+129 -29

README.md

··· 2 2 3 3 A Fabric mod for Minecraft 1.21.10 that bridges the game with the AT Protocol, enabling decentralized data synchronization and social features. 4 4 5 5 - ## ⚠️ Project Status 5 5 + ## Project Status 6 6 7 7 - **This project is in active development and is NOT ready for production use.** Identity linking and authentication are now implemented, but stat syncing and other features are still in progress. 7 7 + **This project is in active development and is NOT ready for production use.** Identity linking and authentication are now fully implemented with enterprise-grade security features. Stat syncing and other data collection features are planned but not yet implemented. 8 8 9 9 ## Overview 10 10 ··· 52 52 Authentication: ✓ Active 53 53 You can sync data to AT Protocol 54 54 ``` 55 55 + 56 56 + ### Security Features 57 57 + 58 58 + The mod implements enterprise-grade security measures to protect player data and prevent abuse: 59 59 + 60 60 + - **AES-256-GCM Encryption**: Session data encrypted at rest with server-specific keys 61 61 + - **Rate Limiting**: 3 authentication attempts per 15 minutes, 30-minute lockout on abuse 62 62 + - **Security Audit Logging**: All sensitive operations logged for monitoring 63 63 + - **Sanitized Error Messages**: No sensitive data exposed in error messages or logs 64 64 + - **Restricted File Permissions**: Owner-only access to configuration files 65 65 + - **Atomic File Writes**: Prevents corruption during saves 66 66 + - **Thread-Safe Operations**: Concurrent access protection for all shared data 67 67 + - **Automatic Token Refresh**: Access tokens refreshed before expiration 68 68 + - **Path Validation**: Protection against directory traversal attacks 69 69 + 70 70 + All passwords are handled securely - app passwords are never logged or stored (only the resulting JWT tokens are kept). 55 71 56 72 ### Key Features 57 73 ··· 60 76 - **Automatic Token Refresh**: Access tokens are automatically refreshed before expiration 61 77 - **Multi-PDS Support**: Works with any AT Protocol PDS, not just Bluesky 62 78 - **Persistent Sessions**: Authentication survives server restarts 79 79 + - **Encrypted Storage**: Session data protected with AES-256-GCM encryption 63 80 64 81 ### Getting an App Password 65 82 ··· 83 100 - **Mod Loader**: Fabric API 84 101 - **Protocol**: AT Protocol (atproto) 85 102 - **Language**: Kotlin (with Java interop) 103 103 + - **Build System**: Gradle 8.x 86 104 - **Dependencies**: 87 87 - 88 88 - - fabric-language-kotlin 1.13.8+kotlin.2.3.0 105 105 + - Fabric Loader 0.18.3 106 106 + - Fabric API 0.138.4+1.21.10 107 107 + - Fabric Language Kotlin 1.13.8+kotlin.2.3.0 89 108 - kotlinx-serialization for JSON handling 90 109 - kotlinx-coroutines for async operations 91 91 - 92 110 - **Identity Resolution**: [Slingshot](https://slingshot.microcosm.blue) by Microcosm 93 111 - **Authentication**: AT Protocol OAuth/App Passwords 94 112 ··· 97 115 ### For Users 98 116 99 117 1. Install [Fabric Loader](https://fabricmc.net/use/) for Minecraft 1.21.10 100 100 - 2. Download and install [Fabric API](https://modrinth.com/mod/fabric-api) 101 101 - 3. Download and install [Fabric Language Kotlin](https://modrinth.com/mod/fabric-language-kotlin) 118 118 + 2. Download and install [Fabric API](https://modrinth.com/mod/fabric-api) version 0.138.4+1.21.10 or compatible 119 119 + 3. Download and install [Fabric Language Kotlin](https://modrinth.com/mod/fabric-language-kotlin) version 1.13.8+kotlin.2.3.0 or compatible 102 120 4. Place the atproto-connect JAR in your `mods` folder 103 121 5. Launch the game and use `/atproto help` to see available commands 104 122 ··· 119 137 120 138 The built JAR will be in `build/libs/`. 121 139 140 140 + For development with auto-reload: 141 141 + 142 142 + ```bash 143 143 + ./gradlew runClient 144 144 + ``` 145 145 + 122 146 ## Project Structure 123 147 124 148 ```plaintext ··· 129 153 │ ├── AtProtoClient.kt # HTTP client with Slingshot integration 130 154 │ ├── AtProtoSessionManager.kt # Authentication & token management 131 155 │ ├── AtProtoCommands.kt # Command handlers 132 132 - │ └── PlayerIdentityStore.kt # UUID<->DID mapping storage 156 156 + │ ├── PlayerIdentityStore.kt # UUID<->DID mapping storage 157 157 + │ ├── security/ 158 158 + │ │ ├── RateLimiter.kt # Rate limiting for auth attempts 159 159 + │ │ ├── SecurityAuditor.kt # Security event logging 160 160 + │ │ └── SecurityUtils.kt # Cryptography & path validation 161 161 + │ └── examples/ 162 162 + │ └── RecordCreationExample.kt # Example code for data syncing 133 163 └── resources/ 134 164 ├── fabric.mod.json # Mod metadata 135 165 └── lexicons/ # Lexicon schemas 166 166 + ├── README.md # Lexicon documentation 136 167 ├── com.jollywhoppers.minecraft.defs.json 137 168 ├── com.jollywhoppers.minecraft.player.profile.json 138 169 ├── com.jollywhoppers.minecraft.player.stats.json ··· 146 177 147 178 The mod defines several AT Protocol lexicon schemas under the `com.jollywhoppers.minecraft.*` namespace: 148 179 149 149 - - **Player Profile** - Links Minecraft UUIDs to AT Protocol DIDs 150 150 - - **Player Stats** - Snapshots of player statistics for leaderboards 151 151 - - **Player Sessions** - Play session tracking (join/leave times) 152 152 - - **Achievements** - Records of earned achievements/advancements 153 153 - - **Leaderboards** - Pre-computed leaderboard entries 154 154 - - **Server Status** - Server information and status 180 180 + - **Player Profile** (`literal:self`) - Links Minecraft UUIDs to AT Protocol DIDs with privacy controls 181 181 + - **Player Stats** (`tid`) - Snapshots of player statistics for leaderboards 182 182 + - **Player Sessions** (`tid`) - Play session tracking (join/leave times) 183 183 + - **Achievements** (`tid`) - Records of earned achievements/advancements 184 184 + - **Leaderboards** (`tid`) - Pre-computed leaderboard entries 185 185 + - **Server Status** (`literal:self`) - Server information and status 155 186 156 187 See `src/main/resources/lexicons/README.md` for detailed schema documentation. 157 188 ··· 164 195 ↓ 165 196 ┌────────────────────────────────────────┐ 166 197 │ AtProtoSessionManager │ 167 167 - │ (Authentication & Token Storage) │ 198 198 + │ • Authentication & Token Storage │ 199 199 + │ • AES-256-GCM Encryption │ 200 200 + │ • Automatic Token Refresh │ 168 201 └────────────────────────────────────────┘ 169 202 ↓ 170 203 ┌────────────────────────────────────────┐ 171 204 │ AtProtoClient │ 172 172 - │ (HTTP + XRPC + Slingshot) │ 205 205 + │ • HTTP + XRPC + Slingshot │ 206 206 + │ • Identity Resolution │ 207 207 + └────────────────────────────────────────┘ 208 208 + ↓ 209 209 + ┌────────────────────────────────────────┐ 210 210 + │ Security Layer │ 211 211 + │ • RateLimiter (3/15min) │ 212 212 + │ • SecurityAuditor (Event Logging) │ 213 213 + │ • SecurityUtils (Crypto & Validation)│ 173 214 └────────────────────────────────────────┘ 174 215 ↓ 175 216 ┌────────────────────────────────────────┐ ··· 183 224 ↓ 184 225 Local Storage 185 226 - player-identities.json (UUID↔DID mappings) 186 186 - - player-sessions.json (Auth tokens) 227 227 + - player-sessions.json (Encrypted auth tokens) 228 228 + - .encryption.key (AES-256 key) 229 229 + - security-audit.log (Security events) 187 230 ``` 188 231 189 232 ## Authentication & Security ··· 192 235 193 236 1. **Link Identity**: Players link their Minecraft UUID to their AT Protocol DID (read-only, no login required) 194 237 2. **Authenticate**: Players log in with their handle and an app password to create an authenticated session 195 195 - 3. **Token Management**: The mod stores JWT access and refresh tokens securely 238 238 + 3. **Token Management**: The mod stores JWT access and refresh tokens securely with AES-256-GCM encryption 196 239 4. **Auto-Refresh**: Access tokens are automatically refreshed before expiration 197 197 - 5. **Data Syncing**: Authenticated players can sync their Minecraft data to their PDS 240 240 + 5. **Data Syncing**: Authenticated players will be able to sync their Minecraft data to their PDS (coming soon) 198 241 199 242 ### Security Best Practices 200 243 201 201 - - ✅ **Always use App Passwords**, never main account passwords 202 202 - - ✅ Create a unique app password for each Minecraft server 203 203 - - ✅ Revoke unused app passwords regularly 204 204 - - ✅ Server operators should secure the `config/atproto-connect/` directory 205 205 - - ✅ Tokens are stored in JSON files - protect file permissions appropriately 244 244 + **For Players:** 245 245 + 246 246 + - **Always use App Passwords**, never main account passwords 247 247 + - Create a unique app password for each Minecraft server 248 248 + - Revoke unused app passwords regularly 249 249 + - If you suspect compromise, revoke the app password immediately 250 250 + 251 251 + **For Server Operators:** 252 252 + 253 253 + - Secure the `config/atproto-connect/` directory with appropriate file permissions 254 254 + - Monitor `security-audit.log` for suspicious activity 255 255 + - Keep the `.encryption.key` file secure (never share or commit to version control) 256 256 + - Regular backups of configuration files 257 257 + - Update the mod regularly for security patches 206 258 207 259 ### Token Storage 208 260 209 261 - **Location**: `config/atproto-connect/player-sessions.json` 262 262 + - **Encryption**: AES-256-GCM with server-specific key 210 263 - **Contents**: Access and refresh JWTs for authenticated players 211 211 - - **Security**: File permissions should restrict access to server owner only 264 264 + - **Security**: Encrypted at rest, owner-only file permissions 212 265 - **Lifetime**: Access tokens expire after ~2 hours, refresh tokens last longer 213 266 267 267 + ### Rate Limiting 268 268 + 269 269 + To prevent brute-force attacks: 270 270 + 271 271 + - **Maximum Attempts**: 3 failed login attempts 272 272 + - **Time Window**: 15 minutes 273 273 + - **Lockout Duration**: 30 minutes after exceeding limit 274 274 + - **Tracking**: Per-player UUID and per-identifier 275 275 + 276 276 + ### Security Audit Log 277 277 + 278 278 + All security-sensitive operations are logged to `config/atproto-connect/security-audit.log`: 279 279 + 280 280 + - Authentication attempts (success/failure) 281 281 + - Rate limit violations 282 282 + - Session creation/deletion 283 283 + - Token refresh operations 284 284 + - Security errors 285 285 + 286 286 + ## Configuration Files 287 287 + 288 288 + All configuration files are stored in `config/atproto-connect/`: 289 289 + 290 290 + - **`player-identities.json`** - UUID to DID/handle mappings (plaintext) 291 291 + - **`player-sessions.json`** - Encrypted authentication sessions 292 292 + - **`.encryption.key`** - AES-256 encryption key (auto-generated, keep secure!) 293 293 + - **`security-audit.log`** - Security event log 294 294 + 295 295 + **Important**: Never commit `.encryption.key` or `player-sessions.json` to version control! 296 296 + 214 297 ## Development Roadmap 215 298 216 299 - [x] Design lexicon schemas for Minecraft data types ··· 218 301 - [x] Create identity linking system 219 302 - [x] Implement authentication with app passwords 220 303 - [x] Build session management with automatic token refresh 221 221 - - [ ] Add authenticated record creation (writing stats) 304 304 + - [x] Add encryption for session storage 305 305 + - [x] Implement rate limiting and security auditing 222 306 - [ ] Build data collection hooks for player statistics 223 223 - - [ ] Implement automatic stat syncing 307 307 + - [ ] Implement authenticated record creation (writing stats) 308 308 + - [ ] Add automatic stat syncing at configurable intervals 224 309 - [ ] Add privacy controls and data filtering options 225 310 - [ ] Create example AppView for displaying Minecraft data 311 311 + - [ ] Implement OAuth device flow for better UX 312 312 + - [ ] Add DPoP support 226 313 - [ ] Write comprehensive documentation 227 314 - [ ] Add automated tests 315 315 + - [ ] Publish to Modrinth/CurseForge 228 316 229 317 ## Contributing 230 318 ··· 234 322 2. Fork the repository 235 323 3. Create a feature branch 236 324 4. Submit a pull request with a clear description 325 325 + 326 326 + Please follow Kotlin coding conventions and include tests for new features. 237 327 238 328 ## Resources 239 329 ··· 249 339 250 340 - [Slingshot Documentation](https://slingshot.microcosm.blue/) 251 341 - [Microcosm Project](https://microcosm.blue/) 342 342 + 343 343 + ### Minecraft Modding 344 344 + 345 345 + - [Fabric Documentation](https://fabricmc.net/wiki/) 346 346 + - [Fabric Language Kotlin](https://github.com/FabricMC/fabric-language-kotlin) 252 347 253 348 ## License 254 349 255 255 - TBD 350 350 + [CC0-1.0](LICENSE) - Public Domain 351 351 + 352 352 + This project is released into the public domain. You are free to use, modify, and distribute this software for any purpose without restriction. 256 353 257 354 ## Disclaimer 258 355 ··· 263 360 - [Microcosm](https://microcosm.blue) for Slingshot, which makes PDS resolution fast and reliable 264 361 - The AT Protocol team for building an open, decentralized social network protocol 265 362 - The Fabric community for excellent mod development tools 363 363 + - The Kotlin community for a great language and ecosystem 266 364 267 365 --- 268 366 269 269 - **Repository**: `git@tangled.sh:ewancroft.uk/atproto-connect` 367 367 + **Version**: 0.0.1 368 368 + **Repository**: `git@tangled.sh:ewancroft.uk/atproto-connect` 369 369 + **Status**: Alpha - Not Production Ready

