Add support for multiple Velocity proxies

src/main/java/ua/nanit/limbo/connection/ClientConnection.java

@@ -45,6 +45,8 @@
 import java.net.SocketAddress;
 import java.security.InvalidKeyException;
 import java.security.MessageDigest;
+import java.util.Arrays;
+import java.util.List;
 import java.util.UUID;
 import java.util.concurrent.ThreadLocalRandom;
 import java.util.concurrent.TimeUnit;
@@ -330,18 +332,27 @@ boolean checkVelocityKeyIntegrity(ByteMessage buf) {
         buf.readBytes(signature);
         byte[] data = new byte[buf.readableBytes()];
         buf.getBytes(buf.readerIndex(), data);
-        try {
-            Mac mac = Mac.getInstance("HmacSHA256");
-            mac.init(new SecretKeySpec(server.getConfig().getInfoForwarding().getSecretKey(), "HmacSHA256"));
-            byte[] mySignature = mac.doFinal(data);
-            if (!MessageDigest.isEqual(signature, mySignature))
-                return false;
-        } catch (InvalidKeyException | java.security.NoSuchAlgorithmException e) {
-            throw new AssertionError(e);
+
+        List<byte[]> secretKeys = server.getConfig().getInfoForwarding().getSecretKeys();
+        boolean validKey = false;
+
+        for (byte[] secretKey : secretKeys) {
+            try {
+                Mac mac = Mac.getInstance("HmacSHA256");
+                mac.init(new SecretKeySpec(secretKey, "HmacSHA256"));
+                byte[] mySignature = mac.doFinal(data);
+                if (MessageDigest.isEqual(signature, mySignature)) {
+                    validKey = true;
+                    break;
+                }
+            } catch (InvalidKeyException | java.security.NoSuchAlgorithmException e) {
+                throw new AssertionError(e);
+            }
         }
+
         int version = buf.readVarInt();
         if (version != 1)
             throw new IllegalStateException("Unsupported forwarding version " + version + ", wanted " + '\001');
-        return true;
+        return validKey;
     }
 }

src/main/java/ua/nanit/limbo/server/data/InfoForwarding.java

@@ -23,19 +23,20 @@
 import org.spongepowered.configurate.serialize.TypeSerializer;
 
 import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
 import java.util.List;
 
 public class InfoForwarding {
 
     private Type type;
-    private byte[] secretKey;
+    private List<byte[]> secretKey;
     private List<String> tokens;
 
     public Type getType() {
         return type;
     }
 
-    public byte[] getSecretKey() {
+    public List<byte[]> getSecretKeys() {
         return secretKey;
     }
 
@@ -83,7 +84,14 @@ public InfoForwarding deserialize(java.lang.reflect.Type type, ConfigurationNode
             }
 
             if (forwarding.type == Type.MODERN) {
-                forwarding.secretKey = node.node("secret").getString("").getBytes(StandardCharsets.UTF_8);
+                List<String> secrets = node.node("secret").getList(String.class);
+                List<byte[]> keys = new ArrayList<>();
+                if (secrets != null) {
+                    for (String secret : secrets) {
+                        keys.add(secret.getBytes(StandardCharsets.UTF_8));
+                    }
+                }
+                forwarding.secretKey = keys;
             }
 
             if (forwarding.type == Type.BUNGEE_GUARD) {

src/main/resources/settings.yml

@@ -90,7 +90,8 @@ title:
 # Don't use secret if you do not use MODERN type
 infoForwarding:
   type: NONE
-  secret: '<YOUR_SECRET_HERE>'
+  secret:
+    - '<YOUR_SECRET_HERE>'
   tokens:
     - '<BUNGEE_GUARD_TOKEN>'