From dd417ae6460ed63174cd67bebbdaefc97ba1e4b8 Mon Sep 17 00:00:00 2001
From: xiaomlove <1939737565@qq.com>
Date: Wed, 12 Mar 2025 23:48:10 +0800
Subject: [PATCH] ammds approve
---
 .env.example | 1 +
 app/Console/Commands/Test.php | 3 +-
 .../Controllers/AuthenticateController.php | 20 +++++++++++++
 app/Repositories/AuthenticateRepository.php | 29 +++++++++++++++++++
 routes/third-party.php | 1 +
 5 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/.env.example b/.env.example
index 01a215c2..9fcd97fb 100644
--- a/.env.example
+++ b/.env.example
@@ -83,6 +83,7 @@ UID_STARTS=10001
 PHP_PATH=
 NAS_TOOLS_KEY=
 IYUU_SECRET=
+AMMDS_SECRET=
 MEILISEARCH_SCHEME=http
 MEILISEARCH_HOST=127.0.0.1
diff --git a/app/Console/Commands/Test.php b/app/Console/Commands/Test.php
index a0b27566..a1ccba8d 100644
--- a/app/Console/Commands/Test.php
+++ b/app/Console/Commands/Test.php
@@ -103,8 +103,7 @@ class Test extends Command
 */
 public function handle()
 {
- $with = ["ss" => function($query) {$query->orWhere("mode", 0);}];
- $r = SearchBox::query()->with($with)->find(4);
+ $r = microtime();
 // $r = SearchBox::query()->find(4)->ss()->orWhere("mode", 0)->get();
 dd($r);
 }
diff --git a/app/Http/Controllers/AuthenticateController.php b/app/Http/Controllers/AuthenticateController.php
index 85a0bc82..7606419d 100644
--- a/app/Http/Controllers/AuthenticateController.php
+++ b/app/Http/Controllers/AuthenticateController.php
@@ -106,6 +106,26 @@ class AuthenticateController extends Controller
 }
 }
+ public function ammdsApprove(Request $request)
+ {
+ try {
+ $request->validate([
+ 'uid' => 'required|integer',
+ 'timestamp' => 'required|integer',
+ 'nonce' => 'required|string',
+ 'signature' => 'required|string',
+ ]);
+ $user = $this->repository->ammdsApprove($request);
+ $resource = new UserResource($user);
+ return $this->success($resource);
+ } catch (\Exception $exception) {
+ $msg = $exception->getMessage();
+ $params = $request->all();
+ do_log(sprintf("ammdsApprove fail: %s, params: %s", $msg, nexus_json_encode($params)));
+ return $this->fail($params, $msg);
+ }
+ }
+
 public function addToken(Request $request)
 {
 try {
diff --git a/app/Repositories/AuthenticateRepository.php b/app/Repositories/AuthenticateRepository.php
index 26df1814..f66e3236 100644
--- a/app/Repositories/AuthenticateRepository.php
+++ b/app/Repositories/AuthenticateRepository.php
@@ -5,6 +5,8 @@ use App\Http\Resources\UserResource;
 use App\Models\User;
 use Carbon\Carbon;
 use Illuminate\Encryption\Encrypter;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Validation\UnauthorizedException;
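Review bot: In `AuthenticateController::ammdsApprove`, the catch block passes `$exception->getMessage()` straight to `$this->fail()`, so, assuming `fail()` returns it in the response, a caller without a valid signature sees a different message for an unknown uid (thrown by `findOrFail` in the repository), for an account rejected by `checkIsNormal()`, and for a bad signature, which lets the endpoint be used to tell which uids exist. Returning one fixed message for every failure, e.g. `return $this->fail($params, "approve failed");` (message text is a placeholder), and keeping the detail only in `do_log` removes that difference. The validation rules also put no upper bound on `nonce` or `signature`; since the nonce becomes a cache key before anything is authenticated, a cap such as `'nonce' => 'required|string|max:64'` (limit to be agreed with the client) would be worth adding.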
@@ -72,4 +74,31 @@ class AuthenticateRepository extends BaseRepository
 }
 return true;
 }
+
+ public function ammdsApprove(Request $request)
+ {
+ $now = Carbon::now();
+ if (abs($now->getTimestampMs() - $request->timestamp) > 300 * 1000) {
+ throw new \InvalidArgumentException("expired.");
+ }
+ $cacheKey = sprintf("ammdsApprove:%s", $request->nonce);
+ if (Cache::has($cacheKey)) {
+ throw new \InvalidArgumentException("duplicate.");
+ }
+ Cache::put($cacheKey, 1, 600);
+ $user = User::query()->findOrFail($request->uid, User::$commonFields);
+ $user->checkIsNormal();
+ $passkeyHash = hash('sha256', $user->passkey);
+ $dataToSign = sprintf("%s%s%s%s", $user->id, $passkeyHash, $request->timestamp, $request->nonce);
+ $signatureKey = env('AMMDS_SECRET');
+ $serverSignature = hash_hmac('sha256', $dataToSign, $signatureKey);
+ if (!hash_equals($serverSignature, $request->signature)) {
+ do_log(sprintf(
+ "uid: %s, passkey_hash: %s, timestamp: %s, nonce: %s, dataToSign: %s, signatureKey: %s, serverSignature: %s, requestSignature: %s, !hash_equals",
+ $user->id, $passkeyHash, $request->timestamp, $request->nonce, $dataToSign, $signatureKey, $serverSignature, $request->signature
+ ));
+ throw new \InvalidArgumentException("Invalid signature.");
+ }
+ return $user;
+ }
 }
diff --git a/routes/third-party.php b/routes/third-party.php
index 320793e1..071e188a 100644
--- a/routes/third-party.php
+++ b/routes/third-party.php
@@ -3,4 +3,5 @@ use Illuminate\Support\Facades\Route;
 Route::post('nastools/approve', [\App\Http\Controllers\AuthenticateController::class, 'nasToolsApprove']);
 Route::get('iyuu/approve', [\App\Http\Controllers\AuthenticateController::class, 'iyuuApprove']);
+Route::post('ammds/approve', [\App\Http\Controllers\AuthenticateController::class, 'ammdsApprove']);
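Review bot: In `AuthenticateRepository::ammdsApprove`, the signature-mismatch branch writes `$signatureKey` (the value of `AMMDS_SECRET`), `$dataToSign` and `$serverSignature` (the signature that would have been accepted) to the log through `do_log`, so a single bad request from anyone leaves the shared secret readable by everyone with log access; these fields should be dropped from the message. Two further gaps sit in the same method: `env('AMMDS_SECRET')` is used unchecked, and because `.env.example` ships it empty an unconfigured site would compute the HMAC with an empty key, and the nonce is recorded with `Cache::has()` followed by `Cache::put()` before the signature is verified, which is not atomic and lets unsigned requests fill the cache. The sketch below fails closed on a missing secret and claims the nonce with `Cache::add()` only after `hash_equals` passes.

```php
public function ammdsApprove(Request $request)
{
    // … unchanged: timestamp window check …
    $signatureKey = env('AMMDS_SECRET');
    if (!is_string($signatureKey) || $signatureKey === '') {
        // Fail closed: never sign with an empty or missing key.
        throw new \RuntimeException("ammds approve is not configured.");
    }
    // … unchanged: user lookup, checkIsNormal(), $passkeyHash, $dataToSign …
    $serverSignature = hash_hmac('sha256', $dataToSign, $signatureKey);
    if (!hash_equals($serverSignature, $request->signature)) {
        // Log only what is needed to trace the request; no key, no expected signature.
        do_log(sprintf(
            "ammdsApprove signature mismatch, uid: %s, timestamp: %s, nonce: %s",
            $user->id, $request->timestamp, $request->nonce
        ));
        throw new \InvalidArgumentException("Invalid signature.");
    }
    // Claim the nonce only for verified requests; add() is a single check-and-set.
    $cacheKey = sprintf("ammdsApprove:%s", $request->nonce);
    if (!Cache::add($cacheKey, 1, 600)) {
        throw new \InvalidArgumentException("duplicate.");
    }
    return $user;
}
```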