+75 -7

src/main/kotlin/com/jollywhoppers/Atprotoconnect.kt

··· 4 4 import com.jollywhoppers.atproto.AtProtoCommands 5 5 import com.jollywhoppers.atproto.AtProtoSessionManager 6 6 import com.jollywhoppers.atproto.PlayerIdentityStore 7 7 + import com.jollywhoppers.atproto.security.SecurityAuditor 7 8 import net.fabricmc.api.ModInitializer 8 9 import net.fabricmc.fabric.api.command.v2.CommandRegistrationCallback 10 10 + import net.fabricmc.fabric.api.event.lifecycle.v1.ServerLifecycleEvents 9 11 import net.fabricmc.loader.api.FabricLoader 10 12 import org.slf4j.LoggerFactory 13 13 + import java.util.concurrent.Executors 14 14 + import java.util.concurrent.TimeUnit 11 15 12 16 object Atprotoconnect : ModInitializer { 13 17 private val logger = LoggerFactory.getLogger("atproto-connect") ··· 25 29 26 30 lateinit var commands: AtProtoCommands 27 31 private set 32 32 + 33 33 + // Cleanup scheduler 34 34 + private val scheduler = Executors.newScheduledThreadPool(1) { r -> 35 35 + Thread(r, "atproto-cleanup").apply { isDaemon = true } 36 36 + } 28 37 29 38 override fun onInitialize() { 30 30 - logger.info("Initializing atproto-connect mod") 39 39 + logger.info("Initializing atproto-connect mod v${getVersion()}") 31 40 32 41 try { 42 42 + // Get config directory 43 43 + val configDir = FabricLoader.getInstance().configDir.resolve(MOD_ID) 44 44 + 45 45 + // Initialize security auditor first 46 46 + SecurityAuditor.initialize(configDir) 47 47 + logger.info("Security auditor initialized") 48 48 + 33 49 // Initialize AT Protocol client with Slingshot for PDS resolution 34 50 atProtoClient = AtProtoClient( 35 51 slingshotUrl = "https://slingshot.microcosm.blue", ··· 38 54 logger.info("AT Protocol client initialized with Slingshot resolver") 39 55 40 56 // Initialize identity store 41 41 - val configDir = FabricLoader.getInstance().configDir 42 42 - val identityStorePath = configDir.resolve("$MOD_ID/player-identities.json") 57 57 + val identityStorePath = configDir.resolve("player-identities.json") 43 58 identityStore = PlayerIdentityStore(identityStorePath) 44 59 logger.info("Player identity store initialized at: $identityStorePath") 45 60 46 46 - // Initialize session manager 47 47 - val sessionStorePath = configDir.resolve("$MOD_ID/player-sessions.json") 61 61 + // Initialize session manager (with encryption) 62 62 + val sessionStorePath = configDir.resolve("player-sessions.json") 48 63 sessionManager = AtProtoSessionManager(sessionStorePath, atProtoClient) 49 49 - logger.info("Session manager initialized at: $sessionStorePath") 64 64 + logger.info("Session manager initialized with encryption at: $sessionStorePath") 50 65 51 51 - // Initialize command handler 66 66 + // Initialize command handler (with rate limiting and audit logging) 52 67 commands = AtProtoCommands(atProtoClient, identityStore, sessionManager) 53 68 54 69 // Register commands ··· 56 71 commands.register(dispatcher) 57 72 logger.info("AT Protocol commands registered") 58 73 } 74 74 + 75 75 + // Schedule periodic cleanup tasks 76 76 + setupCleanupTasks() 77 77 + 78 78 + // Register server lifecycle events 79 79 + ServerLifecycleEvents.SERVER_STOPPING.register { _ -> 80 80 + onServerStopping() 81 81 + } 59 82 83 83 + logger.info("━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━") 60 84 logger.info("atproto-connect mod successfully initialized!") 85 85 + logger.info("Security features enabled:") 86 86 + logger.info(" ✓ Token encryption (AES-256-GCM)") 87 87 + logger.info(" ✓ File permissions (owner-only)") 88 88 + logger.info(" ✓ Rate limiting (3 attempts / 15 min)") 89 89 + logger.info(" ✓ Security audit logging") 90 90 + logger.info(" ✓ Enhanced SSRF protection") 61 91 logger.info("Players can use /atproto help to see available commands") 92 92 + logger.info("━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━") 62 93 } catch (e: Exception) { 63 94 logger.error("Failed to initialize atproto-connect mod", e) 95 95 + logger.error("The mod will be disabled. Check the error above for details.") 64 96 } 97 97 + } 98 98 + 99 99 + /** 100 100 + * Sets up periodic cleanup tasks for security components. 101 101 + */ 102 102 + private fun setupCleanupTasks() { 103 103 + // Cleanup rate limiter every hour 104 104 + scheduler.scheduleAtFixedRate({ 105 105 + try { 106 106 + commands.cleanup() 107 107 + logger.debug("Rate limiter cleanup completed") 108 108 + } catch (e: Exception) { 109 109 + logger.error("Failed to cleanup rate limiter", e) 110 110 + } 111 111 + }, 1, 1, TimeUnit.HOURS) 112 112 + 113 113 + logger.info("Periodic cleanup tasks scheduled") 114 114 + } 115 115 + 116 116 + /** 117 117 + * Called when the server is stopping. 118 118 + */ 119 119 + private fun onServerStopping() { 120 120 + logger.info("Server stopping, shutting down atproto-connect components") 121 121 + 122 122 + try { 123 123 + // Shutdown scheduler 124 124 + scheduler.shutdown() 125 125 + if (!scheduler.awaitTermination(5, TimeUnit.SECONDS)) { 126 126 + scheduler.shutdownNow() 127 127 + } 128 128 + } catch (e: Exception) { 129 129 + logger.error("Error during shutdown", e) 130 130 + } 131 131 + 132 132 + logger.info("atproto-connect mod shut down successfully") 65 133 } 66 134 67 135 /**

