ammds approve

.env.example

@@ -83,6 +83,7 @@ UID_STARTS=10001
 PHP_PATH=
 NAS_TOOLS_KEY=
 IYUU_SECRET=
+AMMDS_SECRET=
 
 MEILISEARCH_SCHEME=http
 MEILISEARCH_HOST=127.0.0.1

app/Console/Commands/Test.php

@@ -103,8 +103,7 @@ class Test extends Command
      */
     public function handle()
     {
-        $with = ["ss" => function($query) {$query->orWhere("mode", 0);}];
+        $r = microtime();
-        $r = SearchBox::query()->with($with)->find(4);
 //        $r = SearchBox::query()->find(4)->ss()->orWhere("mode", 0)->get();
         dd($r);
     }

app/Http/Controllers/AuthenticateController.php

@@ -106,6 +106,26 @@ class AuthenticateController extends Controller
         }
     }
 
+    public function ammdsApprove(Request $request)
+    {
+        try {
+            $request->validate([
+                'uid' => 'required|integer',
+                'timestamp' => 'required|integer',
+                'nonce' => 'required|string',
+                'signature' => 'required|string',
+            ]);
+            $user = $this->repository->ammdsApprove($request);
+            $resource = new UserResource($user);
+            return $this->success($resource);
+        } catch (\Exception $exception) {
+            $msg = $exception->getMessage();
+            $params = $request->all();
+            do_log(sprintf("ammdsApprove fail: %s, params: %s", $msg, nexus_json_encode($params)));
+            return $this->fail($params, $msg);
+        }
+    }
+
     public function addToken(Request $request)
     {
         try {

app/Repositories/AuthenticateRepository.php

@@ -5,6 +5,8 @@ use App\Http\Resources\UserResource;
 use App\Models\User;
 use Carbon\Carbon;
 use Illuminate\Encryption\Encrypter;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Validation\UnauthorizedException;
 
@@ -72,4 +74,31 @@ class AuthenticateRepository extends BaseRepository
         }
         return true;
     }
+
+    public function ammdsApprove(Request $request)
+    {
+        $now = Carbon::now();
+        if (abs($now->getTimestampMs() - $request->timestamp) > 300 * 1000) {
+            throw new \InvalidArgumentException("expired.");
+        }
+        $cacheKey = sprintf("ammdsApprove:%s", $request->nonce);
+        if (Cache::has($cacheKey)) {
+            throw new \InvalidArgumentException("duplicate.");
+        }
+        Cache::put($cacheKey, 1, 600);
+        $user = User::query()->findOrFail($request->uid, User::$commonFields);
+        $user->checkIsNormal();
+        $passkeyHash = hash('sha256', $user->passkey);
+        $dataToSign = sprintf("%s%s%s%s", $user->id, $passkeyHash, $request->timestamp, $request->nonce);
+        $signatureKey = env('AMMDS_SECRET');
+        $serverSignature = hash_hmac('sha256', $dataToSign, $signatureKey);
+        if (!hash_equals($serverSignature, $request->signature)) {
+            do_log(sprintf(
+                "uid: %s, passkey_hash: %s, timestamp: %s, nonce: %s, dataToSign: %s, signatureKey: %s, serverSignature: %s, requestSignature: %s, !hash_equals",
+                $user->id, $passkeyHash, $request->timestamp, $request->nonce, $dataToSign, $signatureKey, $serverSignature, $request->signature
+            ));
+            throw new \InvalidArgumentException("Invalid signature.");
+        }
+        return $user;
+    }
 }

routes/third-party.php

@@ -3,4 +3,5 @@ use Illuminate\Support\Facades\Route;
 
 Route::post('nastools/approve', [\App\Http\Controllers\AuthenticateController::class, 'nasToolsApprove']);
 Route::get('iyuu/approve', [\App\Http\Controllers\AuthenticateController::class, 'iyuuApprove']);
+Route::post('ammds/approve', [\App\Http\Controllers\AuthenticateController::class, 'ammdsApprove']);