Revert use of cookies, go back to using a JWT

2018-06-06 22:49:44 -07:00 · 2018-06-06 22:49:44 -07:00 · 03c83c084a
commit 03c83c084a
parent 871147f2d9
8 changed files with 80 additions and 44 deletions
--- a/app/Http/Controllers/Auth/AbstractLoginController.php
+++ b/app/Http/Controllers/Auth/AbstractLoginController.php
@ -2,6 +2,7 @@

 namespace Pterodactyl\Http\Controllers\Auth;

+use Cake\Chronos\Chronos;
 use Lcobucci\JWT\Builder;
 use Illuminate\Http\Request;
 use Pterodactyl\Models\User;
@ -139,19 +140,35 @@ abstract class AbstractLoginController extends Controller

        $this->auth->guard()->login($user, true);

-        debug($request->cookies->all());
-
        return response()->json([
            'complete' => true,
            'intended' => $this->redirectPath(),
-            'cookie' => [
-                'name' => config('session.cookie'),
-                'value' => $this->encrypter->encrypt($request->cookie(config('session.cookie'))),
-            ],
-            'user' => (new AccountTransformer())->transform($user),
+            'jwt' => $this->createJsonWebToken($user),
        ]);
    }

+    /**
+     * Create a new JWT for the request and sign it using the signing key.
+     *
+     * @param User $user
+     * @return string
+     */
+    protected function createJsonWebToken(User $user): string
+    {
+        $token = $this->builder
+            ->setIssuer('Pterodactyl Panel')
+            ->setAudience(config('app.url'))
+            ->setId(str_random(16), true)
+            ->setIssuedAt(Chronos::now()->getTimestamp())
+            ->setNotBefore(Chronos::now()->getTimestamp())
+            ->setExpiration(Chronos::now()->addSeconds(config('session.lifetime'))->getTimestamp())
+            ->set('user', (new AccountTransformer())->transform($user))
+            ->sign($this->getJWTSigner(), $this->getJWTSigningKey())
+            ->getToken();
+
+        return $token->__toString();
+    }
+
    /**
     * Determine if the user is logging in using an email or username,.
     *
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -80,8 +80,6 @@ class Kernel extends HttpKernel
        ],
        'client-api' => [
            'throttle:240,1',
-            EncryptCookies::class,
-            StartSession::class,
            SubstituteClientApiBindings::class,
            SetSessionDriver::class,
            'api..key:' . ApiKey::TYPE_ACCOUNT,
--- a/app/Http/Middleware/Api/AuthenticateKey.php
+++ b/app/Http/Middleware/Api/AuthenticateKey.php
@ -5,7 +5,6 @@ namespace Pterodactyl\Http\Middleware\Api;
 use Closure;
 use Lcobucci\JWT\Parser;
 use Cake\Chronos\Chronos;
-use Illuminate\Support\Str;
 use Illuminate\Http\Request;
 use Pterodactyl\Models\ApiKey;
 use Illuminate\Auth\AuthManager;
@ -64,24 +63,19 @@ class AuthenticateKey
    public function handle(Request $request, Closure $next, int $keyType)
    {
        if (is_null($request->bearerToken())) {
-            if (! Str::startsWith($request->route()->getName(), ['api.client']) && ! $request->user()) {
-                throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
-            }
+            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
        }

-        if (is_null($request->bearerToken())) {
-            $model = (new ApiKey)->forceFill([
-                'user_id' => $request->user()->id,
-                'key_type' => ApiKey::TYPE_ACCOUNT,
-            ]);
-        }
+        $raw = $request->bearerToken();

-        if (! isset($model)) {
-            $raw = $request->bearerToken();
+        // This is an internal JWT, treat it differently to get the correct user before passing it along.
+        if (strlen($raw) > ApiKey::IDENTIFIER_LENGTH + ApiKey::KEY_LENGTH) {
+            $model = $this->authenticateJWT($raw);
+        } else {
            $model = $this->authenticateApiKey($raw, $keyType);
-            $this->auth->guard()->loginUsingId($model->user_id);
        }

+        $this->auth->guard()->loginUsingId($model->user_id);
        $request->attributes->set('api_key', $model);

        return $next($request);
@ -103,6 +97,16 @@ class AuthenticateKey
            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
        }

+        // Run through the token validation and throw an exception if the token is not valid.
+        if (
+            $token->getClaim('nbf') > Chronos::now()->getTimestamp()
+            || $token->getClaim('iss') !== 'Pterodactyl Panel'
+            || $token->getClaim('aud') !== config('app.url')
+            || $token->getClaim('exp') <= Chronos::now()->getTimestamp()
+        ) {
+            throw new AccessDeniedHttpException;
+        }
+
        return (new ApiKey)->forceFill([
            'user_id' => object_get($token->getClaim('user'), 'id', 0),
            'key_type' => ApiKey::TYPE_ACCOUNT,