server: Add authorization by checking against the connection ID in the database

Author: armsnyder

pkg/server/db.go

@@ -38,7 +38,7 @@ type game struct {
 	Player     common.Disk
 }
 
-func getGameAndOpponentAndConnectionIDs(ctx context.Context, args Args, host string) (game, string, []string, error) {
+func getGame(ctx context.Context, args Args, host string) (game, string, map[string]string, error) {
 	// Get the whole item from DynamoDB.
 	output, err := args.DB.GetItemWithContext(ctx, &dynamodb.GetItemInput{
 		TableName: aws.String(args.TableName),
@@ -64,39 +64,39 @@ func getGameAndOpponentAndConnectionIDs(ctx context.Context, args Args, host str
 		return game, "", nil, err
 	}
 
-	// Get just the connection ID values.
-	var connectionIDs []string
-	for _, v := range item.Connections {
-		connectionIDs = append(connectionIDs, v)
-	}
-
-	return game, item.Opponent, connectionIDs, err
+	return game, item.Opponent, item.Connections, err
 }
 
-func updateGame(ctx context.Context, args Args, host string, game game) error {
+func updateGame(ctx context.Context, args Args, host string, game game, connName, connID string) error {
 	gameBytes, err := json.Marshal(&game)
 	if err != nil {
 		return err
 	}
 
 	update := expression.Set(expression.Name(attribGame), expression.Value(gameBytes))
+	condition := expression.Name(attribConnections + "." + connName).Equal(expression.Value(connID))
 
-	_, err = updateItem(ctx, args, host, update, false)
+	_, err = updateItem(ctx, args, host, update, condition, false)
 	return err
 }
 
-func updateGameOpponentSetConnection(ctx context.Context, args Args, host string, game game, opponent, connName, connID string) error {
+func createGame(ctx context.Context, args Args, host string, game game, opponent, connName, connID string) error {
 	gameBytes, err := json.Marshal(&game)
 	if err != nil {
 		return err
 	}
 
 	update := expression.
 		Set(expression.Name(attribGame), expression.Value(gameBytes)).
-		Set(expression.Name(attribOpponent), expression.Value(opponent)).
 		Set(expression.Name(attribConnections), expression.Value(map[string]string{connName: connID}))
 
-	_, err = updateItem(ctx, args, host, update, false)
+	if opponent != "" {
+		update = update.Set(expression.Name(attribOpponent), expression.Value(opponent))
+	}
+
+	condition := expression.Name(attribHost).AttributeNotExists()
+
+	_, err = updateItem(ctx, args, host, update, condition, false)
 	return err
 }
 
@@ -106,7 +106,7 @@ func updateOpponentConnectionGetGameConnectionIDs(ctx context.Context, args Args
 		Set(expression.Name(attribConnections+"."+connName), expression.Value(connID))
 	condition := expression.In(expression.Name(attribOpponent), expression.Value(expectedOpponents[0]), expression.Value(expectedOpponents[1]))
 
-	output, err := updateItemWithCondition(ctx, args, host, update, condition, true)
+	output, err := updateItem(ctx, args, host, update, condition, true)
 	if err != nil {
 		return game{}, nil, err
 	}
@@ -158,11 +158,24 @@ func getHostsByOpponent(ctx context.Context, args Args, opponent string) ([]stri
 	return hosts, nil
 }
 
