Require version 4 UUIDs from clients

src/main/java/net/frozenorb/apiv3/models/User.java

@@ -11,8 +11,8 @@ import net.frozenorb.apiv3.APIv3;
 import net.frozenorb.apiv3.serialization.ExcludeFromReplies;
 import net.frozenorb.apiv3.utils.MojangUtils;
 import net.frozenorb.apiv3.utils.PermissionUtils;
+import net.frozenorb.apiv3.utils.UUIDUtils;
 import org.bson.Document;
-import org.mindrot.jbcrypt.BCrypt;
 import org.mongodb.morphia.annotations.Entity;
 import org.mongodb.morphia.annotations.Id;
 import org.mongodb.morphia.annotations.Indexed;
@@ -46,7 +46,11 @@ public final class  User {
     }
 
     public static User byId(UUID id) {
+        if (UUIDUtils.isAcceptableUUID(id)) {
             return APIv3.getDatastore().createQuery(User.class).field("id").equal(id).get();
+        } else {
+            return null;
+        }
     }
 
     public static User byEmailToken(String name) {

src/main/java/net/frozenorb/apiv3/routes/servers/POSTServerHeartbeat.java

@@ -11,6 +11,7 @@ import net.frozenorb.apiv3.models.ServerGroup;
 import net.frozenorb.apiv3.models.User;
 import net.frozenorb.apiv3.utils.ErrorUtils;
 import net.frozenorb.apiv3.utils.PermissionUtils;
+import net.frozenorb.apiv3.utils.UUIDUtils;
 import org.bson.Document;
 import spark.Request;
 import spark.Response;
@@ -37,12 +38,18 @@ public final class POSTServerHeartbeat implements Route {
 
         for (Object player : (List<Object>) reqJson.get("players")) {
             Document playerJson = (Document) player;
-            User user = User.byId(playerJson.getString("uuid"));
+            UUID uuid = UUID.fromString(playerJson.getString("uuid"));
+
+            if (!UUIDUtils.isAcceptableUUID(uuid)) {
+                continue;
+            }
+
+            User user = User.byId(uuid);
             String username = playerJson.getString("username");
 
             if (user == null) {
                 // Will be saved by the save command a few lines down.
-                user = new User(UUID.fromString(playerJson.getString("uuid")), username);
+                user = new User(uuid, username);
             }
 
             user.seenOnServer(actorServer);

src/main/java/net/frozenorb/apiv3/routes/users/POSTUserLogin.java

@@ -7,6 +7,7 @@ import net.frozenorb.apiv3.models.Server;
 import net.frozenorb.apiv3.models.User;
 import net.frozenorb.apiv3.utils.ErrorUtils;
 import net.frozenorb.apiv3.utils.IPUtils;
+import net.frozenorb.apiv3.utils.UUIDUtils;
 import spark.Request;
 import spark.Response;
 import spark.Route;
@@ -16,7 +17,13 @@ import java.util.UUID;
 public final class POSTUserLogin implements Route {
 
     public Object handle(Request req, Response res) {
-        User user = User.byId(req.params("id"));
+        UUID uuid = UUID.fromString(req.params("id"));
+
+        if (!UUIDUtils.isAcceptableUUID(uuid)) {
+            return ErrorUtils.invalidInput("UUID \"" + uuid + "\" is not valid - must be version 4 UUID.");
+        }
+
+        User user = User.byId(uuid);
         String username = req.queryParams("username");
         String userIp = req.queryParams("userIp");
         Actor actor = req.attribute("actor");
@@ -30,7 +37,7 @@ public final class POSTUserLogin implements Route {
         }
 
         if (user == null) {
-            user = new User(UUID.fromString(req.params("id")), username);
+            user = new User(uuid, username);
             APIv3.getDatastore().save(user);
         }
 

src/main/java/net/frozenorb/apiv3/utils/UUIDUtils.java

@@ -0,0 +1,14 @@
+package net.frozenorb.apiv3.utils;
+
+import lombok.experimental.UtilityClass;
+
+import java.util.UUID;
+
+@UtilityClass
+public class UUIDUtils {
+
+    public static boolean isAcceptableUUID(UUID uuid) {
+        return uuid.version() == 4;
+    }
+
+}