+169 -46

src/main/kotlin/com/jollywhoppers/atproto/AtProtoClient.kt

··· 1 1 package com.jollywhoppers.atproto 2 2 3 3 + import com.jollywhoppers.atproto.security.SecurityUtils 4 4 + import com.jollywhoppers.atproto.security.SecurityAuditor 3 5 import kotlinx.serialization.Serializable 4 6 import kotlinx.serialization.json.Json 5 7 import org.slf4j.LoggerFactory 8 8 + import java.net.InetAddress 6 9 import java.net.URI 7 10 import java.net.http.HttpClient 8 11 import java.net.http.HttpRequest ··· 13 16 /** 14 17 * Enhanced AT Protocol client with PDS resolution via Slingshot. 15 18 * Handles identity resolution, authentication, and XRPC requests. 19 19 + * 20 20 + * SECURITY FEATURES: 21 21 + * - SSRF protection with comprehensive private network blocking 22 22 + * - DNS resolution validation 23 23 + * - No automatic HTTP redirects (prevents redirect-based SSRF) 24 24 + * - Request timeouts on all HTTP operations 25 25 + * - Sanitized error messages 16 26 */ 17 27 class AtProtoClient( 18 28 private val slingshotUrl: String = "https://slingshot.microcosm.blue", 19 29 private val fallbackPdsUrl: String = "https://bsky.social" 20 30 ) { 21 31 private val logger = LoggerFactory.getLogger("atproto-connect") 32 32 + 33 33 + // HTTP client with security hardening 22 34 private val httpClient = HttpClient.newBuilder() 23 35 .connectTimeout(Duration.ofSeconds(10)) 24 24 - .followRedirects(HttpClient.Redirect.NORMAL) 36 36 + .followRedirects(HttpClient.Redirect.NEVER) // Disabled for security - prevents redirect-based SSRF 25 37 .build() 26 38 27 39 private val json = Json { ··· 101 113 * This is the preferred method as it's fast and cached. 102 114 */ 103 115 suspend fun resolveMiniDoc(identifier: String): Result<MiniDoc> = runCatching { 104 104 - logger.info("Resolving identifier via Slingshot: $identifier") 116 116 + logger.info("Resolving identifier via Slingshot: ${SecurityUtils.sanitizeForLog(identifier)}") 117 117 + 118 118 + // Validate URL before making request 119 119 + val url = "$slingshotUrl/xrpc/com.bad-example.identity.resolveMiniDoc?identifier=${encodeURIComponent(identifier)}" 120 120 + validateUrl(url) 105 121 106 122 val request = HttpRequest.newBuilder() 107 107 - .uri(URI.create("$slingshotUrl/xrpc/com.bad-example.identity.resolveMiniDoc?identifier=${encodeURIComponent(identifier)}")) 123 123 + .uri(URI.create(url)) 108 124 .GET() 109 125 .timeout(Duration.ofSeconds(10)) 110 126 .build() ··· 112 128 val response = httpClient.send(request, HttpResponse.BodyHandlers.ofString()) 113 129 114 130 if (response.statusCode() != 200) { 115 115 - throw Exception("Failed to resolve via Slingshot: HTTP ${response.statusCode()}") 131 131 + throw Exception("Resolution failed") 116 132 } 117 133 118 134 val miniDoc = json.decodeFromString<MiniDoc>(response.body()) 135 135 + 136 136 + // Validate PDS URL 137 137 + validateUrl(miniDoc.pds) 138 138 + 119 139 logger.info("Resolved ${miniDoc.handle} -> PDS: ${miniDoc.pds}") 120 140 miniDoc 121 141 } ··· 125 145 * Falls back to standard resolution if Slingshot fails. 126 146 */ 127 147 suspend fun resolveHandle(handle: String): Result<String> = runCatching { 128 128 - logger.info("Resolving handle: $handle") 148 148 + logger.info("Resolving handle: ${SecurityUtils.sanitizeForLog(handle)}") 129 149 130 150 // Try Slingshot's MiniDoc first 131 151 try { 132 152 val miniDoc = resolveMiniDoc(handle).getOrThrow() 133 153 return@runCatching miniDoc.did 134 154 } catch (e: Exception) { 135 135 - logger.warn("Slingshot resolution failed, trying fallback: ${e.message}") 155 155 + logger.warn("Slingshot resolution failed, trying fallback") 136 156 } 137 157 138 158 // Fallback to standard XRPC resolution 159 159 + val url = "$fallbackPdsUrl/xrpc/com.atproto.identity.resolveHandle?handle=$handle" 160 160 + validateUrl(url) 161 161 + 139 162 val request = HttpRequest.newBuilder() 140 140 - .uri(URI.create("$fallbackPdsUrl/xrpc/com.atproto.identity.resolveHandle?handle=$handle")) 163 163 + .uri(URI.create(url)) 141 164 .GET() 142 165 .timeout(Duration.ofSeconds(10)) 143 166 .build() ··· 145 168 val response = httpClient.send(request, HttpResponse.BodyHandlers.ofString()) 146 169 147 170 if (response.statusCode() != 200) { 148 148 - throw Exception("Failed to resolve handle: HTTP ${response.statusCode()}") 171 171 + throw Exception("Handle resolution failed") 149 172 } 150 173 151 174 val resolution = json.decodeFromString<HandleResolution>(response.body()) 152 152 - logger.info("Resolved handle $handle to DID: ${resolution.did}") 175 175 + logger.info("Resolved handle to DID") 153 176 resolution.did 154 177 } 155 178 ··· 158 181 * Supports did:plc and did:web methods. 159 182 */ 160 183 suspend fun resolveDid(did: String): Result<DidDocument> = runCatching { 161 161 - logger.info("Resolving DID: $did") 184 184 + logger.info("Resolving DID: ${SecurityUtils.sanitizeForLog(did)}") 162 185 163 186 val url = when { 164 187 did.startsWith("did:plc:") -> { ··· 170 193 171 194 // Validate domain format (no IPs, only valid hostnames) 172 195 if (!domain.matches(Regex("^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$"))) { 173 173 - throw IllegalArgumentException("Invalid did:web domain format: must be a valid hostname") 196 196 + throw IllegalArgumentException("Invalid did:web domain format") 174 197 } 175 198 176 199 // Block private IP ranges and localhost 177 200 validateNotPrivateNetwork(domain) 201 201 + 202 202 + // Validate DNS resolution 203 203 + validateDnsResolution(domain) 178 204 179 205 "https://$domain/.well-known/did.json" 180 206 } 181 181 - else -> throw IllegalArgumentException("Unsupported DID method: $did") 207 207 + else -> throw IllegalArgumentException("Unsupported DID method") 182 208 } 183 209 184 210 val request = HttpRequest.newBuilder() ··· 190 216 val response = httpClient.send(request, HttpResponse.BodyHandlers.ofString()) 191 217 192 218 if (response.statusCode() != 200) { 193 193 - throw Exception("Failed to resolve DID: HTTP ${response.statusCode()}") 219 219 + throw Exception("DID resolution failed") 194 220 } 195 221 196 222 val didDoc = json.decodeFromString<DidDocument>(response.body()) 197 197 - logger.info("Resolved DID $did successfully") 223 223 + logger.info("Resolved DID successfully") 198 224 didDoc 199 225 } 200 226 ··· 203 229 * Uses Slingshot for PDS resolution if needed. 204 230 */ 205 231 suspend fun getProfile(actor: String, pdsUrl: String? = null): Result<ProfileView> = runCatching { 206 206 - logger.info("Fetching profile for: $actor") 232 232 + logger.info("Fetching profile for: ${SecurityUtils.sanitizeForLog(actor)}") 207 233 208 234 val serviceUrl = pdsUrl ?: run { 209 235 // Resolve PDS if not provided ··· 211 237 val miniDoc = resolveMiniDoc(actor).getOrThrow() 212 238 miniDoc.pds 213 239 } catch (e: Exception) { 214 214 - logger.warn("Could not resolve PDS, using fallback: ${e.message}") 240 240 + logger.warn("Could not resolve PDS, using fallback") 215 241 fallbackPdsUrl 216 242 } 217 243 } 244 244 + 245 245 + val url = "$serviceUrl/xrpc/app.bsky.actor.getProfile?actor=$actor" 246 246 + validateUrl(url) 218 247 219 248 val request = HttpRequest.newBuilder() 220 220 - .uri(URI.create("$serviceUrl/xrpc/app.bsky.actor.getProfile?actor=$actor")) 249 249 + .uri(URI.create(url)) 221 250 .GET() 222 251 .timeout(Duration.ofSeconds(10)) 223 252 .build() ··· 225 254 val response = httpClient.send(request, HttpResponse.BodyHandlers.ofString()) 226 255 227 256 if (response.statusCode() != 200) { 228 228 - throw Exception("Failed to get profile: HTTP ${response.statusCode()}: ${response.body()}") 257 257 + throw Exception("Profile fetch failed") 229 258 } 230 259 231 260 val profile = json.decodeFromString<ProfileView>(response.body()) 232 232 - logger.info("Retrieved profile for ${profile.handle} (${profile.did})") 261 261 + logger.info("Retrieved profile successfully") 233 262 profile 234 263 } 235 264 236 265 /** 237 266 * Creates an authenticated session using identifier and app password. 238 267 * This is the primary authentication method for the mod. 268 268 + * Password is NOT logged for security. 