use u16Secret for mycard auth

33a6b9fc · nanahira · 8e8fbcdc · 33a6b9fc · 33a6b9fc
Commit 33a6b9fc authored Dec 27, 2025 by nanahira
Hide whitespace changes
Inline Side-by-side

Showing with 112 additions and 87 deletions

ygopro-server.coffee ygopro-server.coffee +49 -37

ygopro-server.js ygopro-server.js +63 -50

No files found.
--- a/ygopro-server.coffee
+++ b/ygopro-server.coffee
@@ -212,7 +212,7 @@ real_windbot_server_ip = null
 long_resolve_cards = []
 ReplayParser = null
 athleticChecker = null
-users_cache = {}
+# users_cache = {}
 geoip = null
 dataManager = null
 windbots = []
@@ -471,25 +471,25 @@ init = () ->
    geoip = require('geoip-country-lite')
  if settings.modules.mycard.enabled
-    pgClient = require('pg').Client
+    # pgClient = require('pg').Client
-    pg_client = global.pg_client = new pgClient(settings.modules.mycard.auth_database)
+    # pg_client = global.pg_client = new pgClient(settings.modules.mycard.auth_database)
-    pg_client.on 'error', (err) ->
+    # pg_client.on 'error', (err) ->
-      log.warn "PostgreSQL ERROR: ", err
+    #   log.warn "PostgreSQL ERROR: ", err
-      return
+    #   return
-    pg_query = pg_client.query('SELECT username, id from users')
+    # pg_query = pg_client.query('SELECT username, id from users')
-    pg_query.on 'error', (err) ->
+    # pg_query.on 'error', (err) ->
-      log.warn "PostgreSQL Query ERROR: ", err
+    #   log.warn "PostgreSQL Query ERROR: ", err
-      return
+    #   return
-    pg_query.on 'row', (row) ->
+    # pg_query.on 'row', (row) ->
-      #log.info "load user", row.username, row.id
+    #   #log.info "load user", row.username, row.id
-      users_cache[row.username] = row.id
+    #   users_cache[row.username] = row.id
-      return
+    #   return
-    pg_query.on 'end', (result) ->
+    # pg_query.on 'end', (result) ->
-      log.info "users loaded", result.rowCount
+    #   log.info "users loaded", result.rowCount
-      return
+    #   return
-    pg_client.on 'drain', pg_client.end.bind(pg_client)
+    # pg_client.on 'drain', pg_client.end.bind(pg_client)
-    log.info "loading mycard user..."
+    # log.info "loading mycard user..."
-    pg_client.connect()
+    # pg_client.connect()
    if settings.modules.arena_mode.enabled and settings.modules.arena_mode.init_post.enabled
      postData = qs.stringify({
        ak: settings.modules.arena_mode.init_post.accesskey,
@@ -2422,13 +2422,13 @@ ygopro.ctos_follow 'JOIN_GAME', true, (buffer, info, client, server, datas)->
    decrypted_buffer = null
-    if id = users_cache[client.name]
+    # if id = users_cache[client.name]
-      secret = id % 65535 + 1
+    #   secret = id % 65535 + 1
-      decrypted_buffer = Buffer.allocUnsafe(6)
+    #   decrypted_buffer = Buffer.allocUnsafe(6)
-      for i in [0, 2, 4]
+    #   for i in [0, 2, 4]
-        decrypted_buffer.writeUInt16LE(buffer.readUInt16LE(i) ^ secret, i)
+    #     decrypted_buffer.writeUInt16LE(buffer.readUInt16LE(i) ^ secret, i)
-      if check_buffer_indentity(decrypted_buffer)
+    #   if check_buffer_indentity(decrypted_buffer)