-func deleteGameGetConnectionIDs(ctx context.Context, args Args, host string) ([]string, error) {
+func deleteGameGetConnectionIDs(ctx context.Context, args Args, host, connName, connID string) ([]string, error) {
+	exp, err := expression.NewBuilder().
+		WithCondition(expression.Or(
+			expression.Name(attribConnections+"."+connName).Equal(expression.Value(connID)),
+			expression.Name(attribHost).AttributeNotExists(),
+		)).
+		Build()
+	if err != nil {
+		return nil, err
+	}
+
 	output, err := args.DB.DeleteItemWithContext(ctx, &dynamodb.DeleteItemInput{
-		TableName:    aws.String(args.TableName),
-		Key:          hostKey(host),
-		ReturnValues: aws.String(dynamodb.ReturnValueAllOld),
+		TableName:                 aws.String(args.TableName),
+		Key:                       hostKey(host),
+		ConditionExpression:       exp.Condition(),
+		ExpressionAttributeNames:  exp.Names(),
+		ExpressionAttributeValues: exp.Values(),
+		ReturnValues:              aws.String(dynamodb.ReturnValueAllOld),
 	})
 	if err != nil {
 		return nil, err
@@ -184,21 +197,9 @@ func deleteGameGetConnectionIDs(ctx context.Context, args Args, host string) ([]
 }
 
 // updateItem wraps dynamodb.UpdateItemWithContext.
-func updateItem(ctx context.Context, args Args, host string, update expression.UpdateBuilder, returnOldValues bool) (*dynamodb.UpdateItemOutput, error) {
-	update = update.Set(expression.Name(attribTTL), expression.Value(time.Now().Add(time.Hour).Unix()))
-	builder := expression.NewBuilder().WithUpdate(update)
-	return updateItemWithBuilder(ctx, args, host, builder, returnOldValues)
-}
-
-// updateItemWithCondition wraps dynamodb.UpdateItemWithContext.
-func updateItemWithCondition(ctx context.Context, args Args, host string, update expression.UpdateBuilder, condition expression.ConditionBuilder, returnOldValues bool) (*dynamodb.UpdateItemOutput, error) {
+func updateItem(ctx context.Context, args Args, host string, update expression.UpdateBuilder, condition expression.ConditionBuilder, returnOldValues bool) (*dynamodb.UpdateItemOutput, error) {
 	update = update.Set(expression.Name(attribTTL), expression.Value(time.Now().Add(time.Hour).Unix()))
 	builder := expression.NewBuilder().WithUpdate(update).WithCondition(condition)
-	return updateItemWithBuilder(ctx, args, host, builder, returnOldValues)
-}
-
-// updateItemWithBuilder wraps dynamodb.UpdateItemWithContext.
-func updateItemWithBuilder(ctx context.Context, args Args, host string, builder expression.Builder, returnOldValues bool) (*dynamodb.UpdateItemOutput, error) {
 	exp, err := builder.Build()
 	if err != nil {
 		return nil, err

pkg/server/handle_gameplay.go

@@ -2,6 +2,7 @@ package server
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"log"
 	"os"
@@ -17,11 +18,28 @@ import (
 // Handlers for messages pertaining to gameplay.
 
 func handlePlaceDisk(ctx context.Context, req events.APIGatewayWebsocketProxyRequest, args Args, message *messages.PlaceDisk) error {
-	game, opponent, connectionIDs, err := getGameAndOpponentAndConnectionIDs(ctx, args, message.Host)
+	game, opponent, connections, err := getGame(ctx, args, message.Host)
 	if err != nil {
 		return fmt.Errorf("failed to load game state: %w", err)
 	}
 
+	authorized := false
+	for k, v := range connections {
+		if k == message.Nickname && v == req.RequestContext.ConnectionID {
+			authorized = true
+			break
+		}
+	}
+
+	if !authorized {
+		return errors.New("unauthorized")
+	}
+
+	var connectionIDs []string
+	for _, v := range connections {
+		connectionIDs = append(connectionIDs, v)
+	}
+
 	if opponent == "" {
 		return handlePlaceDiskSolo(ctx, req.RequestContext, args, message, game)
 	}
@@ -41,7 +59,7 @@ func handlePlaceDiskSolo(ctx context.Context, reqCtx events.APIGatewayWebsocketP
 		game.Player = game.Player%2 + 1
 	}
 