239 269 */ 240 270 suspend fun createSession(identifier: String, password: String): Result<CreateSessionResponse> = runCatching { 241 241 - logger.info("Creating session for: $identifier") 271 271 + logger.info("Creating session for: ${SecurityUtils.sanitizeForLog(identifier)}") 242 272 243 273 // Resolve to find the correct PDS 244 274 val pdsUrl = try { 245 275 val miniDoc = resolveMiniDoc(identifier).getOrThrow() 246 276 miniDoc.pds 247 277 } catch (e: Exception) { 248 248 - logger.warn("Could not resolve PDS via Slingshot, trying fallback: ${e.message}") 278 278 + logger.warn("Could not resolve PDS via Slingshot, trying fallback") 249 279 fallbackPdsUrl 250 280 } 251 281 252 282 val requestBody = CreateSessionRequest( 253 283 identifier = identifier, 254 254 - password = password 284 284 + password = password // Password is never logged 255 285 ) 256 286 287 287 + val url = "$pdsUrl/xrpc/com.atproto.server.createSession" 288 288 + validateUrl(url) 289 289 + 257 290 val request = HttpRequest.newBuilder() 258 258 - .uri(URI.create("$pdsUrl/xrpc/com.atproto.server.createSession")) 291 291 + .uri(URI.create(url)) 259 292 .POST(HttpRequest.BodyPublishers.ofString(json.encodeToString(CreateSessionRequest.serializer(), requestBody))) 260 293 .header("Content-Type", "application/json") 261 294 .timeout(Duration.ofSeconds(15)) ··· 264 297 val response = httpClient.send(request, HttpResponse.BodyHandlers.ofString()) 265 298 266 299 if (response.statusCode() != 200) { 267 267 - val errorBody = response.body() 268 268 - logger.error("Session creation failed: HTTP ${response.statusCode()}: $errorBody") 269 269 - throw Exception("Failed to create session: HTTP ${response.statusCode()}: $errorBody") 300 300 + // Don't log response body as it might contain sensitive info 301 301 + logger.error("Session creation failed: HTTP ${response.statusCode()}") 302 302 + throw Exception("Authentication failed") 270 303 } 271 304 272 305 val session = json.decodeFromString<CreateSessionResponse>(response.body()) 273 273 - logger.info("Session created successfully for ${session.handle}") 306 306 + logger.info("Session created successfully") 274 307 session 275 308 } 276 309 ··· 282 315 283 316 val requestBody = RefreshSessionRequest(refreshJwt = refreshJwt) 284 317 318 318 + val url = "$pdsUrl/xrpc/com.atproto.server.refreshSession" 319 319 + validateUrl(url) 320 320 + 285 321 val request = HttpRequest.newBuilder() 286 286 - .uri(URI.create("$pdsUrl/xrpc/com.atproto.server.refreshSession")) 322 322 + .uri(URI.create(url)) 287 323 .POST(HttpRequest.BodyPublishers.ofString(json.encodeToString(RefreshSessionRequest.serializer(), requestBody))) 288 324 .header("Content-Type", "application/json") 289 325 .header("Authorization", "Bearer $refreshJwt") ··· 293 329 val response = httpClient.send(request, HttpResponse.BodyHandlers.ofString()) 294 330 295 331 if (response.statusCode() != 200) { 296 296 - throw Exception("Failed to refresh session: HTTP ${response.statusCode()}") 332 332 + throw Exception("Session refresh failed") 297 333 } 298 334 299 335 json.decodeFromString<CreateSessionResponse>(response.body()) ··· 309 345 pdsUrl: String, 310 346 body: String? = null 311 347 ): Result<String> = runCatching { 348 348 + val url = "$pdsUrl/xrpc/$endpoint" 349 349 + validateUrl(url) 350 350 + 312 351 val requestBuilder = HttpRequest.newBuilder() 313 313 - .uri(URI.create("$pdsUrl/xrpc/$endpoint")) 352 352 + .uri(URI.create(url)) 314 353 .header("Authorization", "Bearer $accessJwt") 315 354 .header("Content-Type", "application/json") 316 355 .timeout(Duration.ofSeconds(15)) ··· 324 363 HttpRequest.BodyPublishers.ofString(body ?: "{}") 325 364 ).build() 326 365 "DELETE" -> requestBuilder.DELETE().build() 327 327 - else -> throw IllegalArgumentException("Unsupported HTTP method: $method") 366 366 + else -> throw IllegalArgumentException("Unsupported HTTP method") 328 367 } 329 368 330 369 val response = httpClient.send(request, HttpResponse.BodyHandlers.ofString()) 331 370 332 371 if (response.statusCode() !in 200..299) { 333 333 - throw Exception("XRPC request failed: HTTP ${response.statusCode()}: ${response.body()}") 372 372 + throw Exception("Request failed") 334 373 } 335 374 336 375 response.body() ··· 378 417 val uri = try { 379 418 URI.create(serviceEndpoint) 380 419 } catch (e: Exception) { 381 381 - throw Exception("Invalid serviceEndpoint URI: ${e.message}") 420 420 + throw Exception("Invalid serviceEndpoint URI") 382 421 } 383 422 384 423 // Validate per AT Protocol spec 385 424 require(uri.scheme in listOf("http", "https")) { 386 386 - "serviceEndpoint must use HTTP or HTTPS scheme, got: ${uri.scheme}" 425 425 + "serviceEndpoint must use HTTP or HTTPS scheme" 387 426 } 388 427 require(uri.host != null) { 389 428 "serviceEndpoint must have a valid host" 390 429 } 391 430 require(uri.path.isNullOrEmpty() || uri.path == "/") { 392 392 - "serviceEndpoint must not contain path, got: ${uri.path}" 431 431 + "serviceEndpoint must not contain path" 393 432 } 394 433 require(uri.query == null) { 395 434 "serviceEndpoint must not contain query parameters" ··· 403 442 404 443 // Block private IP ranges 405 444 validateNotPrivateNetwork(uri.host) 445 445 + 446 446 + // Validate DNS resolution 447 447 + validateDnsResolution(uri.host) 406 448 407 449 // Reconstruct clean URL 408 450 val cleanPdsUrl = "${uri.scheme}://${uri.host}${uri.port.takeIf { it != -1 }?.let { ":$it" } ?: ""}" ··· 427 469 } 428 470 429 471 /** 472 472 + * Validates a URL before making HTTP requests. 473 473 + * Checks for SSRF vulnerabilities. 474 474 + */ 475 475 + private fun validateUrl(url: String) { 476 476 + try { 477 477 + val uri = URI.create(url) 478 478 + 479 479 + // Ensure HTTPS (except for localhost during development) 480 480 + if (uri.scheme != "https" && uri.host != "localhost") { 481 481 + throw IllegalArgumentException("Only HTTPS URLs are allowed") 482 482 + } 483 483 + 484 484 + require(uri.host != null) { "URL must have a host" } 485 485 + 486 486 + // Validate host is not private network 487 487 + validateNotPrivateNetwork(uri.host) 488 488 + 489 489 + // Validate DNS resolution if it's a hostname 490 490 + if (!uri.host.matches(Regex("^\\d+\\.\\d+\\.\\d+\\.\\d+$"))) { 491 491 + validateDnsResolution(uri.host) 492 492 + } 493 493 + } catch (e: IllegalArgumentException) { 494 494 + throw e 495 495 + } catch (e: Exception) { 496 496 + throw IllegalArgumentException("Invalid URL format") 497 497 + } 498 498 + } 499 499 + 500 500 + /** 430 501 * Validates that a hostname or domain is not a private network address. 431 431 - * Throws IllegalArgumentException if the address is localhost or a private IP range. 502 502 + * Enhanced with more comprehensive checks. 432 503 */ 433 504 private fun validateNotPrivateNetwork(host: String) { 434 434 - val blockedPatterns = listOf( 505 505 + // Localhost variants 506 506 + val localhostPatterns = listOf( 435 507 Regex("^localhost$", RegexOption.IGNORE_CASE), 436 436 - Regex("^127\\."), 437 437 - Regex("^10\\."), 438 438 - Regex("^172\\.(1[6-9]|2[0-9]|3[01])\\."), 439 439 - Regex("^192\\.168\\."), 440 440 - Regex("^169\\.254\\."), 508 508 + Regex("^127\\..*"), 441 509 Regex("^::1$"), 442 442 - Regex("^fc00:"), 443 443 - Regex("^fe80:") 510 510 + Regex("^::ffff:127\\..*"), // IPv4-mapped IPv6 localhost 511 511 + Regex("^0:0:0:0:0:0:0:1$") 512 512 + ) 513 513 + 514 514 + // Private IPv4 ranges 515 515 + val privateIPv4 = listOf( 516 516 + Regex("^10\\..*"), 517 517 + Regex("^172\\.(1[6-9]|2[0-9]|3[01])\\..*"), 518 518 + Regex("^192\\.168\\..*"), 519 519 + Regex("^169\\.254\\..*") // Link-local 520 520 + ) 521 521 + 522 522 + // Private IPv6 ranges 523 523 + val privateIPv6 = listOf( 524 524 + Regex("^fc00:.*", RegexOption.IGNORE_CASE), 525 525 + Regex("^fd[0-9a-f]{2}:.*", RegexOption.IGNORE_CASE), 526 526 + Regex("^fe80:.*", RegexOption.IGNORE_CASE) // Link-local 527 527 + ) 528 528 + 529 529 + // Cloud metadata services 530 530 + val cloudMetadata = listOf( 531 531 + Regex("^169\\.254\\.169\\.254$"), // AWS, Azure, GCP 532 532 + Regex("^metadata\\.google\\.internal$", RegexOption.IGNORE_CASE), 533 533 + Regex("^100\\.100\\.100\\.200$") // Alibaba Cloud 444 534 ) 535 535 + 536 536 + val allPatterns = localhostPatterns + privateIPv4 + privateIPv6 + cloudMetadata 445 537 446 446 - if (blockedPatterns.any { it.containsMatchIn(host) }) { 447 447 - throw IllegalArgumentException("Access to private networks is not allowed: $host") 538 538 + if (allPatterns.any { it.containsMatchIn(host) }) { 539 539 + SecurityAuditor.logSuspiciousActivity(null, "Blocked access to private network: $host") 540 540 + throw IllegalArgumentException("Access to private networks is not allowed") 541 541 + } 542 542 + } 543 543 + 544 544 + /** 545 545 + * Validates DNS resolution to ensure it doesn't resolve to private IPs. 546 546 + * Helps prevent DNS rebinding attacks. 547 547 + */ 548 548 + private fun validateDnsResolution(hostname: String) { 549 549 + try { 550 550 + val addresses = InetAddress.getAllByName(hostname) 551 551 + 552 552 + addresses.forEach { addr -> 553 553 + val hostAddress = addr.hostAddress 554 554 + 555 555 + // Check if resolved IP is private 556 556 + if (addr.isLoopbackAddress || addr.isLinkLocalAddress || 557 557 + addr.isSiteLocalAddress || addr.isAnyLocalAddress) { 558 558 + SecurityAuditor.logSuspiciousActivity(null, "DNS resolved to private address: $hostAddress for $hostname") 559 559 + throw IllegalArgumentException("DNS resolved to private address") 560 560 + } 561 561 + 562 562 + // Additional string pattern check 563 563 + validateNotPrivateNetwork(hostAddress) 564 564 + } 565 565 + } catch (e: java.net.UnknownHostException) { 566 566 + throw IllegalArgumentException("Could not resolve hostname") 567 567 + } catch (e: IllegalArgumentException) { 568 568 + throw e 569 569 + } catch (e: Exception) { 570 570 + throw IllegalArgumentException("DNS resolution validation failed") 448 571 } 449 572 } 450 573 }