-        return create_room_with_action(decrypted_buffer, decrypted_buffer)
+    #     return create_room_with_action(decrypted_buffer, decrypted_buffer)
    try
      userUrl = "#{settings.modules.mycard.auth_base_url}/users/#{encodeURIComponent(client.name)}.json"
@@ -2438,8 +2438,8 @@ ygopro.ctos_follow 'JOIN_GAME', true, (buffer, info, client, server, datas)->
        timeout: 4000
        params:
          api_key: settings.modules.mycard.auth_key,
-          api_username: client.name,
+          # api_username: client.name,
-          skip_track_visit: true
+          # skip_track_visit: true
      userData = userDataRes.data
      #console.log userData
    catch e
@@ -2449,14 +2449,26 @@ ygopro.ctos_follow 'JOIN_GAME', true, (buffer, info, client, server, datas)->
      return
    if client.isClosed
      return
-    users_cache[client.name] = userData.user.id
+    # users_cache[client.name] = userData.user.id
-    secret = userData.user.id % 65535 + 1
+    possible_ids = [
-    decrypted_buffer = Buffer.allocUnsafe(6)
+      userData.user.u16Secret,
-    for i in [0, 2, 4]
+      userData.user.u16SecretPrevious,
-      decrypted_buffer.writeUInt16LE(buffer.readUInt16LE(i) ^ secret, i)
+      userData.user.id, # TODO: remove this line after use u16Secret
-    if check_buffer_indentity(decrypted_buffer)
+    ].filter((id) -> id != null)
-      buffer = decrypted_buffer
+    try_decrypt_buffer_with_id = (id) ->
-    if !check_buffer_indentity(buffer)
+      secret = id % 65535 + 1
+      decrypted_buffer = Buffer.allocUnsafe(6)
+      for i in [0, 2, 4]
+        decrypted_buffer.writeUInt16LE(buffer.readUInt16LE(i) ^ secret, i)
+      if check_buffer_indentity(decrypted_buffer)
+        return decrypted_buffer
+      return null
+    decrypted_buffer = null
+    for possible_id in possible_ids
+      decrypted_buffer = try_decrypt_buffer_with_id(possible_id)
+      if decrypted_buffer
+        break
+    if !decrypted_buffer
      ygopro.stoc_die(client, '${invalid_password_checksum}')
      return
    return create_room_with_action(buffer, decrypted_buffer)

--- a/ygopro-server.js
+++ b/ygopro-server.js
 // Generated by CoffeeScript 2.7.0
 (function() {
  // 标准库
-  var Aragami, CLIENT_get_absolute_pos, CLIENT_get_authorize_key, CLIENT_get_kick_reconnect_target, CLIENT_get_partner, CLIENT_heartbeat_register, CLIENT_heartbeat_unregister, CLIENT_import_data, CLIENT_is_able_to_kick_reconnect, CLIENT_is_able_to_reconnect, CLIENT_is_banned_by_mc, CLIENT_is_player, CLIENT_kick, CLIENT_kick_reconnect, CLIENT_pre_reconnect, CLIENT_reconnect, CLIENT_reconnect_register, CLIENT_reconnect_unregister, CLIENT_send_pre_reconnect_info, CLIENT_send_reconnect_info, CLIENT_send_replays, CLIENT_send_replays_and_kick, CLIENT_set_ip, PQueue, Q, ROOM_all, ROOM_bad_ip, ROOM_ban_player, ROOM_clear_disconnect, ROOM_connected_ip, ROOM_find_by_name, ROOM_find_by_pid, ROOM_find_by_port, ROOM_find_by_title, ROOM_find_or_create_ai, ROOM_find_or_create_by_name, ROOM_find_or_create_random, ROOM_kick, ROOM_player_flee, ROOM_player_get_score