From 5ea63273be4e76cbec91343d983af485a0f43665 Mon Sep 17 00:00:00 2001
From: yushijinhun
Date: Tue, 5 Feb 2019 01:46:48 +0800
Subject: [PATCH] check validity of YggdrasilSession response
---
 .../hmcl/auth/yggdrasil/YggdrasilAccount.java | 11 ++++++++++-
 .../hmcl/auth/yggdrasil/YggdrasilService.java | 2 +-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/HMCLCore/src/main/java/org/jackhuang/hmcl/auth/yggdrasil/YggdrasilAccount.java b/HMCLCore/src/main/java/org/jackhuang/hmcl/auth/yggdrasil/YggdrasilAccount.java
index d99189bdc..ea3d066bc 100644
--- a/HMCLCore/src/main/java/org/jackhuang/hmcl/auth/yggdrasil/YggdrasilAccount.java
+++ b/HMCLCore/src/main/java/org/jackhuang/hmcl/auth/yggdrasil/YggdrasilAccount.java
@@ -31,6 +31,7 @@ import org.jackhuang.hmcl.auth.CharacterDeletedException;
 import org.jackhuang.hmcl.auth.CharacterSelector;
 import org.jackhuang.hmcl.auth.CredentialExpiredException;
 import org.jackhuang.hmcl.auth.NoCharacterException;
+import org.jackhuang.hmcl.auth.ServerResponseMalformedException;
 import org.jackhuang.hmcl.util.gson.UUIDTypeAdapter;

 public class YggdrasilAccount extends Account {
@@ -65,6 +66,7 @@ public class YggdrasilAccount extends Account {
 acquiredSession.getAccessToken(),
 acquiredSession.getClientToken(),
 characterToSelect);
+ // response validity has been checked in refresh()
 } else {
 session = acquiredSession;
 }
@@ -94,8 +96,9 @@ public class YggdrasilAccount extends Account {
 if (service.validate(session.getAccessToken(), session.getClientToken())) {
 authenticated = true;
 } else {
+ YggdrasilSession acquiredSession;
 try {
- session = service.refresh(session.getAccessToken(), session.getClientToken(), null);
+ acquiredSession = service.refresh(session.getAccessToken(), session.getClientToken(), null);
 } catch (RemoteAuthenticationException e) {
 if ("ForbiddenOperationException".equals(e.getRemoteName())) {
 throw new CredentialExpiredException(e);
@@ -103,6 +106,12 @@ public class YggdrasilAccount extends Account {
 throw e;
 }
 }
+ if (acquiredSession.getSelectedProfile() == null ||
+ !acquiredSession.getSelectedProfile().getId().equals(characterUUID)) {
+ throw new ServerResponseMalformedException("Selected profile changed");
+ }
+
+ session = acquiredSession;
 authenticated = true;

 invalidate();
diff --git a/HMCLCore/src/main/java/org/jackhuang/hmcl/auth/yggdrasil/YggdrasilService.java b/HMCLCore/src/main/java/org/jackhuang/hmcl/auth/yggdrasil/YggdrasilService.java
index c3f51fd13..cac9ce7a6 100644
--- a/HMCLCore/src/main/java/org/jackhuang/hmcl/auth/yggdrasil/YggdrasilService.java
+++ b/HMCLCore/src/main/java/org/jackhuang/hmcl/auth/yggdrasil/YggdrasilService.java
@@ -110,7 +110,7 @@ public class YggdrasilService {
 if (characterToSelect != null) {
 if (response.getSelectedProfile() == null ||
 !response.getSelectedProfile().getId().equals(characterToSelect.getId())) {
- throw new AuthenticationException("Failed to select character");
+ throw new ServerResponseMalformedException("Failed to select character");
 }
 }
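Review bot: The new profile check in YggdrasilAccount.java (hunk `@@ -103,6 +106,12 @@`) calls `getSelectedProfile().getId().equals(characterUUID)` on the server-supplied value, so a refresh response whose selected profile carries no `id` would presumably fail with a NullPointerException rather than the intended ServerResponseMalformedException. Whether `getId()` can return null depends on the profile class and its JSON deserialisation, which the hunk does not show. Comparing from the locally held side closes that gap, assuming `characterUUID` is never null: `!characterUUID.equals(acquiredSession.getSelectedProfile().getId())) {`. The same call order appears in the unchanged context lines of the YggdrasilService.java hunk (`response.getSelectedProfile().getId().equals(characterToSelect.getId())`). The enclosing method starts and continues outside the hunk.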