+140 -12

src/main/kotlin/com/jollywhoppers/atproto/AtProtoCommands.kt

··· 1 1 package com.jollywhoppers.atproto 2 2 3 3 + import com.jollywhoppers.atproto.security.RateLimiter 4 4 + import com.jollywhoppers.atproto.security.SecurityAuditor 5 5 + import com.jollywhoppers.atproto.security.SecurityUtils 3 6 import com.mojang.brigadier.CommandDispatcher 4 7 import com.mojang.brigadier.arguments.StringArgumentType 5 8 import com.mojang.brigadier.context.CommandContext ··· 11 14 import net.minecraft.network.chat.Component 12 15 import net.minecraft.server.level.ServerPlayer 13 16 import org.slf4j.LoggerFactory 17 17 + import java.time.Duration 18 18 + import java.time.Instant 14 19 15 20 /** 16 21 * Handles AT Protocol-related commands for players. 17 22 * Provides commands to link, authenticate, and manage AT Protocol identities. 23 23 + * 24 24 + * SECURITY FEATURES: 25 25 + * - Rate limiting on authentication (3 attempts per 15 minutes) 26 26 + * - Security audit logging for all sensitive operations 27 27 + * - Sanitized error messages 28 28 + * - Secure password handling (no logging) 18 29 */ 19 30 class AtProtoCommands( 20 31 private val client: AtProtoClient, ··· 23 34 ) { 24 35 private val logger = LoggerFactory.getLogger("atproto-connect") 25 36 private val coroutineScope = CoroutineScope(Dispatchers.IO) 37 37 + 38 38 + // Rate limiter: 3 attempts per 15 minutes, 30 minute lockout 39 39 + private val rateLimiter = RateLimiter( 40 40 + maxAttempts = 3, 41 41 + windowSeconds = 900, // 15 minutes 42 42 + lockoutSeconds = 1800 // 30 minutes 43 43 + ) 26 44 27 45 /** 28 46 * Registers all AT Protocol commands. ··· 96 114 97 115 // Link the identity 98 116 identityStore.linkIdentity(player.uuid, profile.did, profile.handle) 117 117 + 118 118 + // Audit log 119 119 + SecurityAuditor.logIdentityLink(player.uuid, profile.handle, player.name.string) 99 120 100 121 player.sendSystemMessage( 101 122 Component.literal("§a✓ Successfully linked to AT Protocol!") ··· 114 135 } catch (e: Exception) { 115 136 player.sendSystemMessage( 116 137 Component.literal("§c✗ Failed to link AT Protocol identity") 117 117 - .append(Component.literal("\n§7${e.message ?: "Unknown error"}")) 138 138 + .append(Component.literal("\n§7${sanitizeError(e)}")) 118 139 ) 119 119 - logger.error("Failed to link identity for player ${player.name.string}", e) 140 140 + logger.error("Failed to link identity for player ${player.name.string}: ${e.javaClass.simpleName}") 120 141 } 121 142 } 122 143 ··· 137 158 } 138 159 139 160 identityStore.unlinkIdentity(player.uuid) 161 161 + 162 162 + // Audit log 163 163 + SecurityAuditor.logIdentityUnlink(player.uuid, identity.handle, player.name.string) 164 164 + 140 165 context.source.sendSuccess( 141 166 { 142 167 Component.literal("§a✓ Unlinked from AT Protocol identity") ··· 156 181 157 182 /** 158 183 * Authenticates a player with their AT Protocol credentials. 159 159 - * Uses app passwords for security. 184 184 + * Uses app passwords for security. Includes rate limiting. 160 185 */ 161 186 private fun login(context: CommandContext<CommandSourceStack>): Int { 162 187 val player = context.source.playerOrException 163 188 val identifier = StringArgumentType.getString(context, "identifier") 164 189 val password = StringArgumentType.getString(context, "password") 165 190 191 191 + // Check rate limit BEFORE attempting authentication 192 192 + val rateLimit = rateLimiter.checkAttempt(player.uuid) 193 193 + if (!rateLimit.allowed) { 194 194 + val lockUntil = rateLimit.lockedUntil 195 195 + if (lockUntil != null) { 196 196 + val minutesRemaining = Duration.between( 197 197 + Instant.now(), 198 198 + lockUntil 199 199 + ).toMinutes() 200 200 + 201 201 + SecurityAuditor.logRateLimitLockout(player.uuid, player.name.string, minutesRemaining) 202 202 + 203 203 + context.source.sendFailure( 204 204 + Component.literal("§c✗ Too many failed authentication attempts") 205 205 + .append(Component.literal("\n§7Your account has been temporarily locked for security")) 206 206 + .append(Component.literal("\n§7Please try again in §f$minutesRemaining minutes")) 207 207 + .append(Component.literal("\n\n§7If you're having trouble, check your app password")) 208 208 + ) 209 209 + logger.warn("Player ${player.name.string} (${player.uuid}) blocked by rate limiter") 210 210 + return 0 211 211 + } 212 212 + } 213 213 + 214 214 + val attemptsRemaining = rateLimit.attemptsRemaining 166 215 context.source.sendSuccess( 167 167 - { Component.literal("§eAuthenticating with AT Protocol...") }, 216 216 + { 217 217 + Component.literal("§eAuthenticating with AT Protocol...") 218 218 + .append(Component.literal(" §7(${attemptsRemaining} attempts remaining)")) 219 219 + }, 168 220 false 169 221 ) 170 222 171 223 coroutineScope.launch { 172 224 try { 173 173 - // Create session 225 225 + // Create session (password is not logged) 174 226 val session = sessionManager.createSession(player.uuid, identifier, password).getOrThrow() 175 227 176 228 // Link identity if not already linked ··· 178 230 identityStore.linkIdentity(player.uuid, session.did, session.handle) 179 231 } 180 232 233 233 + // Record successful authentication (clears rate limit) 234 234 + rateLimiter.recordSuccess(player.uuid) 235 235 + 236 236 + // Audit log 237 237 + SecurityAuditor.logAuthSuccess(player.uuid, session.handle, player.name.string) 238 238 + 181 239 player.sendSystemMessage( 182 240 Component.literal("§a✓ Successfully authenticated!") 183 241 .append(Component.literal("\n§7Handle: §f${session.handle}")) ··· 188 246 189 247 logger.info("Player ${player.name.string} (${player.uuid}) authenticated as ${session.handle}") 190 248 } catch (e: Exception) { 191 191 - player.sendSystemMessage( 192 192 - Component.literal("§c✗ Authentication failed") 193 193 - .append(Component.literal("\n§7${e.message ?: "Unknown error"}")) 194 194 - .append(Component.literal("\n\n§7Tip: Use an §fApp Password§7 from your AT Protocol account settings")) 195 195 - .append(Component.literal("\n§7Never use your main account password!")) 249 249 + // Record failed attempt 250 250 + rateLimiter.recordFailure(player.uuid) 251 251 + val status = rateLimiter.getStatus(player.uuid) 252 252 + 253 253 + // Audit log 254 254 + SecurityAuditor.logAuthFailure( 255 255 + player.uuid, 256 256 + SecurityUtils.sanitizeForLog(identifier), 257 257 + e.javaClass.simpleName, 258 258 + player.name.string 196 259 ) 197 197 - logger.error("Failed to authenticate player ${player.name.string}", e) 260 260 + 261 261 + if (status.attemptsRemaining > 0) { 262 262 + player.sendSystemMessage( 263 263 + Component.literal("§c✗ Authentication failed") 264 264 + .append(Component.literal("\n§7${sanitizeError(e)}")) 265 265 + .append(Component.literal("\n§7Attempts remaining: §f${status.attemptsRemaining}")) 266 266 + .append(Component.literal("\n\n§7Tip: Use an §fApp Password§7 from your AT Protocol account settings")) 267 267 + .append(Component.literal("\n§cNever use your main account password!")) 268 268 + ) 269 269 + } else { 270 270 + val lockUntil = status.lockedUntil 271 271 + val minutesRemaining = if (lockUntil != null) { 272 272 + Duration.between(Instant.now(), lockUntil).toMinutes() 273 273 + } else 30 274 274 + 275 275 + SecurityAuditor.logRateLimitHit(player.uuid, player.name.string) 276 276 + 277 277 + player.sendSystemMessage( 278 278 + Component.literal("§c✗ Authentication failed - Rate limit exceeded") 279 279 + .append(Component.literal("\n§7Too many failed attempts")) 280 280 + .append(Component.literal("\n§7Your account is locked for §f$minutesRemaining minutes")) 281 281 + .append(Component.literal("\n\n§7Please verify your app password and try again later")) 282 282 + ) 283 283 + } 284 284 + 285 285 + logger.error("Failed to authenticate player ${player.name.string}: ${e.javaClass.simpleName}") 198 286 } 199 287 } 200 288 ··· 206 294 */ 207 295 private fun logout(context: CommandContext<CommandSourceStack>): Int { 208 296 val player = context.source.playerOrException 297 297 + val identity = identityStore.getIdentity(player.uuid) 209 298 210 299 return if (sessionManager.hasSession(player.uuid)) { 211 300 sessionManager.deleteSession(player.uuid) 301 301 + 302 302 + // Audit log 303 303 + if (identity != null) { 304 304 + SecurityAuditor.logLogout(player.uuid, identity.handle, player.name.string) 305 305 + } 306 306 + 212 307 context.source.sendSuccess( 213 308 { 214 309 Component.literal("§a✓ Logged out successfully") ··· 306 401 ) 307 402 } 308 403 } catch (e: Exception) { 309 309 - logger.error("Error in whois command", e) 404 404 + logger.error("Error in whois command: ${e.javaClass.simpleName}") 310 405 } 311 406 } 312 407 ··· 401 496 seconds < 86400 -> "${seconds / 3600} hours" 402 497 else -> "${seconds / 86400} days" 403 498 } 499 499 + } 500 500 + 501 501 + /** 502 502 + * Sanitizes error messages to avoid leaking sensitive information. 503 503 + */ 504 504 + private fun sanitizeError(e: Exception): String { 505 505 + return when (e) { 506 506 + is java.net.UnknownHostException -> "Could not resolve hostname. Please check the handle or DID." 507 507 + is java.net.ConnectException -> "Connection failed. The server may be unavailable." 508 508 + is java.net.SocketTimeoutException -> "Connection timed out. Please try again." 509 509 + is javax.crypto.BadPaddingException -> "Authentication failed. Please check your credentials." 510 510 + is IllegalArgumentException -> { 511 511 + // Only show message if it's a safe validation error 512 512 + if (e.message?.contains("Invalid") == true || e.message?.contains("format") == true) { 513 513 + e.message ?: "Invalid input" 514 514 + } else { 515 515 + "Invalid request" 516 516 + } 517 517 + } 518 518 + else -> { 519 519 + // Log full error server-side only 520 520 + logger.error("Operation failed with ${e.javaClass.simpleName}: ${e.message}") 521 521 + "An error occurred. Please try again or contact an administrator." 522 522 + } 523 523 + } 524 524 + } 525 525 + 526 526 + /** 527 527 + * Periodic cleanup task for rate limiter. 528 528 + * Should be called from the main mod initializer. 529 529 + */ 530 530 + fun cleanup() { 531 531 + rateLimiter.cleanup() 404 532 } 405 533 }