, ROOM_player_lose, ROOM_player_win, ROOM_players_oppentlist, ROOM_unwelcome, ROOM_validate, ReplayParser, ResolveData, Room, SERVER_clear_disconnect, SERVER_kick, SOCKET_flush_data, YGOProDeck, _, _async, addCallback, aragami, aragami_classes, athleticChecker, auth, axios, badwordR, badwords, ban_user, bunyan, challonge, checkFileExists, createDirectoryIfNotExists, crypto, dataManager, deck_name_match, dialogues, disconnect_list, exec, execFile, extra_mode_list, fs, geoip, getDuelLogQueryFromQs, getRealIp, get_memory_usage, http, httpRequestListener, importOldConfig, import_datas, init, ip6addr, isTrustedProxy, lflists, loadJSON, loadJSONAsync, loadLFList, loadRemoteData, load_dialogues, load_tips, log, long_resolve_cards, memory_usage, merge, moment, moment_long_ago_string, moment_now, moment_now_string, msg_polyfill, neosRequestListener, net, netRequestHandler, os, osu, path, qs, real_windbot_server_ip, release_disconnect, report_to_big_brother, request, roomlist, rooms_count, setting_change, setting_get, setting_save, settings, spawn, spawnSync, spawn_windbot, tips, toIpv4, toIpv6, url, users_cache, util, utility, wait_room_start, wait_room_start_arena, windbot_looplimit, windbot_process, windbots, ygopro, zlib;
+  var Aragami, CLIENT_get_absolute_pos, CLIENT_get_authorize_key, CLIENT_get_kick_reconnect_target, CLIENT_get_partner, CLIENT_heartbeat_register, CLIENT_heartbeat_unregister, CLIENT_import_data, CLIENT_is_able_to_kick_reconnect, CLIENT_is_able_to_reconnect, CLIENT_is_banned_by_mc, CLIENT_is_player, CLIENT_kick, CLIENT_kick_reconnect, CLIENT_pre_reconnect, CLIENT_reconnect, CLIENT_reconnect_register, CLIENT_reconnect_unregister, CLIENT_send_pre_reconnect_info, CLIENT_send_reconnect_info, CLIENT_send_replays, CLIENT_send_replays_and_kick, CLIENT_set_ip, PQueue, Q, ROOM_all, ROOM_bad_ip, ROOM_ban_player, ROOM_clear_disconnect, ROOM_connected_ip, ROOM_find_by_name, ROOM_find_by_pid, ROOM_find_by_port, ROOM_find_by_title, ROOM_find_or_create_ai, ROOM_find_or_create_by_name, ROOM_find_or_create_random, ROOM_kick, ROOM_player_flee, ROOM_player_get_score, ROOM_player_lose, ROOM_player_win, ROOM_players_oppentlist, ROOM_unwelcome, ROOM_validate, ReplayParser, ResolveData, Room, SERVER_clear_disconnect, SERVER_kick, SOCKET_flush_data, YGOProDeck, _, _async, addCallback, aragami, aragami_classes, athleticChecker, auth, axios, badwordR, badwords, ban_user, bunyan, challonge, checkFileExists, createDirectoryIfNotExists, crypto, dataManager, deck_name_match, dialogues, disconnect_list, exec, execFile, extra_mode_list, fs, geoip, getDuelLogQueryFromQs, getRealIp, get_memory_usage, http, httpRequestListener, importOldConfig, import_datas, init, ip6addr, isTrustedProxy, lflists, loadJSON, loadJSONAsync, loadLFList, loadRemoteData, load_dialogues, load_tips, log, long_resolve_cards, memory_usage, merge, moment, moment_long_ago_string, moment_now, moment_now_string, msg_polyfill, neosRequestListener, net, netRequestHandler, os, osu, path, qs, real_windbot_server_ip, release_disconnect, report_to_big_brother, request, roomlist, rooms_count, setting_change, setting_get, setting_save, settings, spawn, spawnSync, spawn_windbot, tips, toIpv4, toIpv6, url, util, utility, wait_room_start, wait_room_start_arena, windbot_looplimit, windbot_process, windbots, ygopro, zlib;
