2023-07-10 17:41:36 +02:00
|
|
|
use base64::Engine;
|
2023-07-10 16:53:31 +02:00
|
|
|
use hmac::{Hmac, Mac};
|
2023-06-22 22:20:15 +02:00
|
|
|
use secrecy::{ExposeSecret, Secret, SecretString};
|
2021-08-25 03:13:16 +02:00
|
|
|
use serde::{Deserialize, Deserializer, Serialize, Serializer};
|
2023-07-10 16:53:31 +02:00
|
|
|
use sha1::Sha1;
|
2021-08-25 03:13:16 +02:00
|
|
|
use std::convert::TryInto;
|
|
|
|
|
2021-08-25 06:19:17 +02:00
|
|
|
#[derive(Debug, Clone)]
|
|
|
|
pub struct TwoFactorSecret(Secret<[u8; 20]>);
|
2023-06-23 19:36:23 +02:00
|
|
|
|
|
|
|
impl Default for TwoFactorSecret {
|
|
|
|
fn default() -> Self {
|
|
|
|
Self::new()
|
|
|
|
}
|
|
|
|
}
|
2021-08-25 03:13:16 +02:00
|
|
|
|
|
|
|
impl TwoFactorSecret {
|
|
|
|
pub fn new() -> Self {
|
2023-06-23 19:36:23 +02:00
|
|
|
Self([0u8; 20].into())
|
2021-08-25 03:13:16 +02:00
|
|
|
}
|
|
|
|
|
2023-06-22 22:20:15 +02:00
|
|
|
pub fn from_bytes(bytes: Vec<u8>) -> Self {
|
|
|
|
let bytes: [u8; 20] = bytes[..].try_into().unwrap();
|
2023-06-23 19:36:23 +02:00
|
|
|
Self(bytes.into())
|
2023-06-22 22:20:15 +02:00
|
|
|
}
|
|
|
|
|
2021-08-25 03:13:16 +02:00
|
|
|
pub fn parse_shared_secret(secret: String) -> anyhow::Result<Self> {
|
2023-06-23 19:36:23 +02:00
|
|
|
ensure!(!secret.is_empty(), "unable to parse empty shared secret");
|
2023-07-10 17:41:36 +02:00
|
|
|
let result: [u8; 20] = base64::engine::general_purpose::STANDARD
|
|
|
|
.decode(secret)?
|
|
|
|
.try_into()
|
|
|
|
.unwrap();
|
2023-06-23 19:36:23 +02:00
|
|
|
Ok(Self(result.into()))
|
2021-08-25 03:13:16 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/// Generate a 5 character 2FA code to that can be used to log in to Steam.
|
2022-06-21 02:05:00 +02:00
|
|
|
pub fn generate_code(&self, time: u64) -> String {
|
2021-08-25 03:13:16 +02:00
|
|
|
let steam_guard_code_translations: [u8; 26] = [
|
|
|
|
50, 51, 52, 53, 54, 55, 56, 57, 66, 67, 68, 70, 71, 72, 74, 75, 77, 78, 80, 81, 82, 84,
|
|
|
|
86, 87, 88, 89,
|
|
|
|
];
|
|
|
|
|
2023-07-10 16:53:31 +02:00
|
|
|
let mut mac = Hmac::<Sha1>::new_from_slice(self.0.expose_secret()).unwrap();
|
2021-08-25 03:13:16 +02:00
|
|
|
// this effectively makes it so that it creates a new code every 30 seconds.
