author | pg9182 <96569817+pg9182@users.noreply.github.com> | 2022-10-15 08:52:08 -0400 |
---|---|---|
committer | pg9182 <96569817+pg9182@users.noreply.github.com> | 2022-10-15 08:52:08 -0400 |
commit | 2bf919d274e25d7adc19ad6de259429b2f22a0ee (patch) | |
tree | bf2666aeb22ed666c7cd6dc5aa43760b5f014773 /pkg/api/api0 | |
parent | d30e6b20b8aa904d36f792e33e0d114af73a51f9 (diff) | |
pkg/api/api0: Implement server validation for /accounts/write_persistence
Diffstat (limited to 'pkg/api/api0')
-rw-r--r-- | pkg/api/api0/accounts.go | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/pkg/api/api0/accounts.go b/pkg/api/api0/accounts.go index a19a908..76e47b6 100644 --- a/pkg/api/api0/accounts.go +++ b/pkg/api/api0/accounts.go @@ -115,9 +115,6 @@ func (h *Handler) handleAccountsWritePersistence(w http.ResponseWriter, r *http. } serverID := r.URL.Query().Get("serverId") // blank on listen server - if serverID != "" { - // TODO: check serverID - } raddr, err := netip.ParseAddrPort(r.RemoteAddr) if err != nil { @@ -162,7 +159,29 @@ func (h *Handler) handleAccountsWritePersistence(w http.ResponseWriter, r *http. return } } else { - // TODO: check if gameserver ip matches and that account is on it + srv := h.ServerList.GetServerByID(serverID) + if srv == nil { + respJSON(w, r, http.StatusForbidden, map[string]any{ + "success": false, + "error": ErrorCode_UNAUTHORIZED_GAMESERVER, + "msg": ErrorCode_UNAUTHORIZED_GAMESERVER.Messagef("no such game server"), + }) + return + } + if srv.Addr.Addr() != raddr.Addr() { + respJSON(w, r, http.StatusForbidden, map[string]any{ + "success": false, + "error": ErrorCode_UNAUTHORIZED_GAMESERVER, + }) + return + } + if acct.LastServerID != srv.ID { + respJSON(w, r, http.StatusForbidden, map[string]any{ + "success": false, + "error": ErrorCode_UNAUTHORIZED_GAMESERVER, + }) + return + } } if err := h.PdataStorage.SetPdata(uid, buf); err != nil { |
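Review bot: The new `else` branch authorizes the persistence write from the source address alone: `srv.Addr.Addr() != raddr.Addr()` compares only the IP (the port is dropped) and `serverId` comes from the query string, so any sender that shares the registered server's address passes this check for every account whose `LastServerID` is that server. If that is the intended trust model, state it above the comparison, e.g. `// NOTE: game servers are identified by IP only; anything sharing that IP can write pdata for accounts last seen on srv`. The comparison is also exact on `netip.Addr`, so an IPv4-mapped form on either side would fail closed; unless `raddr` is normalised outside this hunk, `srv.Addr.Addr().Unmap() != raddr.Addr().Unmap()` avoids that. The second and third rejections return no `msg`, and as far as the hunk shows none of the three is logged, which makes refused writes hard to tell apart during triage. The handler's body starts and ends outside the hunk, so logging may already happen elsewhere.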