+77 -15

src/main/kotlin/com/jollywhoppers/atproto/AtProtoSessionManager.kt

··· 1 1 package com.jollywhoppers.atproto 2 2 3 3 + import com.jollywhoppers.atproto.security.SecurityUtils 4 4 + import com.jollywhoppers.atproto.security.SecurityAuditor 3 5 import kotlinx.serialization.Serializable 4 6 import kotlinx.serialization.json.Json 5 7 import kotlinx.serialization.encodeToString ··· 9 11 import java.nio.file.StandardOpenOption 10 12 import java.util.* 11 13 import java.util.concurrent.ConcurrentHashMap 14 14 + import java.util.concurrent.locks.ReentrantReadWriteLock 15 15 + import javax.crypto.SecretKey 16 16 + import kotlin.concurrent.read 17 17 + import kotlin.concurrent.write 12 18 13 19 /** 14 20 * Manages AT Protocol authentication sessions for players. 15 15 - * Handles token storage, refresh, and session lifecycle. 21 21 + * Handles token storage with encryption, refresh, and session lifecycle. 22 22 + * 23 23 + * SECURITY FEATURES: 24 24 + * - AES-256-GCM encryption for session data at rest 25 25 + * - Restricted file permissions (owner-only) 26 26 + * - Atomic file writes to prevent corruption 27 27 + * - Thread-safe session management 28 28 + * - Automatic token refresh 16 29 */ 17 30 class AtProtoSessionManager( 18 31 private val storageFile: Path, ··· 20 33 ) { 21 34 private val logger = LoggerFactory.getLogger("atproto-connect") 22 35 private val sessions = ConcurrentHashMap<UUID, PlayerSession>() 36 36 + private val encryptionKey: SecretKey 37 37 + private val fileLock = ReentrantReadWriteLock() 23 38 24 39 private val json = Json { 25 40 prettyPrint = true ··· 40 55 41 56 @Serializable 42 57 private data class SessionStorage( 43 43 - val version: Int = 1, 58 58 + val version: Int = 2, // Version 2 = encrypted 44 59 val sessions: List<PlayerSession> 45 60 ) 46 61 47 62 init { 63 63 + // Validate storage path is in expected directory 64 64 + val configDir = storageFile.parent 65 65 + if (!SecurityUtils.validatePathInDirectory(storageFile, configDir)) { 66 66 + throw SecurityException("Storage file path is outside expected directory") 67 67 + } 68 68 + 69 69 + // Load or generate encryption key 70 70 + val keyFile = configDir.resolve(".encryption.key") 71 71 + encryptionKey = SecurityUtils.loadOrGenerateServerKey(keyFile) 72 72 + 73 73 + // Load existing sessions 48 74 load() 75 75 + 76 76 + logger.info("Session manager initialized with encryption enabled") 49 77 } 50 78 51 79 /** ··· 56 84 identifier: String, 57 85 password: String 58 86 ): Result<PlayerSession> = runCatching { 59 59 - logger.info("Creating session for player $uuid with identifier $identifier") 87 87 + logger.info("Creating session for player $uuid with identifier ${SecurityUtils.sanitizeForLog(identifier)}") 60 88 61 89 // Create the session via AT Protocol 62 90 val sessionResponse = client.createSession(identifier, password).getOrThrow() ··· 92 120 93 121 // Check if session needs refresh (access tokens typically expire after 2 hours) 94 122 // We'll refresh if it's been more than 1.5 hours to be safe 95 95 - val hoursSinceRefresh = (System.currentTimeMillis() - session.lastRefreshed) / (1000 * 60 * 60) 123 123 + val hoursSinceRefresh = (System.currentTimeMillis() - session.lastRefreshed) / (1000.0 * 60 * 60) 96 124 97 125 if (hoursSinceRefresh >= 1.5) { 98 98 - logger.info("Session for ${session.handle} needs refresh") 126 126 + logger.info("Session for ${session.handle} needs refresh (${String.format("%.2f", hoursSinceRefresh)} hours old)") 99 127 return refreshSession(uuid) 100 128 } 101 129 ··· 125 153 sessions[uuid] = newSession 126 154 save() 127 155 156 156 + SecurityAuditor.logSessionRefresh(uuid, oldSession.handle) 128 157 logger.info("Session refreshed successfully for ${oldSession.handle}") 129 158 newSession 130 159 } ··· 178 207 } 179 208 180 209 /** 181 181 - * Loads sessions from disk. 210 210 + * Loads sessions from disk with decryption. 211 211 + * Supports both encrypted (v2) and legacy plain text (v1) formats. 182 212 */ 183 183 - private fun load() { 213 213 + private fun load() = fileLock.read { 184 214 try { 185 215 if (Files.exists(storageFile)) { 186 186 - val content = Files.readString(storageFile) 216 216 + val fileContent = Files.readString(storageFile) 217 217 + 218 218 + // Try to decrypt first (new format) 219 219 + val content = try { 220 220 + SecurityUtils.decrypt(fileContent, encryptionKey) 221 221 + } catch (e: Exception) { 222 222 + // If decryption fails, try parsing as plain JSON (legacy format) 223 223 + logger.warn("Failed to decrypt sessions, attempting plain text read (legacy format)") 224 224 + fileContent 225 225 + } 226 226 + 187 227 val storage = json.decodeFromString<SessionStorage>(content) 188 228 189 229 storage.sessions.forEach { session -> ··· 191 231 sessions[uuid] = session 192 232 } 193 233 194 194 - logger.info("Loaded ${sessions.size} sessions from disk") 234 234 + logger.info("Loaded ${sessions.size} sessions from disk (encrypted: ${storage.version >= 2})") 235 235 + 236 236 + // If we loaded legacy format, save in new encrypted format 237 237 + if (storage.version < 2) { 238 238 + logger.info("Migrating sessions to encrypted format") 239 239 + save() 240 240 + } 195 241 } else { 196 242 logger.info("No existing session storage found, starting fresh") 197 243 } ··· 201 247 } 202 248 203 249 /** 204 204 - * Saves sessions to disk. 250 250 + * Saves sessions to disk with encryption and proper file permissions. 251 251 + * Uses atomic write pattern to prevent corruption. 205 252 */ 206 206 - private fun save() { 253 253 + private fun save() = fileLock.write { 207 254 try { 208 255 Files.createDirectories(storageFile.parent) 209 256 210 257 val storage = SessionStorage( 211 211 - version = 1, 258 258 + version = 2, // Version 2 = encrypted 212 259 sessions = sessions.values.toList() 213 260 ) 214 261 262 262 + // Serialize to JSON 215 263 val content = json.encodeToString(storage) 264 264 + 265 265 + // Encrypt the entire content 266 266 + val encrypted = SecurityUtils.encrypt(content, encryptionKey) 267 267 + 268 268 + // Atomic write: write to temp file, then rename 269 269 + val tempFile = storageFile.parent.resolve("${storageFile.fileName}.tmp") 216 270 Files.writeString( 217 217 - storageFile, 218 218 - content, 271 271 + tempFile, 272 272 + encrypted, 219 273 StandardOpenOption.CREATE, 220 274 StandardOpenOption.TRUNCATE_EXISTING 221 275 ) 222 276 223 223 - logger.debug("Saved ${sessions.size} sessions to disk") 277 277 + // Set restricted permissions on temp file 278 278 + SecurityUtils.setRestrictedPermissions(tempFile) 279 279 + 280 280 + // Atomic rename 281 281 + Files.move(tempFile, storageFile, 282 282 + java.nio.file.StandardCopyOption.REPLACE_EXISTING, 283 283 + java.nio.file.StandardCopyOption.ATOMIC_MOVE) 284 284 + 285 285 + logger.debug("Saved ${sessions.size} encrypted sessions to disk") 224 286 } catch (e: Exception) { 225 287 logger.error("Failed to save sessions", e) 226 288 }

