From de203125baafca3052a49560452753ab4295a678 Mon Sep 17 00:00:00 2001
From: William Nelson
Date: Sat, 12 Oct 2024 01:04:22 -0400
Subject: [PATCH] Security update
---
 keyauth.py | 48 ++++++++++++++++++++++--------------------------
 main.py | 7 +++----
 requirements.txt | 1 +
 3 files changed, 26 insertions(+), 30 deletions(-)
diff --git a/keyauth.py b/keyauth.py
index 3987731..045bcf1 100644
--- a/keyauth.py
+++ b/keyauth.py
@@ -2,11 +2,10 @@
 import json as jsond # json
 import time # sleep before exit
 import binascii # hex encoding
-from uuid import uuid4 # gen random guid
 import platform # check platform
 import subprocess # needed for mac device
-import hmac # signature checksum
-import hashlib # signature checksum
+from datetime import datetime
+from discord_interactions import verify_key # used for signature verification
 try:
 if os.name == 'nt':
@@ -28,11 +27,11 @@ class api:
-name = ownerid = secret = version = hash_to_check = ""
+name = ownerid = version = hash_to_check = ""
-def __init__(self, name, ownerid, secret, version, hash_to_check):
-if len(ownerid) != 10 and len(secret) != 64:
-print("Go to Manage Applications on dashboard, copy python code, and replace code in main.py with that")
+def __init__(self, name, ownerid, version, hash_to_check):
+if len(ownerid) != 10:
+print("Visit https://keyauth.cc/app/, copy Pthon code, and replace code in main.py with that")
 time.sleep(3)
 os._exit(1)
@@ -40,8 +39,6 @@ def __init__(self, name, ownerid, secret, version, hash_to_check):
 self.ownerid = ownerid
-self.secret = secret
-
 self.version = version
 self.hash_to_check = hash_to_check
 self.init()
@@ -54,16 +51,11 @@ def init(self):
 print("You've already initialized!")
 time.sleep(3)
 os._exit(1)
-
-sent_key = str(uuid4())[:16]
-
-self.enckey = sent_key + "-" + self.secret
 post_data = {
 "type": "init",
 "ver": self.version,
 "hash": self.hash_to_check,
-"enckey": sent_key,
 "name": self.name,
 "ownerid": self.ownerid
 }
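Review bot: `from discord_interactions import verify_key` is placed above the `try:` that appears to guard the other third-party imports, so a machine without the package dies with a bare ModuleNotFoundError instead of reaching whatever handler the existing `except` provides (that handler is outside the hunk, so I cannot see what it does); moving the line inside that block keeps the failure mode consistent. The new `datetime` import is used later in the patch only as `datetime.now().timestamp()`, which `time.time()` — `time` is already imported on the line above — returns directly, so the import can be dropped.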
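Review bot: The new user-facing message on the `print` line has a typo, "Pthon"; change it to `print("Visit https://keyauth.cc/app/, copy Python code, and replace code in main.py with that")`. With the secret check gone, `len(ownerid) != 10` is the only validation left in `__init__`, while main.py in this same patch ships `name = ""`; it may be worth rejecting an empty `name` on the same line, e.g. `if len(ownerid) != 10 or not name:`, so a template that was never filled in fails here with the friendly message rather than at the server. The rest of `__init__` lies outside this hunk.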
@@ -96,9 +88,6 @@ def init(self):
 self.sessionid = json["sessionid"]
 self.initialized = True
-
-if json["newSession"]:
-time.sleep(0.1)
 def register(self, user, password, license, hwid=None):
 self.checkinit()
@@ -523,15 +512,23 @@ def logout(self):
 def __do_request(self, post_data):
 try:
 response = requests.post(
-"https://keyauth.win/api/1.2/", data=post_data, timeout=10
+"https://keyauth.win/api/1.3/", data=post_data, timeout=10
 )
-key = self.secret if post_data["type"] == "init" else self.enckey
-if post_data["type"] == "log": return response.text
-
-client_computed = hmac.new(key.encode('utf-8'), response.text.encode('utf-8'), hashlib.sha256).hexdigest()
+if post_data["type"] == "log" or post_data["type"] == "file": return response.text
-
-signature = response.headers["signature"]
+signature = response.headers["x-signature-ed25519"]
+timestamp = response.headers["x-signature-timestamp"]
+
+unix_timestamp = int(timestamp)
+# Get the current time
+current_time = datetime.now().timestamp()
+
+# Check if the timestamp is older than 15 seconds
+if current_time - unix_timestamp > 15:
+print("Timestamp OLD")
+time.sleep(3)
+os._exit(1)
 if not os.path.exists("C:\\ProgramData\\KeyAuth"):
 os.makedirs("C:\\ProgramData\\KeyAuth")
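Review bot: The freshness check `if current_time - unix_timestamp > 15:` only rejects timestamps in the past; a header dated arbitrarily far in the future passes, so a replayed response stays valid as long as its timestamp is ahead of the client clock — use `if abs(current_time - unix_timestamp) > 15:`. `int(timestamp)` and the two `response.headers[...]` lookups run before any signature is checked, so a missing or non-numeric header raises KeyError/ValueError inside the `try:` whose handler is outside the hunk; it would be clearer to route those cases through the same message-and-exit path as a bad signature. The `"file"` branch now returns `response.text` with neither timestamp nor signature verified; if that is intentional because file bodies are not signed, say so on that line, e.g. `# log/file responses carry no signature and are returned unverified`. `__do_request` continues past the end of this hunk.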
@@ -543,11 +540,10 @@ def __do_request(self, post_data):
 with open(f"C:\\ProgramData\\KeyAuth\\Debug\\{exe_name}\\log.txt", "a") as log_file:
 if len(response.text) <= 200:
-tampered = not hmac.compare_digest(client_computed, signature)
 execution_time = time.strftime("%I:%M %p | %m/%d/%Y")
-log_file.write(f"\n{execution_time} | {post_data['type']} \nResponse: {response.text}\n Was response tampered with? {tampered}\n")
+log_file.write(f"\n{execution_time} | {post_data['type']} \nResponse: {response.text}")
-if not hmac.compare_digest(client_computed, signature):
+if not verify_key(response.text.encode('utf-8'), signature, timestamp, '5586b4bc69c7a4b487e4563a4cd96afd39140f919bd31cea7d1c6a1e8439422b'):
 print("Signature checksum failed. Request was tampered with or session ended most likely.")
 print("Response: " + response.text)
 time.sleep(3)
diff --git a/main.py b/main.py
index 06e7fac..8aaded8 100644
--- a/main.py
+++ b/main.py
@@ -46,10 +46,9 @@ def getchecksum():
 keyauthapp = api(
-name = "",
-ownerid = "",
-secret = "",
-version = "1.0",
+name = "", # Application Name
+ownerid = "", # Owner ID
+version = "1.0", # Application Version
 hash_to_check = getchecksum()
 )
diff --git a/requirements.txt b/requirements.txt
index e2c27ec..1778876 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,3 @@
 requests
 pywin32
+discord-interactions
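Review bot: The server's Ed25519 public key is an anonymous hex literal inside the `verify_key(...)` call; hoist it to a named module-level constant, e.g. `KEYAUTH_PUBLIC_KEY = "<hex literal from this line>"  # server signing key, trust anchor for every response`, and pass that name here so the trust anchor is visible at the top of the file and can be rotated in one place. The `log_file.write` line records the response body before `verify_key` has run, so unverified, possibly forged text is appended to `C:\ProgramData\KeyAuth\Debug\<exe_name>\log.txt` in the same format as genuine responses; writing the entry after the check, or keeping an explicit "unverified" marker in it (the old `tampered` field did this), avoids that. The message `Signature checksum failed.` now describes a signature rather than a checksum failure, which is cosmetic. `__do_request` starts and ends outside this hunk.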
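Review bot: `discord-interactions` is added without a version pin, and since its `verify_key` is now the only thing that authenticates server responses, an upgrade or a substituted package on the index silently changes the verifier; pin it, e.g. `discord-interactions==<version tested with this patch>`, and consider hash-pinning the file so `pip install --require-hashes` rejects anything else. `requests` and `pywin32` on the context lines are unpinned too, so a single pass over the file would be consistent.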