vapour-protocol 0.4.0

Steam client protocol implementation for native Rust applications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124

use base64::Engine;
use base64::engine::general_purpose::{URL_SAFE, URL_SAFE_NO_PAD};
use serde::Deserialize;

#[derive(Deserialize)]
struct RefreshTokenClaims {
    sub: SubClaim,
}

#[derive(Deserialize)]
#[serde(untagged)]
enum SubClaim {
    String(String),
    Number(u64),
}

pub fn steamid_from_refresh_token(token: &str) -> Option<u64> {
    let mut segments = token.split('.');
    let _header = segments.next()?;
    let payload = segments.next()?;
    let _signature = segments.next()?;

    if segments.next().is_some() || payload.is_empty() {
        return None;
    }

    let decoded_payload = decode_jwt_segment(payload)?;
    let claims: RefreshTokenClaims = serde_json::from_slice(&decoded_payload).ok()?;

    match claims.sub {
        SubClaim::String(value) => parse_steamid(&value),
        SubClaim::Number(value) => Some(value),
    }
}

fn decode_jwt_segment(segment: &str) -> Option<Vec<u8>> {
    URL_SAFE_NO_PAD
        .decode(segment)
        .or_else(|_| URL_SAFE.decode(segment))
        .ok()
}

fn parse_steamid(value: &str) -> Option<u64> {
    if value.is_empty() || !value.bytes().all(|byte| byte.is_ascii_digit()) {
        return None;
    }

    value.parse().ok()
}

#[cfg(test)]
mod tests {
    use super::steamid_from_refresh_token;
    use base64::Engine;
    use base64::engine::general_purpose::URL_SAFE_NO_PAD;

    #[test]
    fn extracts_steamid_from_string_sub_claim() {
        let token = make_token(r#"{"sub":"76561198000000000","aud":["web"]}"#);

        assert_eq!(
            steamid_from_refresh_token(&token),
            Some(76_561_198_000_000_000)
        );
    }

    #[test]
    fn extracts_steamid_from_numeric_sub_claim() {
        let token = make_token(r#"{"sub":76561198000000000}"#);

        assert_eq!(
            steamid_from_refresh_token(&token),
            Some(76_561_198_000_000_000)
        );
    }

    #[test]
    fn rejects_token_with_wrong_segment_count() {
        assert_eq!(steamid_from_refresh_token("header.payload"), None,);
        assert_eq!(
            steamid_from_refresh_token("header.payload.signature.extra"),
            None,
        );
    }

    #[test]
    fn rejects_invalid_base64_payload() {
        assert_eq!(steamid_from_refresh_token("header.@@@.signature"), None);
    }

    #[test]
    fn rejects_non_json_payload() {
        let token = make_token("not-json");

        assert_eq!(steamid_from_refresh_token(&token), None);
    }

    #[test]
    fn rejects_missing_sub_claim() {
        let token = make_token(r#"{"iss":"steam"}"#);

        assert_eq!(steamid_from_refresh_token(&token), None);
    }

    #[test]
    fn rejects_non_numeric_string_sub_claim() {
        let token = make_token(r#"{"sub":"steam-user"}"#);

        assert_eq!(steamid_from_refresh_token(&token), None);
    }

    #[test]
    fn rejects_out_of_range_string_sub_claim() {
        let token = make_token(r#"{"sub":"18446744073709551616"}"#);

        assert_eq!(steamid_from_refresh_token(&token), None);
    }

    fn make_token(payload_json: &str) -> String {
        let header = URL_SAFE_NO_PAD.encode(r#"{"alg":"none","typ":"JWT"}"#);
        let payload = URL_SAFE_NO_PAD.encode(payload_json);
        format!("{header}.{payload}.signature")
    }
}