  net = require('net');
@@ -253,8 +253,7 @@
  athleticChecker = null;
-  users_cache = {};
+  // users_cache = {}
  geoip = null;
  dataManager = null;
@@ -321,7 +320,7 @@
  };
  init = async function() {
-    var AthleticChecker, Challonge, DataManager, chat_color, config, cppversion, defaultConfig, default_data, dirPath, dns, e, get_rooms_count, http_server, https, httpsOptions, https_server, imported, j, key, keysFromEnv, l, len, len1, len2, m, main_http_server, mkdirList, neosHttpServer, neosWsServer, pgClient, pg_client, pg_query, plugin_filename, plugin_list, plugin_path, postData, settingKey, val, valFromDefault, ws;
+    var AthleticChecker, Challonge, DataManager, chat_color, config, cppversion, defaultConfig, default_data, dirPath, dns, e, get_rooms_count, http_server, https, httpsOptions, https_server, imported, j, key, keysFromEnv, l, len, len1, len2, m, main_http_server, mkdirList, neosHttpServer, neosWsServer, plugin_filename, plugin_list, plugin_path, postData, settingKey, val, valFromDefault, ws;
    log.info('Reading config.');
    await createDirectoryIfNotExists("./config");
    await importOldConfig();
@@ -597,25 +596,25 @@
      geoip = require('geoip-country-lite');
    }
    if (settings.modules.mycard.enabled) {
-      pgClient = require('pg').Client;
+      // pgClient = require('pg').Client
-      pg_client = global.pg_client = new pgClient(settings.modules.mycard.auth_database);
+      // pg_client = global.pg_client = new pgClient(settings.modules.mycard.auth_database)
-      pg_client.on('error', function(err) {
+      // pg_client.on 'error', (err) ->
-        log.warn("PostgreSQL ERROR: ", err);
+      //   log.warn "PostgreSQL ERROR: ", err
-      });
+      //   return
-      pg_query = pg_client.query('SELECT username, id from users');
+      // pg_query = pg_client.query('SELECT username, id from users')
-      pg_query.on('error', function(err) {
+      // pg_query.on 'error', (err) ->
-        log.warn("PostgreSQL Query ERROR: ", err);
+      //   log.warn "PostgreSQL Query ERROR: ", err
-      });
+      //   return
-      pg_query.on('row', function(row) {
+      // pg_query.on 'row', (row) ->
-        //log.info "load user", row.username, row.id
+      //   #log.info "load user", row.username, row.id
-        users_cache[row.username] = row.id;
+      //   users_cache[row.username] = row.id
-      });
+      //   return
-      pg_query.on('end', function(result) {
+      // pg_query.on 'end', (result) ->
-        log.info("users loaded", result.rowCount);
+      //   log.info "users loaded", result.rowCount
-      });
+      //   return
-      pg_client.on('drain', pg_client.end.bind(pg_client));
+      // pg_client.on 'drain', pg_client.end.bind(pg_client)
-      log.info("loading mycard user...");
+      // log.info "loading mycard user..."
