Core/Authserver: Add auth session timeout - socket is closed after 10s of inactivity if not authenticated or after 1 minute if authenticated

2026-01-23 10:26:28 +01:00 · 2025-07-16 12:57:03 +02:00
parent 4fb3bbe718
commit 7b438d389b
3 changed files with 43 additions and 0 deletions
--- a/src/server/authserver/Server/AuthSession.cpp
+++ b/src/server/authserver/Server/AuthSession.cpp
@@ -26,6 +26,7 @@
 #include "CryptoRandom.h"
 #include "DatabaseEnv.h"
 #include "IPLocation.h"
+#include "IoContext.h"
 #include "Log.h"
 #include "RealmList.h"
 #include "SecretMgr.h"
@@ -199,6 +200,7 @@ void AccountInfo::LoadResult(Field* fields)
 }

 AuthSession::AuthSession(tcp::socket&& socket) : Socket(std::move(socket)),
+    _timeout(*underlying_stream().get_executor().target<boost::asio::io_context::executor_type>()),
    _status(STATUS_CHALLENGE), _locale(LOCALE_enUS), _os(0), _build(0), _expversion(0), _timezoneOffset(0min)
 {
 }
@@ -250,6 +252,7 @@ void AuthSession::CheckIpCallback(PreparedQueryResult result)
    }

    AsyncRead();
+    SetTimeout();
 }

 void AuthSession::ReadHandler()
@@ -290,6 +293,7 @@ void AuthSession::ReadHandler()
        }

        packet.ReadCompleted(size);
+        SetTimeout();
    }

    AsyncRead();
@@ -898,3 +902,34 @@ bool AuthSession::VerifyVersion(std::span<uint8 const> a, Trinity::Crypto::SHA1:

    return versionProof == version.GetDigest();
 }
+
+void AuthSession::SetTimeout()
+{
+    _timeout.cancel();
+
+    switch (_status)
+    {
+        case STATUS_AUTHED:
+        case STATUS_WAITING_FOR_REALM_LIST:
+            _timeout.expires_after(1min);
+            break;
+        case STATUS_XFER:
+            return;
+        default:
+            _timeout.expires_after(10s);
+            break;
+    }
+
+    _timeout.async_wait([selfRef = weak_from_this()](boost::system::error_code const& error)
+    {
+        std::shared_ptr<AuthSession> self = selfRef.lock();
+        if (!self)
+            return;
+
+        if (error == boost::asio::error::operation_aborted)
+            return;
+
+        TC_LOG_DEBUG("server.authserver", "{}:{} session timed out.", self->GetRemoteIpAddress().to_string(), self->GetRemotePort());
+        self->CloseSocket();
+    });
+}
--- a/src/server/authserver/Server/AuthSession.h
+++ b/src/server/authserver/Server/AuthSession.h
@@ -22,6 +22,7 @@
 #include "Common.h"
 #include "CryptoHash.h"
 #include "DatabaseEnvFwd.h"
+#include "DeadlineTimer.h"
 #include "Duration.h"
 #include "Optional.h"
 #include "Socket.h"
@@ -92,11 +93,13 @@ private:
    void RealmListCallback(PreparedQueryResult result);

    bool VerifyVersion(std::span<uint8 const> a, Trinity::Crypto::SHA1::Digest const& versionProof, bool isReconnect);
+    void SetTimeout();

    Optional<Trinity::Crypto::SRP6> _srp6;
    SessionKey _sessionKey = {};
    std::array<uint8, 16> _reconnectProof = {};

+    Trinity::Asio::DeadlineTimer _timeout;
    AuthStatus _status;
    AccountInfo _accountInfo;
    Optional<std::vector<uint8>> _totpSecret;
--- a/src/server/shared/Networking/Socket.h
+++ b/src/server/shared/Networking/Socket.h
@@ -138,6 +138,11 @@ public:

    MessageBuffer& GetReadBuffer() { return _readBuffer; }

+    tcp::socket& underlying_stream()
+    {
+        return _socket;
+    }
+
 protected:
    virtual void OnClose() { }