Core/Authserver: Add auth session timeout - socket is closed after 10s of inactivity if not authenticated or after 1 minute if authenticated

Shauren · Shauren · commit 7b438d389b56 · 2025-07-16T12:57:03.000+02:00
diff --git a/src/server/authserver/Server/AuthSession.cpp b/src/server/authserver/Server/AuthSession.cpp
@@ -26,6 +26,7 @@
 #include "CryptoRandom.h"
 #include "DatabaseEnv.h"
 #include "IPLocation.h"
+#include "IoContext.h"
 #include "Log.h"
 #include "RealmList.h"
 #include "SecretMgr.h"
@@ -199,6 +200,7 @@ void AccountInfo::LoadResult(Field* fields)
 }
 
 AuthSession::AuthSession(tcp::socket&& socket) : Socket(std::move(socket)),
+    _timeout(*underlying_stream().get_executor().target<boost::asio::io_context::executor_type>()),
     _status(STATUS_CHALLENGE), _locale(LOCALE_enUS), _os(0), _build(0), _expversion(0), _timezoneOffset(0min)
 {
 }
@@ -250,6 +252,7 @@ void AuthSession::CheckIpCallback(PreparedQueryResult result)
     }
 
     AsyncRead();
+    SetTimeout();
 }
 
 void AuthSession::ReadHandler()
@@ -290,6 +293,7 @@ void AuthSession::ReadHandler()
         }
 
         packet.ReadCompleted(size);
+        SetTimeout();
     }
 
     AsyncRead();
@@ -898,3 +902,34 @@ bool AuthSession::VerifyVersion(std::span<uint8 const> a, Trinity::Crypto::SHA1:
 
     return versionProof == version.GetDigest();
 }
+
+void AuthSession::SetTimeout()
+{
+    _timeout.cancel();
+
+    switch (_status)
+    {
+        case STATUS_AUTHED:
+        case STATUS_WAITING_FOR_REALM_LIST:
+            _timeout.expires_after(1min);
+            break;
+        case STATUS_XFER:
+            return;
+        default:
+            _timeout.expires_after(10s);
+            break;
+    }
+
+    _timeout.async_wait([selfRef = weak_from_this()](boost::system::error_code const& error)
+    {
+        std::shared_ptr<AuthSession> self = selfRef.lock();
+        if (!self)
+            return;
+
+        if (error == boost::asio::error::operation_aborted)
+            return;
+
+        TC_LOG_DEBUG("server.authserver", "{}:{} session timed out.", self->GetRemoteIpAddress().to_string(), self->GetRemotePort());
+        self->CloseSocket();
+    });
+}
diff --git a/src/server/authserver/Server/AuthSession.h b/src/server/authserver/Server/AuthSession.h
@@ -22,6 +22,7 @@
 #include "Common.h"
 #include "CryptoHash.h"
 #include "DatabaseEnvFwd.h"
+#include "DeadlineTimer.h"
 #include "Duration.h"
 #include "Optional.h"
 #include "Socket.h"
@@ -92,11 +93,13 @@ class AuthSession : public Socket<AuthSession>
     void RealmListCallback(PreparedQueryResult result);
 
     bool VerifyVersion(std::span<uint8 const> a, Trinity::Crypto::SHA1::Digest const& versionProof, bool isReconnect);
+    void SetTimeout();
 
     Optional<Trinity::Crypto::SRP6> _srp6;
     SessionKey _sessionKey = {};
     std::array<uint8, 16> _reconnectProof = {};
 
+    Trinity::Asio::DeadlineTimer _timeout;
     AuthStatus _status;
     AccountInfo _accountInfo;
     Optional<std::vector<uint8>> _totpSecret;
diff --git a/src/server/shared/Networking/Socket.h b/src/server/shared/Networking/Socket.h
@@ -138,6 +138,11 @@ class Socket : public std::enable_shared_from_this<T>
 
     MessageBuffer& GetReadBuffer() { return _readBuffer; }
 
+    tcp::socket& underlying_stream()
+    {
+        return _socket;
+    }
+
 protected:
     virtual void OnClose() { }
 