+35 -5

src/main/kotlin/com/jollywhoppers/atproto/PlayerIdentityStore.kt

··· 1 1 package com.jollywhoppers.atproto 2 2 3 3 + import com.jollywhoppers.atproto.security.SecurityUtils 3 4 import kotlinx.serialization.Serializable 4 5 import kotlinx.serialization.json.Json 5 6 import kotlinx.serialization.encodeToString ··· 9 10 import java.nio.file.StandardOpenOption 10 11 import java.util.* 11 12 import java.util.concurrent.ConcurrentHashMap 13 13 + import java.util.concurrent.locks.ReentrantReadWriteLock 14 14 + import kotlin.concurrent.read 15 15 + import kotlin.concurrent.write 12 16 13 17 /** 14 18 * Manages the mapping between Minecraft UUIDs and AT Protocol DIDs. 15 15 - * Handles persistence to disk and in-memory caching. 19 19 + * Handles persistence to disk with proper file permissions and thread safety. 20 20 + * 21 21 + * SECURITY FEATURES: 22 22 + * - Restricted file permissions (owner-only) 23 23 + * - Atomic file writes to prevent corruption 24 24 + * - Thread-safe operations 25 25 + * - Path validation 16 26 */ 17 27 class PlayerIdentityStore(private val storageFile: Path) { 18 28 private val logger = LoggerFactory.getLogger("atproto-connect") 19 29 private val identities = ConcurrentHashMap<UUID, PlayerIdentity>() 30 30 + private val fileLock = ReentrantReadWriteLock() 20 31 21 32 private val json = Json { 22 33 prettyPrint = true ··· 39 50 ) 40 51 41 52 init { 53 53 + // Validate storage path is in expected directory 54 54 + val configDir = storageFile.parent 55 55 + if (!SecurityUtils.validatePathInDirectory(storageFile, configDir)) { 56 56 + throw SecurityException("Storage file path is outside expected directory") 57 57 + } 58 58 + 42 59 load() 60 60 + logger.info("Player identity store initialized with ${identities.size} identities") 43 61 } 44 62 45 63 /** ··· 127 145 /** 128 146 * Loads identities from disk. 129 147 */ 130 130 - private fun load() { 148 148 + private fun load() = fileLock.read { 131 149 try { 132 150 if (Files.exists(storageFile)) { 133 151 val content = Files.readString(storageFile) ··· 148 166 } 149 167 150 168 /** 151 151 - * Saves identities to disk. 169 169 + * Saves identities to disk with proper file permissions. 170 170 + * Uses atomic write pattern to prevent corruption. 152 171 */ 153 153 - private fun save() { 172 172 + private fun save() = fileLock.write { 154 173 try { 155 174 Files.createDirectories(storageFile.parent) 156 175 ··· 160 179 ) 161 180 162 181 val content = json.encodeToString(storage) 182 182 + 183 183 + // Atomic write: write to temp file, then rename 184 184 + val tempFile = storageFile.parent.resolve("${storageFile.fileName}.tmp") 163 185 Files.writeString( 164 164 - storageFile, 186 186 + tempFile, 165 187 content, 166 188 StandardOpenOption.CREATE, 167 189 StandardOpenOption.TRUNCATE_EXISTING 168 190 ) 191 191 + 192 192 + // Set restricted permissions on temp file 193 193 + SecurityUtils.setRestrictedPermissions(tempFile) 194 194 + 195 195 + // Atomic rename 196 196 + Files.move(tempFile, storageFile, 197 197 + java.nio.file.StandardCopyOption.REPLACE_EXISTING, 198 198 + java.nio.file.StandardCopyOption.ATOMIC_MOVE) 169 199 170 200 logger.debug("Saved ${identities.size} player identities to disk") 171 201 } catch (e: Exception) {

+135

src/main/kotlin/com/jollywhoppers/atproto/security/RateLimiter.kt

··· 1 1 + package com.jollywhoppers.atproto.security 2 2 + 3 3 + import org.slf4j.LoggerFactory 4 4 + import java.time.Instant 5 5 + import java.util.UUID 6 6 + import java.util.concurrent.ConcurrentHashMap 7 7 + 8 8 + /** 9 9 + * Rate limiter for authentication attempts to prevent brute force attacks. 10 10 + * Implements a sliding window rate limiter with exponential backoff. 11 11 + */ 12 12 + class RateLimiter( 13 13 + private val maxAttempts: Int = 3, 14 14 + private val windowSeconds: Long = 900, // 15 minutes 15 15 + private val lockoutSeconds: Long = 1800 // 30 minutes after max failures 16 16 + ) { 17 17 + private val logger = LoggerFactory.getLogger("atproto-connect-ratelimit") 18 18 + private val attempts = ConcurrentHashMap<UUID, MutableList<Instant>>() 19 19 + private val lockouts = ConcurrentHashMap<UUID, Instant>() 20 20 + 21 21 + data class RateLimitResult( 22 22 + val allowed: Boolean, 23 23 + val attemptsRemaining: Int, 24 24 + val resetAt: Instant?, 25 25 + val lockedUntil: Instant? 26 26 + ) 27 27 + 28 28 + /** 29 29 + * Checks if a player can make an authentication attempt. 30 30 + */ 31 31 + fun checkAttempt(uuid: UUID): RateLimitResult { 32 32 + val now = Instant.now() 33 33 + 34 34 + // Check if player is currently locked out 35 35 + val lockoutUntil = lockouts[uuid] 36 36 + if (lockoutUntil != null && now.isBefore(lockoutUntil)) { 37 37 + return RateLimitResult( 38 38 + allowed = false, 39 39 + attemptsRemaining = 0, 40 40 + resetAt = lockoutUntil, 41 41 + lockedUntil = lockoutUntil 42 42 + ) 43 43 + } else if (lockoutUntil != null) { 44 44 + // Lockout expired, remove it 45 45 + lockouts.remove(uuid) 46 46 + attempts.remove(uuid) 47 47 + } 48 48 + 49 49 + // Get recent attempts within the window 50 50 + val playerAttempts = attempts.getOrPut(uuid) { mutableListOf() } 51 51 + val windowStart = now.minusSeconds(windowSeconds) 52 52 + 53 53 + // Remove old attempts outside the window 54 54 + playerAttempts.removeIf { it.isBefore(windowStart) } 55 55 + 56 56 + val attemptsInWindow = playerAttempts.size 57 57 + val remaining = maxAttempts - attemptsInWindow 58 58 + 59 59 + if (attemptsInWindow >= maxAttempts) { 60 60 + // Too many attempts, lock out 61 61 + val lockUntil = now.plusSeconds(lockoutSeconds) 62 62 + lockouts[uuid] = lockUntil 63 63 + logger.warn("Player $uuid locked out due to too many failed authentication attempts until $lockUntil") 64 64 + 65 65 + return RateLimitResult( 66 66 + allowed = false, 67 67 + attemptsRemaining = 0, 68 68 + resetAt = lockUntil, 69 69 + lockedUntil = lockUntil 70 70 + ) 71 71 + } 72 72 + 73 73 + return RateLimitResult( 74 74 + allowed = true, 75 75 + attemptsRemaining = remaining, 76 76 + resetAt = if (playerAttempts.isNotEmpty()) playerAttempts.first().plusSeconds(windowSeconds) else null, 77 77 + lockedUntil = null 78 78 + ) 79 79 + } 80 80 + 81 81 + /** 82 82 + * Records a failed authentication attempt. 83 83 + */ 84 84 + fun recordFailure(uuid: UUID) { 85 85 + val playerAttempts = attempts.getOrPut(uuid) { mutableListOf() } 86 86 + playerAttempts.add(Instant.now()) 87 87 + logger.debug("Recorded failed authentication attempt for player $uuid (${playerAttempts.size} in window)") 88 88 + } 89 89 + 90 90 + /** 91 91 + * Records a successful authentication (clears attempts). 92 92 + */ 93 93 + fun recordSuccess(uuid: UUID) { 94 94 + attempts.remove(uuid) 95 95 + lockouts.remove(uuid) 96 96 + logger.debug("Cleared authentication attempts for player $uuid after successful login") 97 97 + } 98 98 + 99 99 + /** 100 100 + * Manually clears rate limit for a player (admin use). 101 101 + */ 102 102 + fun clearLimit(uuid: UUID) { 103 103 + attempts.remove(uuid) 104 104 + lockouts.remove(uuid) 105 105 + logger.info("Manually cleared rate limit for player $uuid") 106 106 + } 107 107 + 108 108 + /** 109 109 + * Gets current status for a player. 110 110 + */ 111 111 + fun getStatus(uuid: UUID): RateLimitResult { 112 112 + return checkAttempt(uuid) 113 113 + } 114 114 + 115 115 + /** 116 116 + * Cleanup old entries periodically. 117 117 + */ 118 118 + fun cleanup() { 119 119 + val now = Instant.now() 120 120 + val windowStart = now.minusSeconds(windowSeconds) 121 121 + 122 122 + // Clean up attempts 123 123 + attempts.entries.removeIf { (uuid, attemptList) -> 124 124 + attemptList.removeIf { it.isBefore(windowStart) } 125 125 + attemptList.isEmpty() 126 126 + } 127 127 + 128 128 + // Clean up expired lockouts 129 129 + lockouts.entries.removeIf { (_, until) -> 130 130 + now.isAfter(until) 131 131 + } 132 132 + 133 133 + logger.debug("Rate limiter cleanup: ${attempts.size} active players, ${lockouts.size} locked out") 134 134 + } 135 135 + }

