Add readonly parameter to game_data_token

To prevent modified servers to try to save player data with a dev token

Author: SirLynix

src/data/game_data_token.rs

@@ -3,10 +3,16 @@ use std::time::Duration;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 
+fn default_as_false() -> bool {
+    false
+}
+
 #[derive(Debug, Serialize, Deserialize)]
 pub struct GameDataToken {
     pub player_db_id: i32,
     pub player_uuid: Uuid,
+    #[serde(default = "default_as_false")]
+    pub is_readonly: bool,
     // JWT fields
     pub exp: u64,
     pub iat: u64,
@@ -15,22 +21,39 @@ pub struct GameDataToken {
 
 impl GameDataToken {
     #[inline]
-    pub fn new_access(player_db_id: i32, player_uuid: Uuid, duration: Duration) -> Self {
-        Self::new("access", player_db_id, player_uuid, duration)
+    pub fn new_access(
+        player_db_id: i32,
+        player_uuid: Uuid,
+        duration: Duration,
+        is_readonly: bool,
+    ) -> Self {
+        Self::new("access", player_db_id, player_uuid, duration, is_readonly)
     }
 
     #[inline]
-    pub fn new_refresh(player_db_id: i32, player_uuid: Uuid, duration: Duration) -> Self {
-        Self::new("refresh", player_db_id, player_uuid, duration)
+    pub fn new_refresh(
+        player_db_id: i32,
+        player_uuid: Uuid,
+        duration: Duration,
+        is_readonly: bool,
+    ) -> Self {
+        Self::new("refresh", player_db_id, player_uuid, duration, is_readonly)
     }
 
-    fn new(token_type: &str, player_db_id: i32, player_uuid: Uuid, duration: Duration) -> Self {
+    fn new(
+        token_type: &str,
+        player_db_id: i32,
+        player_uuid: Uuid,
+        duration: Duration,
+        is_readonly: bool,
+    ) -> Self {
         debug_assert!(valid_token_type(token_type));
 
         let now = jsonwebtoken::get_current_timestamp();
         Self {
             player_db_id,
             player_uuid,
+            is_readonly,
             exp: now + duration.as_secs(),
             iat: now,
             sub: token_type.to_string(),

src/routes/connection.rs

@@ -76,8 +76,12 @@ async fn game_connect(
 
     let player_data = PlayerData::new(uuid, nickname, permissions);
 
-    let refresh_token =
-        GameDataToken::new_refresh(player_id, uuid, config.game_api_refresh_token_duration);
+    let refresh_token = GameDataToken::new_refresh(
+        player_id,
+        uuid,
+        config.game_api_refresh_token_duration,
+        is_dev,
+    );
     let refresh_token_jwt = jsonwebtoken::encode(
         &Header::default(),
         &refresh_token,

src/routes/game_server.rs

@@ -77,11 +77,13 @@ async fn refresh_access_token(
         refresh_token.player_db_id,
         refresh_token.player_uuid,
         config.game_api_access_token_duration,
+        refresh_token.is_readonly,
     );
     let refresh_token = GameDataToken::new_refresh(
         refresh_token.player_db_id,
         refresh_token.player_uuid,
         config.game_api_refresh_token_duration,
+        refresh_token.is_readonly,
     );
 
     let access_token_jwt = jsonwebtoken::encode(
@@ -150,6 +152,12 @@ async fn player_ship_patch(
     pg_pool: web::Data<deadpool_postgres::Pool>,
 ) -> Result<impl Responder, RouteError> {
     let access_token = validate_token(&req, &config, "access")?;
+    if access_token.is_readonly {
+        return Err(RouteError::InvalidRequest(
+            ServerErrorCode::InvalidToken(Some("Token is readonly".into())),
+            "Token only allows for readonly access to the player data".to_string(),
+        ));
+    }
 
     let pg_client = pg_pool.get().await?;
     let insert_player_ship = pg_client