feat: add rudimentary implementation for *alternate OTPs* (#196)

What did I create... I don't have much time for Mc-Auth right now ,_,

Author: SpraxDev

database-setup.sql

@@ -180,6 +180,17 @@ CREATE TABLE "public"."otps" (
 );
 COMMENT ON TABLE "public"."otps" IS 'OTPs or One-Time-Passwords';
 
+-- ----------------------------
+-- Table structure for alternate_otps
+-- ----------------------------
+DROP TABLE IF EXISTS "public"."alternate_otps";
+CREATE TABLE "public"."alternate_otps" (
+  "account" varchar(32) COLLATE "pg_catalog"."default" NOT NULL,
+  "code_prefix" varchar(1) COLLATE "pg_catalog"."default" NOT NULL,
+  "code" int4 NOT NULL,
+  "issued" timestamptz(0) DEFAULT CURRENT_TIMESTAMP
+);
+
 -- ----------------------------
 -- Table structure for sessions
 -- ----------------------------
@@ -247,6 +258,11 @@ ALTER TABLE "public"."icons" ADD CONSTRAINT "images_pkey" PRIMARY KEY ("id");
 -- ----------------------------
 ALTER TABLE "public"."otps" ADD CONSTRAINT "otps_pkey" PRIMARY KEY ("account");
 
+-- ----------------------------
+-- Primary Key structure for table alternate_otps
+-- ----------------------------
+ALTER TABLE "public"."alternate_otps" ADD CONSTRAINT "alternate_otps_pkey" PRIMARY KEY ("account");
+
 -- ----------------------------
 -- Indexes structure for table sessions
 -- ----------------------------

src/Router/OAuthRouter.ts

@@ -276,6 +276,43 @@ export default class OAuthRouter {
       });
     });
 
+    router.all('/alternate-code-exchange', (req, res, next) => {
+      const supportedBodyContentTypes = ['application/json', 'application/x-www-form-urlencoded'];
+
+      handleRequestRestfully(req, res, next, {
+        post: () => {
+          if (!req.is(supportedBodyContentTypes)) {
+            return next(ApiError.create(ApiErrs.unsupportedBodyContentType(req.header('Content-Type') ?? '', supportedBodyContentTypes)));
+          }
+
+          const clientID = req.body['client_id'],
+            clientSecret = req.body['client_secret'],
+            mcId = req.body['mc_id'],
+            code = req.body['code'];
+
+          if (!clientID || !clientSecret || !mcId) return next(ApiError.create(ApiErrs.INVALID_CLIENT_ID_OR_SECRET));
+          if (typeof mcId !== 'string' || mcId.replaceAll('-', '').length != 32) return next(ApiError.create(ApiErrs.INVALID_CODE_FOR_ALTERNATE_TOKEN_EXCHANGE));
+          if (typeof code !== 'string' || code.replaceAll(' ', '').length != 7 || !StringUtils.isNumeric(code.replaceAll(' ', '').substring(1))) return next(ApiError.create(ApiErrs.INVALID_CODE_FOR_ALTERNATE_TOKEN_EXCHANGE));
+
+          db.getApp(clientID)
+            .then((app) => {
+              if (!app || app.deleted || app.secret != clientSecret) return next(ApiError.create(ApiErrs.INVALID_CLIENT_ID_OR_SECRET));
+
+              return db.invalidateAlternateOneTimePassword(mcId.replaceAll('-', ''), code.replaceAll(' ', '').charAt(0), code.replaceAll(' ', '').substring(1))
+                .then(async (success) => {
+                  if (!success) return next(ApiError.create(ApiErrs.INVALID_CODE_FOR_ALTERNATE_TOKEN_EXCHANGE));
+
+                  return res.send({
+                    _info: 'WARNING: This endpoint is subject to change in the future. This response will contain a "_warning" field (please add logging for it or join my Discord server https://sprax.me/discord for a notification).',
+                    profile: await getMinecraftApi().getProfile(mcId)
+                  });
+                });
+            })
+            .catch(next);
+        }
+      });
+    });
+
     return router;
   }
 }

src/utils/ApiErrs.ts

@@ -17,6 +17,7 @@ export default class ApiErrs {
   static readonly INVALID_REDIRECT_URI_FOR_APP: ApiErrTemplate = { httpCode: 400, message: 'Invalid redirect_uri - Please contact the administrator of the page that sent you here', logErr: false };
   static readonly INVALID_GRANT_TYPE: ApiErrTemplate = { httpCode: 400, message: 'Invalid grant_type', logErr: false };
   static readonly INVALID_CODE_FOR_TOKEN_EXCHANGE: ApiErrTemplate = { httpCode: 400, message: 'Invalid code! expired? Wrong redirect_uri?', logErr: false };
+  static readonly INVALID_CODE_FOR_ALTERNATE_TOKEN_EXCHANGE: ApiErrTemplate = { httpCode: 400, message: 'Invalid code! maybe expired?', logErr: false };
 
   static readonly INVALID_OR_EXPIRED_MAIL_CONFIRMATION: ApiErrTemplate = { httpCode: 400, message: 'Invalid or expired email confirmation token', logErr: false };
 

src/utils/DbUtils.ts

@@ -267,6 +267,18 @@ export class DbUtils {
     });
   }
 
+  async invalidateAlternateOneTimePassword(mcUUID: string, otpPrefix: string, otp: string): Promise<boolean> {
+    return new Promise((resolve, reject) => {
+      if (this.pool == null) return reject(ApiError.create(ApiErrs.NO_DATABASE, {pool: this.pool}));
+
+      this.pool.query(`DELETE FROM alternate_otps WHERE account =$1 AND code_prefix =$2 AND code =$3 AND issued >= CURRENT_TIMESTAMP - INTERVAL '5 MINUTES' RETURNING *;`, [mcUUID, otpPrefix, otp], (err, res) => {
+        if (err) return reject(err);
+
+        resolve(res.rows.length > 0);
+      });
+    });
+  }
+
   /* Grants */
 
   async createGrant(clientID: string, mcUUID: string, redirectURI: string, responseType: string, state: string | null, scopes: string[]): Promise<Grant> {