-	if err := updateGame(ctx, args, message.Host, game); err != nil {
+	if err := updateGame(ctx, args, message.Host, game, message.Nickname, reqCtx.ConnectionID); err != nil {
 		return fmt.Errorf("failed to save updated game state: %w", err)
 	}
 
@@ -65,7 +83,7 @@ func handlePlaceDiskSolo(ctx context.Context, reqCtx events.APIGatewayWebsocketP
 			game.Player = 1
 		}
 
-		if err := updateGame(ctx, args, message.Host, game); err != nil {
+		if err := updateGame(ctx, args, message.Host, game, message.Nickname, reqCtx.ConnectionID); err != nil {
 			return fmt.Errorf("failed to save updated game state: %w", err)
 		}
 
@@ -94,7 +112,7 @@ func handlePlaceDiskMultiplayer(ctx context.Context, reqCtx events.APIGatewayWeb
 		game.Player = player%2 + 1
 	}
 
-	if err := updateGame(ctx, args, message.Host, game); err != nil {
+	if err := updateGame(ctx, args, message.Host, game, message.Nickname, reqCtx.ConnectionID); err != nil {
 		return fmt.Errorf("failed to save updated game state: %w", err)
 	}
 

pkg/server/handle_sessions.go

@@ -20,7 +20,7 @@ const waiting = "#waiting"
 func handleHostGame(ctx context.Context, req events.APIGatewayWebsocketProxyRequest, args Args, message *messages.HostGame) error {
 	game := newGame()
 
-	if err := updateGameOpponentSetConnection(ctx, args, message.Nickname, game, waiting, message.Nickname, req.RequestContext.ConnectionID); err != nil {
+	if err := createGame(ctx, args, message.Nickname, game, waiting, message.Nickname, req.RequestContext.ConnectionID); err != nil {
 		return fmt.Errorf("failed to save new game state: %w", err)
 	}
 
@@ -31,7 +31,7 @@ func handleStartSoloGame(ctx context.Context, req events.APIGatewayWebsocketProx
 	game := newGame()
 	game.Difficulty = message.Difficulty
 
-	if err := updateGame(ctx, args, message.Nickname, game); err != nil {
+	if err := createGame(ctx, args, message.Nickname, game, "", message.Nickname, req.RequestContext.ConnectionID); err != nil {
 		return fmt.Errorf("failed to save new game state: %w", err)
 	}
 
@@ -75,7 +75,7 @@ func handleListOpenGames(ctx context.Context, req events.APIGatewayWebsocketProx
 }
 
 func handleLeaveGame(ctx context.Context, req events.APIGatewayWebsocketProxyRequest, args Args, message *messages.LeaveGame) error {
-	connectionIDs, err := deleteGameGetConnectionIDs(ctx, args, message.Host)
+	connectionIDs, err := deleteGameGetConnectionIDs(ctx, args, message.Host, message.Nickname, req.RequestContext.ConnectionID)
 	if err != nil {
 		return err
 	}

pkg/server/handler.go

@@ -72,7 +72,7 @@ func handleMessage(ctx context.Context, req events.APIGatewayWebsocketProxyReque
 
 	message := wrapper.Message
 
-	log.Printf("Handling message %T", message)
+	log.Printf("Handling message %T from connection %s", message, req.RequestContext.ConnectionID)
 
 	if err := validate.Struct(message); err != nil {
 		return err

pkg/server/management_api.go

@@ -34,7 +34,7 @@ func reply(ctx context.Context, reqCtx events.APIGatewayWebsocketProxyRequestCon
 
 func sendMessage(ctx context.Context, reqCtx events.APIGatewayWebsocketProxyRequestContext, args Args, connectionID string, message interface{}) func() error {
 	return func() error {
-		log.Printf("Sending message to connection %s", connectionID)
+		log.Printf("Sending message %T to connection %s", message, connectionID)
 
 		data, err := json.Marshal(messages.Wrapper{Message: message})
 		if err != nil {