|
2023-07-10 16:53:31 +02:00
|
|
|
mac.update(&build_time_bytes(time / 30u64));
|
|
|
|
let result = mac.finalize();
|
|
|
|
let hashed_data = result.into_bytes();
|
2021-08-25 03:13:16 +02:00
|
|
|
let mut code_array: [u8; 5] = [0; 5];
|
|
|
|
let b = (hashed_data[19] & 0xF) as usize;
|
|
|
|
let mut code_point: i32 = ((hashed_data[b] & 0x7F) as i32) << 24
|
2023-06-23 19:36:23 +02:00
|
|
|
| (hashed_data[b + 1] as i32) << 16
|
|
|
|
| (hashed_data[b + 2] as i32) << 8
|
|
|
|
| (hashed_data[b + 3] as i32);
|
2021-08-25 03:13:16 +02:00
|
|
|
|
2023-06-23 19:36:23 +02:00
|
|
|
for item in &mut code_array {
|
|
|
|
*item = steam_guard_code_translations
|
2021-08-25 03:13:16 +02:00
|
|
|
[code_point as usize % steam_guard_code_translations.len()];
|
|
|
|
code_point /= steam_guard_code_translations.len() as i32;
|
|
|
|
}
|
|
|
|
|
2023-06-23 19:36:23 +02:00
|
|
|
String::from_utf8(code_array.to_vec()).unwrap()
|
2021-08-25 03:13:16 +02:00
|
|
|
}
|
2023-06-24 19:45:03 +02:00
|
|
|
|
|
|
|
pub(crate) fn expose_secret(&self) -> &[u8; 20] {
|
|
|
|
self.0.expose_secret()
|
|
|
|
}
|
2021-08-25 03:13:16 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
impl Serialize for TwoFactorSecret {
|
|
|
|
fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
|
|
|
|
where
|
|
|
|
S: Serializer,
|
|
|
|
{
|
2023-07-10 17:41:36 +02:00
|
|
|
serializer.serialize_str(
|
|
|
|
base64::engine::general_purpose::STANDARD
|
|
|
|
.encode(self.0.expose_secret())
|
|
|
|
.as_str(),
|
|
|
|
)
|
2021-08-25 03:13:16 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
impl<'de> Deserialize<'de> for TwoFactorSecret {
|
|
|
|
fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
|
|
|
|
where
|
|
|
|
D: Deserializer<'de>,
|
|
|
|
{
|
|
|
|
Ok(TwoFactorSecret::parse_shared_secret(String::deserialize(deserializer)?).unwrap())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-25 06:19:17 +02:00
|
|
|
impl PartialEq for TwoFactorSecret {
|
|
|
|
fn eq(&self, other: &Self) -> bool {
|
2023-06-23 19:36:23 +02:00
|
|
|
self.0.expose_secret() == other.0.expose_secret()
|
2021-08-25 06:19:17 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
impl Eq for TwoFactorSecret {}
|
|
|
|
|
2022-06-21 02:05:00 +02:00
|
|
|
fn build_time_bytes(time: u64) -> [u8; 8] {
|
2023-06-23 19:36:23 +02:00
|
|
|
time.to_be_bytes()
|
2021-08-25 03:13:16 +02:00
|
|
|
}
|
|
|
|
|
2023-06-22 22:20:15 +02:00
|
|
|
#[derive(Debug, Clone, Serialize, Deserialize)]
|
|
|
|
pub struct Tokens {
|
|
|
|
access_token: Jwt,
|
|
|
|
refresh_token: Jwt,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl Tokens {
|
|
|
|
pub fn new(access_token: impl Into<Jwt>, refresh_token: impl Into<Jwt>) -> Self {
|
|
|
|
Self {
|
|
|
|
access_token: access_token.into(),
|
|
|
|
refresh_token: refresh_token.into(),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
pub fn access_token(&self) -> &Jwt {
|
|
|
|
&self.access_token
|
|
|
|
}
|
|
|
|
|
2023-06-24 19:18:22 +02:00
|
|
|
pub fn set_access_token(&mut self, token: Jwt) {
|
|
|
|
self.access_token = token;
|
|
|
|
}
|
|
|
|
|
2023-06-22 22:20:15 +02:00
|
|
|
pub fn refresh_token(&self) -> &Jwt {
|
|
|
|
&self.refresh_token
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#[derive(Debug, Clone, Deserialize)]