-      pg_client.connect();
+      // pg_client.connect()
      if (settings.modules.arena_mode.enabled && settings.modules.arena_mode.init_post.enabled) {
        postData = qs.stringify({
          ak: settings.modules.arena_mode.init_post.accesskey,
@@ -2888,7 +2887,7 @@
  });
  ygopro.ctos_follow('JOIN_GAME', true, async function(buffer, info, client, server, datas) {
-    var available_logs, check_buffer_indentity, check_version, create_room_name, create_room_with_action, decrypted_buffer, duelLog, e, exactBan, i, id, index, j, l, len, len1, len2, len3, m, matching_match, matching_participant, n, polyfill_version, pre_room, recover_match, ref, ref1, replay, replay_id, replays, room, secret, struct, tournament_data, userData, userDataRes, userUrl;
+    var available_logs, check_buffer_indentity, check_version, create_room_name, create_room_with_action, decrypted_buffer, duelLog, e, exactBan, index, j, l, len, len1, len2, m, matching_match, matching_participant, polyfill_version, possible_id, possible_ids, pre_room, recover_match, replay, replay_id, replays, room, struct, tournament_data, try_decrypt_buffer_with_id, userData, userDataRes, userUrl;
    check_version = async function() {
      var bad_version, blocker_obj, clean_blocker, client_key;
      bad_version = function(msg) {
@@ -3183,30 +3182,25 @@
        }
      };
      decrypted_buffer = null;
-      if (id = users_cache[client.name]) {
-        secret = id % 65535 + 1;
-        decrypted_buffer = Buffer.allocUnsafe(6);
-        ref = [0, 2, 4];
-        for (m = 0, len2 = ref.length; m < len2; m++) {
-          i = ref[m];
-          decrypted_buffer.writeUInt16LE(buffer.readUInt16LE(i) ^ secret, i);
-        }
-        if (check_buffer_indentity(decrypted_buffer)) {
-          return create_room_with_action(decrypted_buffer, decrypted_buffer);
-        }
-      }
      try {
+        // if id = users_cache[client.name]
+        //   secret = id % 65535 + 1
+        //   decrypted_buffer = Buffer.allocUnsafe(6)
+        //   for i in [0, 2, 4]
+        //     decrypted_buffer.writeUInt16LE(buffer.readUInt16LE(i) ^ secret, i)
+        //   if check_buffer_indentity(decrypted_buffer)
+        //     return create_room_with_action(decrypted_buffer, decrypted_buffer)
        userUrl = `${settings.modules.mycard.auth_base_url}/users/${encodeURIComponent(client.name)}.json`;
        //console.log(userUrl)
        userDataRes = (await axios.get(userUrl, {
          responseType: 'json',
          timeout: 4000,
          params: {
-            api_key: settings.modules.mycard.auth_key,
+            api_key: settings.modules.mycard.auth_key
-            api_username: client.name,
-            skip_track_visit: true
          }
        }));
+        // api_username: client.name,
+        // skip_track_visit: true
        userData = userDataRes.data;
      } catch (error1) {
        //console.log userData
@@ -3220,18 +3214,37 @@
      if (client.isClosed) {
        return;
      }
-      users_cache[client.name] = userData.user.id;
+      // users_cache[client.name] = userData.user.id
-      secret = userData.user.id % 65535 + 1;
+      possible_ids = [
-      decrypted_buffer = Buffer.allocUnsafe(6);
+        userData.user.u16Secret,
-      ref1 = [0, 2, 4];
+        userData.user.u16SecretPrevious,
-      for (n = 0, len3 = ref1.length; n < len3; n++) {
+        userData.user.id // TODO: remove this line after use u16Secret
-        i = ref1[n];
+      ].filter(function(id) {
-        decrypted_buffer.writeUInt16LE(buffer.readUInt16LE(i) ^ secret, i);
+        return id !== null;
-      }
+      });
-      if (check_buffer_indentity(decrypted_buffer)) {
+      try_decrypt_buffer_with_id = function(id) {
-        buffer = decrypted_buffer;
+        var i, len2, m, ref, secret;
+        secret = id % 65535 + 1;
+        decrypted_buffer = Buffer.allocUnsafe(6);
+        ref = [0, 2, 4];
+        for (m = 0, len2 = ref.length; m < len2; m++) {
+          i = ref[m];
+          decrypted_buffer.writeUInt16LE(buffer.readUInt16LE(i) ^ secret, i);
+        }
+        if (check_buffer_indentity(decrypted_buffer)) {
+          return decrypted_buffer;
+        }
+        return null;
+      };
+      decrypted_buffer = null;
+      for (m = 0, len2 = possible_ids.length; m < len2; m++) {
+        possible_id = possible_ids[m];
+        decrypted_buffer = try_decrypt_buffer_with_id(possible_id);
+        if (decrypted_buffer) {
+          break;
+        }
      }
-      if (!check_buffer_indentity(buffer)) {
+      if (!decrypted_buffer) {
        ygopro.stoc_die(client, '${invalid_password_checksum}');
        return;
      }