChain));
+ if (!validChain) {
+ session.disconnect(LanguageUtils.getLocaleStringLog("geyser.auth.login.form.notice.desc"));
+ return;
+ }
 JWSObject jwt = JWSObject.parse(certChainData.get(certChainData.size() - 1).asText());
 JsonNode payload = JSON_MAPPER.readTree(jwt.getPayload().toBytes());
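Review bot: The new `if (!validChain)` branch disconnects silently apart from the existing debug-level "Is player data valid?" line, so a client presenting an unsigned or tampered chain — the very event this patch exists to stop — leaves no trace in normal server logs; log it at a non-debug level before the `session.disconnect(...)` call, naming the connecting client if the session exposes its address, so operators can notice bypass attempts. The disconnect reuses the locale key `geyser.auth.login.form.notice.desc`, which by its name is the login-form notice text rather than a message about rejected chain data, so the user is presumably told to log in when the real cause is an invalid chain; a dedicated key would be clearer. Since the commit text calls this "a second layer", a comment above the new `if` would keep the next maintainer from weakening it: `// Server-side chain validation is the only trustworthy check; a modified client can send any chain, so never rely on the client refusing to connect.` The enclosing method starts and ends outside the hunk, and whether the earlier validation copes with an empty certChainData before the `certChainData.get(certChainData.size() - 1)` below is not visible here.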