|
|
|
|
pub struct Jwt(SecretString);
|
|
|
|
|
|
|
|
impl Serialize for Jwt {
|
|
|
|
fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
|
|
|
|
where
|
|
|
|
S: Serializer,
|
|
|
|
{
|
2023-06-23 19:36:23 +02:00
|
|
|
serializer.serialize_str(self.0.expose_secret())
|
2023-06-22 22:20:15 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
impl Jwt {
|
|
|
|
pub fn decode(&self) -> anyhow::Result<SteamJwtData> {
|
|
|
|
decode_jwt(self.0.expose_secret())
|
|
|
|
}
|
|
|
|
|
|
|
|
pub fn expose_secret(&self) -> &str {
|
|
|
|
self.0.expose_secret()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
impl From<String> for Jwt {
|
|
|
|
fn from(s: String) -> Self {
|
|
|
|
Self(SecretString::new(s))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-06-23 19:36:23 +02:00
|
|
|
fn decode_jwt(jwt: impl AsRef<str>) -> anyhow::Result<SteamJwtData> {
|
|
|
|
let parts = jwt.as_ref().split('.').collect::<Vec<&str>>();
|
2023-06-22 22:20:15 +02:00
|
|
|
ensure!(parts.len() == 3, "Invalid JWT");
|
|
|
|
|
|
|
|
let data = parts[1];
|
2023-08-10 14:49:37 +02:00
|
|
|
let bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(data)?;
|
2023-06-22 22:20:15 +02:00
|
|
|
let json = String::from_utf8(bytes)?;
|
|
|
|
let jwt_data: SteamJwtData = serde_json::from_str(&json)?;
|
|
|
|
Ok(jwt_data)
|
|
|
|
}
|
|
|
|
|
|
|
|
#[derive(Deserialize, Debug)]
|
|
|
|
pub struct SteamJwtData {
|
|
|
|
pub exp: u64,
|
|
|
|
pub iat: u64,
|
|
|
|
pub iss: String,
|
|
|
|
/// Audience
|
|
|
|
pub aud: Vec<String>,
|
|
|
|
/// Subject (steam id)
|
|
|
|
pub sub: String,
|
|
|
|
pub jti: String,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl SteamJwtData {
|
|
|
|
pub fn steam_id(&self) -> u64 {
|
|
|
|
self.sub.parse::<u64>().unwrap()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-25 03:13:16 +02:00
|
|
|
mod tests {
|
|
|
|
use super::*;
|
|
|
|
|
2023-06-23 19:36:23 +02:00
|
|
|
#[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
|
|
|
|
struct FooBar {
|
|
|
|
secret: TwoFactorSecret,
|
|
|
|
}
|
|
|
|
|
2021-08-25 03:13:16 +02:00
|
|
|
#[test]
|
2023-06-22 22:20:15 +02:00
|
|
|
fn test_serialize_2fa_secret() -> anyhow::Result<()> {
|
2021-08-25 03:13:16 +02:00
|
|
|
let secret = FooBar {
|
|
|
|
secret: TwoFactorSecret::parse_shared_secret("zvIayp3JPvtvX/QGHqsqKBk/44s=".into())?,
|
|
|
|
};
|
|
|
|
|
|
|
|
let serialized = serde_json::to_string(&secret)?;
|
|
|
|
assert_eq!(serialized, "{\"secret\":\"zvIayp3JPvtvX/QGHqsqKBk/44s=\"}");
|
|
|
|
|
2023-06-23 19:36:23 +02:00
|
|
|
Ok(())
|
2021-08-25 03:13:16 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
#[test]
|
2023-06-22 22:20:15 +02:00
|
|
|
fn test_deserialize_2fa_secret() -> anyhow::Result<()> {
|
2023-06-23 19:36:23 +02:00
|
|
|
let secret: FooBar = serde_json::from_str("{\"secret\":\"zvIayp3JPvtvX/QGHqsqKBk/44s=\"}")?;
|
2021-08-25 03:13:16 +02:00
|
|
|
|
2022-06-21 02:05:00 +02:00
|
|
|
let code = secret.secret.generate_code(1616374841u64);
|
2021-08-25 03:13:16 +02:00
|
|
|
assert_eq!(code, "2F9J5");
|
|
|
|
|
2023-06-23 19:36:23 +02:00
|
|
|
Ok(())
|
2021-08-25 03:13:16 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
#[test]
|
2023-06-22 22:20:15 +02:00
