Merge pull request #15167 from lichess-org/scanning

Github scanning webhook
lichess-org · Apr 30, 2024 · 906a62c · 906a62c
2 parents 39675e2 + 7c4ad3d
commit 906a62c
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 0 deletions.
diff --git a/app/controllers/Main.scala b/app/controllers/Main.scala
@@ -174,3 +174,11 @@ final class Main(
           .map(url => JsonOk(Json.obj("imageUrl" -> url)))
       case None => JsonBadRequest(jsonError("Image content only"))
   }
+
+  def githubSecretScanning = AnonBodyOf(parse.json): body =>
+    env.oAuth.tokenApi
+      .secretScanning(body)
+      .flatMap:
+        _.traverse: (token, url) =>
+          env.msg.api.systemPost(token.userId, lila.msg.MsgPreset.apiTokenRevoked(url))
+      .as(NoContent)
diff --git a/conf/routes b/conf/routes
@@ -830,6 +830,7 @@ GET   /verify-title                    controllers.Main.verifyTitle
 GET   /InstantChess.com                controllers.Main.instantChess
 GET   /daily-puzzle-slack              controllers.Main.dailyPuzzleSlackApp
 POST  /upload/image/user/:rel          controllers.Main.uploadImage(rel)
+POST  /github/secret-scanning          controllers.Main.githubSecretScanning
 
 # Technical
 GET   /run/captcha/$id<\w{8}>          controllers.Main.captchaCheck(id)

diff --git a/modules/msg/src/main/MsgPreset.scala b/modules/msg/src/main/MsgPreset.scala
@@ -43,3 +43,13 @@ $forumPost
     s"""@${by.name} has changed your leader permissions in the team "${team.name}".
 Your new permissions are: ${perms.mkString(", ")}.
 $baseUrl/team/${team.id}"""
+
+  def apiTokenRevoked(url: String) =
+    s"""Your Lichess API token has been found on GitHub
+
+We detected one of your API tokens in a public code repository on GitHub at the following URL:
+
+$url
+
+We have automatically revoked the token to protect your account.
+    """
diff --git a/modules/oauth/src/main/AccessTokenApi.scala b/modules/oauth/src/main/AccessTokenApi.scala
@@ -1,6 +1,7 @@
 package lila.oauth
 
 import reactivemongo.api.bson.*
+import play.api.libs.json.*
 
 import lila.core.net.Bearer
 import lila.db.dsl.{ *, given }
@@ -211,6 +212,29 @@ final class AccessTokenApi(
           bearers.zip(openTokens).toMap
         }
 
+  def secretScanning(body: JsValue): Fu[List[(AccessToken, String)]] =
+    body
+      .asOpt[List[JsObject]]
+      .map:
+        _.flatMap: obj =>
+          for
+            token <- (obj \ "token").asOpt[String]
+            url   <- (obj \ "url").asOpt[String]
+          yield Bearer(token) -> url
+        .toMap
+      .so: tokensMap =>
+        test(tokensMap.keys.toList)
+          .flatMap:
+            _.toList.traverse: (bearer, token) =>
+              token match
+                case Some(token) =>
+                  logger.branch("github").info(s"revoking token ${token.plain} for user ${token.userId}")
+                  revoke(token.plain).inject(tokensMap.get(bearer).map(token -> _))
+                case None =>
+                  logger.branch("github").info(s"ignoring token $bearer")
+                  fuccess(none)
+          .map(_.flatten)
+
   private val accessTokenCache =
     cacheApi[AccessToken.Id, Option[AccessToken.ForAuth]](1024, "oauth.access_token"):
       _.expireAfterWrite(5 minutes).buildAsyncFuture(fetchAccessToken)