feat: NCS-82 add Swiss-system tournament module #55
@@ -49,3 +49,8 @@ graphify-out/
|
||||
/jacoco-reporter/.venv/
|
||||
/.claude/settings.local.json
|
||||
/.claude/worktrees/
|
||||
modules/tournament/src/main/resources/keys/dev-public.pem
|
||||
modules/account/src/main/resources/keys/dev-private.pem
|
||||
modules/account/src/main/resources/keys/dev-public.pem
|
||||
modules/core/src/main/resources/keys/dev-public.pem
|
||||
|
|
||||
java_pid2736.hprof
|
||||
|
||||
@@ -51,7 +51,7 @@ class BotAccount extends PanacheEntityBase:
|
||||
@JoinColumn(name = "owner_id", nullable = false)
|
||||
var owner: UserAccount = uninitialized
|
||||
|
||||
@Column(unique = true, nullable = false, length = 256)
|
||||
@Column(unique = true, nullable = false, length = 1024)
|
||||
var token: String = uninitialized
|
||||
|
||||
var rating: Int = 1500
|
||||
|
||||
@@ -153,9 +153,10 @@ class AccountService:
|
||||
val bot = new BotAccount()
|
||||
bot.name = botName
|
||||
bot.owner = owner
|
||||
bot.token = generateBotToken(bot.id)
|
||||
bot.token = UUID.randomUUID().toString
|
||||
lq64
commented
The token is set to a random UUID, persisted, then immediately overwritten with the real JWT and persisted again. This is two DB writes and leaves a window where the entity carries a meaningless token. Generate the ID first, build the JWT, set it once, then persist. The token is set to a random UUID, persisted, then immediately overwritten with the real JWT and persisted again. This is two DB writes and leaves a window where the entity carries a meaningless token. Generate the ID first, build the JWT, set it once, then persist.
|
||||
bot.createdAt = Instant.now()
|
||||
botAccountRepository.persist(bot)
|
||||
bot.token = generateBotToken(bot.id, bot.name)
|
||||
log.infof("Bot account %s created for owner %s", botName, ownerId.toString)
|
||||
Right(bot)
|
||||
|
||||
@@ -194,7 +195,7 @@ class AccountService:
|
||||
case Some(bot) =>
|
||||
if bot.owner.id != ownerId then Left(AccountError.NotAuthorized)
|
||||
else
|
||||
bot.token = generateBotToken(botId)
|
||||
bot.token = generateBotToken(botId, bot.name)
|
||||
botAccountRepository.persist(bot)
|
||||
Right(bot)
|
||||
|
||||
@@ -228,12 +229,13 @@ class AccountService:
|
||||
officialBotAccountRepository.delete(botId)
|
||||
Right(())
|
||||
|
||||
private def generateBotToken(botId: UUID): String =
|
||||
private def generateBotToken(botId: UUID, botName: String): String =
|
||||
Jwt
|
||||
.issuer("nowchess")
|
||||
.subject(botId.toString)
|
||||
.expiresAt(Long.MaxValue)
|
||||
.claim("type", "bot")
|
||||
.claim("name", botName)
|
||||
.sign()
|
||||
|
||||
|
lq64
commented
Non-expiring tokens are a security liability. If a bot token is leaked there is no recovery short of deleting the account. At minimum use a multi-year expiry, and surface a token-rotation endpoint so operators have a recovery path. Non-expiring tokens are a security liability. If a bot token is leaked there is no recovery short of deleting the account. At minimum use a multi-year expiry, and surface a token-rotation endpoint so operators have a recovery path.
|
||||
@Transactional
|
||||
|
||||
+1
-1
@@ -140,7 +140,7 @@ class TournamentService:
|
||||
Some(CorePlayerInfo(white.botId, white.botName)),
|
||||
Some(CorePlayerInfo(black.botId, black.botName)),
|
||||
Some(tc),
|
||||
if t.rated then Some("Rated") else Some("Casual"),
|
||||
Some("Authenticated"),
|
||||
)
|
||||
Try(coreGameClient.createGame(req)) match
|
||||
case Failure(ex) => log.errorf(ex, "Failed to create game for round %d in tournament %s", round, tournamentId)
|
||||
|
||||
@@ -96,6 +96,8 @@ class GameWebSocketResource:
|
||||
private def resolvePlayerId(handshake: HandshakeRequest): Option[String] =
|
||||
Option(handshake.header("Authorization"))
|
||||
.filter(_.nonEmpty)
|
||||
.map(h => if h.startsWith("Bearer ") then h.drop(7) else h)
|
||||
.orElse(Option(handshake.query("token")).filter(_.nonEmpty))
|
||||
.flatMap(token => Try(jwtParser.parse(token)).toOption)
|
||||
.map(_.getSubject)
|
||||
|
||||
|
||||
@@ -35,8 +35,7 @@ class UserWebSocketResource:
|
||||
|
||||
@OnOpen
|
||||
def onOpen(connection: WebSocketConnection, handshake: HandshakeRequest): Unit =
|
||||
val userIdOpt = Option(handshake.header("Authorization"))
|
||||
.filter(_.nonEmpty)
|
||||
val userIdOpt = resolveToken(handshake)
|
||||
.flatMap(token => Try(jwtParser.parse(token)).toOption)
|
||||
.map(_.getSubject)
|
||||
|
||||
@@ -52,6 +51,12 @@ class UserWebSocketResource:
|
||||
val connectedMsg = s"""{"type":"CONNECTED","userId":"$userId"}"""
|
||||
connection.sendText(connectedMsg).subscribe().`with`(_ => (), _ => ())
|
||||
|
||||
private def resolveToken(handshake: HandshakeRequest): Option[String] =
|
||||
Option(handshake.header("Authorization"))
|
||||
.filter(_.nonEmpty)
|
||||
.map(h => if h.startsWith("Bearer ") then h.drop(7) else h)
|
||||
.orElse(Option(handshake.query("token")).filter(_.nonEmpty))
|
||||
|
||||
@OnClose
|
||||
def onClose(connection: WebSocketConnection): Unit =
|
||||
log.infof("User WebSocket closed — connectionId=%s", connection.id())
|
||||
|
||||
Reference in New Issue
Block a user
This is a heap dump filename with a specific PID, meaning a heap dump was taken during development. Confirm the dump file itself is not tracked in the repository (git ls-files | grep hprof). The gitignore entry should use a wildcard (*.hprof) to catch any future dump rather than a single named file.