|
|
|
fn test_serialize_and_deserialize_2fa_secret() -> anyhow::Result<()> {
|
2021-08-25 03:13:16 +02:00
|
|
|
let secret = FooBar {
|
|
|
|
secret: TwoFactorSecret::parse_shared_secret("zvIayp3JPvtvX/QGHqsqKBk/44s=".into())?,
|
|
|
|
};
|
|
|
|
|
|
|
|
let serialized = serde_json::to_string(&secret)?;
|
|
|
|
let deserialized: FooBar = serde_json::from_str(&serialized)?;
|
|
|
|
assert_eq!(deserialized, secret);
|
|
|
|
|
2023-06-23 19:36:23 +02:00
|
|
|
Ok(())
|
2021-08-25 03:13:16 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
#[test]
|
|
|
|
fn test_build_time_bytes() {
|
2022-06-21 02:05:00 +02:00
|
|
|
let t1 = build_time_bytes(1617591917u64);
|
2021-08-25 03:13:16 +02:00
|
|
|
let t2: [u8; 8] = [0, 0, 0, 0, 96, 106, 126, 109];
|
|
|
|
assert!(
|
|
|
|
t1.iter().zip(t2.iter()).all(|(a, b)| a == b),
|
|
|
|
"Arrays are not equal, got {:?}",
|
|
|
|
t1
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
#[test]
|
|
|
|
fn test_generate_code() -> anyhow::Result<()> {
|
|
|
|
let secret = TwoFactorSecret::parse_shared_secret("zvIayp3JPvtvX/QGHqsqKBk/44s=".into())?;
|
|
|
|
|
2022-06-21 02:05:00 +02:00
|
|
|
let code = secret.generate_code(1616374841u64);
|
2021-08-25 03:13:16 +02:00
|
|
|
assert_eq!(code, "2F9J5");
|
2023-06-23 19:36:23 +02:00
|
|
|
Ok(())
|
2021-08-25 03:13:16 +02:00
|
|
|
}
|
2023-06-22 22:20:15 +02:00
|
|
|
|
|
|
|
#[test]
|
|
|
|
fn test_decode_jwt() {
|
|
|
|
let sample: Jwt = "eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0.eyAiaXNzIjogInN0ZWFtIiwgInN1YiI6ICI3NjU2MTE5OTE1NTcwNjg5MiIsICJhdWQiOiBbICJ3ZWIiLCAicmVuZXciLCAiZGVyaXZlIiBdLCAiZXhwIjogMTcwNTAxMTk1NSwgIm5iZiI6IDE2Nzg0NjQ4MzcsICJpYXQiOiAxNjg3MTA0ODM3LCAianRpIjogIjE4QzVfMjJCM0Y0MzFfQ0RGNkEiLCAib2F0IjogMTY4NzEwNDgzNywgInBlciI6IDEsICJpcF9zdWJqZWN0IjogIjY5LjEyMC4xMzYuMTI0IiwgImlwX2NvbmZpcm1lciI6ICI2OS4xMjAuMTM2LjEyNCIgfQ.7p5TPj9pGQbxIzWDDNCSP9OkKYSeDnWBE8E-M8hUrxOEPCW0XwrbDUrh199RzjPDw".to_owned().into();
|
|
|
|
let data = sample.decode().expect("Failed to decode JWT");
|
|
|
|
|
|
|
|
assert_eq!(data.exp, 1705011955);
|
|
|
|
assert_eq!(data.iat, 1687104837);
|
|
|
|
assert_eq!(data.iss, "steam");
|
|
|
|
assert_eq!(data.aud, vec!["web", "renew", "derive"]);
|
|
|
|
assert_eq!(data.sub, "76561199155706892");
|
|
|
|
assert_eq!(data.jti, "18C5_22B3F431_CDF6A");
|
|
|
|
}
|
2023-08-10 14:49:37 +02:00
|
|
|
|
|
|
|
#[test]
|
|
|
|
fn test_decode_jwt_2() {
|
|
|
|
let sample: Jwt = "eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0.eyAiaXNzIjogInI6MTRCM18yMkZEQjg0RF9BMjJDRCIsICJzdWIiOiAiNzY1NjExOTk0NDE5OTI5NzAiLCAiYXVkIjogWyAid2ViIiwgIm1vYmlsZSIgXSwgImV4cCI6IDE2OTE3NTc5MzUsICJuYmYiOiAxNjgzMDMxMDUxLCAiaWF0IjogMTY5MTY3MTA1MSwgImp0aSI6ICIxNTI1XzIyRkRCOUJBXzZBRDkwIiwgIm9hdCI6IDE2OTE2NzEwNTEsICJydF9leHAiOiAxNzEwMDExNjg5LCAicGVyIjogMCwgImlwX3N1YmplY3QiOiAiMTA0LjI0Ni4xMjUuMTQxIiwgImlwX2NvbmZpcm1lciI6ICIxMDQuMjQ2LjEyNS4xNDEiIH0.ncqc5TpVlD05lnZvy8c3Bkx70gXDvQQXN0iG5Z4mOLgY_rwasXIJXnR-X4JczT8PmZ2v5cisW5VRHAdfsz_8CA".to_owned().into();
|
|
|
|
let data = sample.decode().expect("Failed to decode JWT");
|
|
|
|
|
|
|
|
assert_eq!(data.aud, vec!["web", "mobile"]);
|
|
|
|
assert_eq!(data.sub, "76561199441992970");
|
|
|
|
}
|
2021-08-25 03:13:16 +02:00
|
|
|
}
|