+84

src/main/kotlin/com/jollywhoppers/atproto/security/SecurityAuditor.kt

··· 1 1 + package com.jollywhoppers.atproto.security 2 2 + 3 3 + import org.slf4j.LoggerFactory 4 4 + import java.nio.file.Files 5 5 + import java.nio.file.Path 6 6 + import java.nio.file.StandardOpenOption 7 7 + import java.time.Instant 8 8 + import java.util.UUID 9 9 + 10 10 + /** 11 11 + * Security audit logger for tracking authentication and security events. 12 12 + * Logs are stored separately from application logs for security analysis. 13 13 + */ 14 14 + object SecurityAuditor { 15 15 + private val logger = LoggerFactory.getLogger("atproto-connect-audit") 16 16 + private lateinit var auditFile: Path 17 17 + private var initialized = false 18 18 + 19 19 + fun initialize(configDir: Path) { 20 20 + auditFile = configDir.resolve("security-audit.log") 21 21 + initialized = true 22 22 + log("SYSTEM", null, "Security auditor initialized", null) 23 23 + } 24 24 + 25 25 + fun logAuthSuccess(uuid: UUID, handle: String, playerName: String, ip: String? = null) { 26 26 + log("AUTH_SUCCESS", uuid, "Authenticated as $handle (player: $playerName)", ip) 27 27 + } 28 28 + 29 29 + fun logAuthFailure(uuid: UUID, identifier: String, reason: String, playerName: String, ip: String? = null) { 30 30 + log("AUTH_FAILURE", uuid, "Failed login attempt for $identifier by $playerName: $reason", ip) 31 31 + } 32 32 + 33 33 + fun logRateLimitHit(uuid: UUID, playerName: String, ip: String? = null) { 34 34 + log("RATE_LIMIT", uuid, "Rate limit exceeded for $playerName", ip) 35 35 + } 36 36 + 37 37 + fun logRateLimitLockout(uuid: UUID, playerName: String, minutesRemaining: Long, ip: String? = null) { 38 38 + log("RATE_LIMIT_LOCKOUT", uuid, "Player $playerName locked out for $minutesRemaining minutes", ip) 39 39 + } 40 40 + 41 41 + fun logIdentityLink(uuid: UUID, handle: String, playerName: String) { 42 42 + log("IDENTITY_LINK", uuid, "Player $playerName linked to $handle", null) 43 43 + } 44 44 + 45 45 + fun logIdentityUnlink(uuid: UUID, handle: String, playerName: String) { 46 46 + log("IDENTITY_UNLINK", uuid, "Player $playerName unlinked from $handle", null) 47 47 + } 48 48 + 49 49 + fun logSessionRefresh(uuid: UUID, handle: String) { 50 50 + log("SESSION_REFRESH", uuid, "Session refreshed for $handle", null) 51 51 + } 52 52 + 53 53 + fun logLogout(uuid: UUID, handle: String, playerName: String) { 54 54 + log("LOGOUT", uuid, "Player $playerName ($handle) logged out", null) 55 55 + } 56 56 + 57 57 + fun logSuspiciousActivity(uuid: UUID?, message: String, ip: String? = null) { 58 58 + log("SUSPICIOUS", uuid, message, ip) 59 59 + } 60 60 + 61 61 + private fun log(event: String, uuid: UUID?, message: String, ip: String?) { 62 62 + if (!initialized) { 63 63 + logger.warn("Security auditor not initialized, skipping log: $event $message") 64 64 + return 65 65 + } 66 66 + 67 67 + val timestamp = Instant.now().toString() 68 68 + val uuidStr = uuid?.toString() ?: "SYSTEM" 69 69 + val ipStr = ip?.let { " IP=$it" } ?: "" 70 70 + val entry = "[$timestamp] $event UUID=$uuidStr$ipStr $message\n" 71 71 + 72 72 + try { 73 73 + Files.writeString( 74 74 + auditFile, 75 75 + entry, 76 76 + StandardOpenOption.CREATE, 77 77 + StandardOpenOption.APPEND 78 78 + ) 79 79 + logger.info("AUDIT: $event UUID=$uuidStr $message") 80 80 + } catch (e: Exception) { 81 81 + logger.error("Failed to write audit log", e) 82 82 + } 83 83 + } 84 84 + }

+171

src/main/kotlin/com/jollywhoppers/atproto/security/SecurityUtils.kt

··· 1 1 + package com.jollywhoppers.atproto.security 2 2 + 3 3 + import kotlinx.serialization.Serializable 4 4 + import kotlinx.serialization.encodeToString 5 5 + import kotlinx.serialization.decodeFromString 6 6 + import kotlinx.serialization.json.Json 7 7 + import org.slf4j.LoggerFactory 8 8 + import java.nio.file.Files 9 9 + import java.nio.file.Path 10 10 + import java.nio.file.StandardOpenOption 11 11 + import java.nio.file.attribute.PosixFilePermission 12 12 + import java.security.SecureRandom 13 13 + import java.util.Base64 14 14 + import javax.crypto.Cipher 15 15 + import javax.crypto.KeyGenerator 16 16 + import javax.crypto.SecretKey 17 17 + import javax.crypto.spec.GCMParameterSpec 18 18 + import javax.crypto.spec.SecretKeySpec 19 19 + 20 20 + /** 21 21 + * Security utilities for encrypting sensitive data and managing file permissions. 22 22 + * Uses AES-256-GCM for encryption with authenticated encryption. 23 23 + */ 24 24 + object SecurityUtils { 25 25 + private val logger = LoggerFactory.getLogger("atproto-connect-security") 26 26 + private const val ALGORITHM = "AES/GCM/NoPadding" 27 27 + private const val KEY_SIZE = 256 28 28 + private const val IV_SIZE = 12 29 29 + private const val TAG_SIZE = 128 30 30 + 31 31 + @Serializable 32 32 + private data class EncryptedData( 33 33 + val iv: String, 34 34 + val ciphertext: String 35 35 + ) 36 36 + 37 37 + /** 38 38 + * Generates a new AES-256 encryption key. 39 39 + */ 40 40 + fun generateKey(): SecretKey { 41 41 + val keyGen = KeyGenerator.getInstance("AES") 42 42 + keyGen.init(KEY_SIZE, SecureRandom()) 43 43 + return keyGen.generateKey() 44 44 + } 45 45 + 46 46 + /** 47 47 + * Loads or generates the server's encryption key. 48 48 + * Stores the key in a secure file with restricted permissions. 49 49 + */ 50 50 + fun loadOrGenerateServerKey(keyFile: Path): SecretKey { 51 51 + return if (Files.exists(keyFile)) { 52 52 + try { 53 53 + val encodedKey = Files.readAllBytes(keyFile) 54 54 + SecretKeySpec(encodedKey, "AES") 55 55 + } catch (e: Exception) { 56 56 + logger.warn("Failed to load existing key, generating new one", e) 57 57 + generateAndStoreKey(keyFile) 58 58 + } 59 59 + } else { 60 60 + generateAndStoreKey(keyFile) 61 61 + } 62 62 + } 63 63 + 64 64 + private fun generateAndStoreKey(keyFile: Path): SecretKey { 65 65 + val key = generateKey() 66 66 + Files.createDirectories(keyFile.parent) 67 67 + Files.write(keyFile, key.encoded, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING) 68 68 + setRestrictedPermissions(keyFile) 69 69 + logger.info("Generated new server encryption key") 70 70 + return key 71 71 + } 72 72 + 73 73 + /** 74 74 + * Encrypts sensitive data using AES-256-GCM. 75 75 + * Returns a base64-encoded JSON object containing IV and ciphertext. 76 76 + */ 77 77 + fun encrypt(data: String, key: SecretKey): String { 78 78 + val cipher = Cipher.getInstance(ALGORITHM) 79 79 + val iv = ByteArray(IV_SIZE) 80 80 + SecureRandom().nextBytes(iv) 81 81 + 82 82 + val spec = GCMParameterSpec(TAG_SIZE, iv) 83 83 + cipher.init(Cipher.ENCRYPT_MODE, key, spec) 84 84 + 85 85 + val ciphertext = cipher.doFinal(data.toByteArray(Charsets.UTF_8)) 86 86 + 87 87 + val encrypted = EncryptedData( 88 88 + iv = Base64.getEncoder().encodeToString(iv), 89 89 + ciphertext = Base64.getEncoder().encodeToString(ciphertext) 90 90 + ) 91 91 + 92 92 + return Json.encodeToString(encrypted) 93 93 + } 94 94 + 95 95 + /** 96 96 + * Decrypts data encrypted with encrypt(). 97 97 + */ 98 98 + fun decrypt(encryptedJson: String, key: SecretKey): String { 99 99 + val encrypted = Json.decodeFromString<EncryptedData>(encryptedJson) 100 100 + 101 101 + val cipher = Cipher.getInstance(ALGORITHM) 102 102 + val iv = Base64.getDecoder().decode(encrypted.iv) 103 103 + val ciphertext = Base64.getDecoder().decode(encrypted.ciphertext) 104 104 + 105 105 + val spec = GCMParameterSpec(TAG_SIZE, iv) 106 106 + cipher.init(Cipher.DECRYPT_MODE, key, spec) 107 107 + 108 108 + val plaintext = cipher.doFinal(ciphertext) 109 109 + return String(plaintext, Charsets.UTF_8) 110 110 + } 111 111 + 112 112 + /** 113 113 + * Sets file permissions to owner-only read/write (0600 on Unix). 114 114 + * On Windows, sets to owner-only access. 115 115 + */ 116 116 + fun setRestrictedPermissions(file: Path) { 117 117 + try { 118 118 + // Try POSIX permissions first (Linux, macOS) 119 119 + val perms = setOf( 120 120 + PosixFilePermission.OWNER_READ, 121 121 + PosixFilePermission.OWNER_WRITE 122 122 + ) 123 123 + Files.setPosixFilePermissions(file, perms) 124 124 + logger.debug("Set POSIX permissions (0600) on ${file.fileName}") 125 125 + } catch (e: UnsupportedOperationException) { 126 126 + // Fall back to basic file permissions (Windows) 127 127 + try { 128 128 + val javaFile = file.toFile() 129 129 + javaFile.setReadable(true, true) 130 130 + javaFile.setWritable(true, true) 131 131 + javaFile.setExecutable(false, false) 132 132 + logger.debug("Set basic file permissions on ${javaFile.name}") 133 133 + } catch (ex: Exception) { 134 134 + logger.warn("Failed to set file permissions on ${file.fileName}", ex) 135 135 + } 136 136 + } catch (e: Exception) { 137 137 + logger.warn("Failed to set POSIX permissions on ${file.fileName}", e) 138 138 + } 139 139 + } 140 140 + 141 141 + /** 142 142 + * Sanitizes a string for safe logging (removes sensitive parts). 143 143 + */ 144 144 + fun sanitizeForLog(input: String): String { 145 145 + return when { 146 146 + input.length <= 8 -> "***" 147 147 + else -> "${input.take(4)}...${input.takeLast(4)}" 148 148 + } 149 149 + } 150 150 + 151 151 + /** 152 152 + * Validates that a path is within an expected parent directory. 153 153 + * Prevents path traversal attacks. 154 154 + */ 155 155 + fun validatePathInDirectory(path: Path, parentDir: Path): Boolean { 156 156 + return try { 157 157 + val normalized = path.normalize().toAbsolutePath() 158 158 + val parent = parentDir.normalize().toAbsolutePath() 159 159 + normalized.startsWith(parent) 160 160 + } catch (e: Exception) { 161 161 + false 162 162 + } 163 163 + } 164 164 + 165 165 + /** 166 166 + * Securely clears a CharArray (for passwords). 167 167 + */ 168 168 + fun clearCharArray(array: CharArray) { 169 169 + array.fill('\u0000') 170 170 + } 171 171 + }