[s] BeeAuth: Session creation nonce checking, Better Input validation #37
Merged
Pull Request Overview
This PR implements a session‐creation nonce to prevent replay or proxy attacks by validating a randomized token tied to an IP and port, and expires it after a configurable period.
- Introduces a new `SessionCreationNonce` model with validation and automatic cleanup.
- Adds `nonce-valid-duration` to the API configuration.
- Updates the Discord OAuth flow to include nonce generation, transmission, and validation.
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/bapi/db.py | Added SessionCreationNonce model and its is_valid_session_creation method |
| src/bapi/config/api.yml | Added nonce-valid-duration configuration entry |
| src/bapi/blueprints/discord.py | Extended auth routes to pass and verify nonces; improved input checks |
Comments suppressed due to low confidence (1)
src/bapi/blueprints/discord.py:96
- The nested double quotes inside the f-string will cause a syntax error. Use single quotes or escape inner quotes, for example: `f"{reason_invalid or 'invalid'} nonce.{notice}"`.

`return jsonify({"error": f"{reason_invalid or "invalid"} nonce.{notice}"}), 401`
Crossedfall
approved these changes
Jun 30, 2025
Mitigates a potential attack where a copycat server directs the user to authenticate against bapi, replacing the (unverified) IP address query with the attacker's IP address, thus granting the owner of the copycat server a valid session token for their IP address to connect to our actual servers with.
Now, all session create requests are validated against a nonce stored in the game database. The nonce is issued when a player requests authentication, and includes IP and seeker port. The nonce expires after a configurable period, currently 4 minutes, making cracking or re-using nonces implausible.
`isdigit()` does not match `\d+`. ip string needs to be consistent with that provided to nonce, so we pass it along unchanged.

Used or expired nonces are deleted to prevent re-use.
testing fake nonce

testing expired nonce
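
The check described in the PR text above, sketched as an added example that is not the project's code: a single-use nonce bound to the IP and seeker port it was issued for, rejected once it is older than the validity window. `NonceStore`, its in-memory dict (standing in for the game database table), the reason strings, and the choice to delete a nonce on any lookup are assumptions made for this illustration.

```python
import secrets
import time

NONCE_VALID_SECONDS = 240  # the PR text gives 4 minutes; the value is configurable there


class NonceStore:
    """In-memory stand-in for the database table (assumption for this example)."""

    def __init__(self, valid_seconds=NONCE_VALID_SECONDS, clock=time.monotonic):
        self._valid = valid_seconds
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._rows = {}      # nonce -> (ip, port, issued_at)

    def issue(self, ip, port):
        """Called when the player requests authentication."""
        nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[nonce] = (ip, port, self._clock())
        return nonce

    def consume(self, nonce, ip, port):
        """Return None if the session may be created, else a reason string.

        The row is popped before any check, so a nonce that was used,
        expired, or presented with the wrong ip/port cannot be tried again.
        """
        row = self._rows.pop(nonce, None)
        if row is None:
            return "unknown"
        bound_ip, bound_port, issued_at = row
        if self._clock() - issued_at > self._valid:
            return "expired"
        # Compare the strings exactly as issued; normalising ip or port here
        # would let the callback value drift from what the nonce was bound to.
        if (bound_ip, bound_port) != (ip, port):
            return "mismatched"
        return None

    def purge_expired(self):
        """Periodic cleanup of nonces that were issued but never presented."""
        cutoff = self._clock() - self._valid
        stale = [n for n, (_, _, t) in self._rows.items() if t < cutoff]
        for n in stale:
            del self._rows[n]
        return len(stale)
```
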
