Add underlying code to handle authenticating websocket credentials

app/Http/Controllers/Api/Client/Servers/WebsocketController.php

@@ -0,0 +1,71 @@
+<?php
+
+namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
+
+use Cake\Chronos\Chronos;
+use Illuminate\Support\Str;
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
+use Pterodactyl\Models\Server;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Contracts\Cache\Repository;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
+
+class WebsocketController extends ClientApiController
+{
+    /**
+     * @var \Illuminate\Contracts\Cache\Repository
+     */
+    private $cache;
+
+    /**
+     * WebsocketController constructor.
+     *
+     * @param \Illuminate\Contracts\Cache\Repository $cache
+     */
+    public function __construct(Repository $cache)
+    {
+        parent::__construct();
+
+        $this->cache = $cache;
+    }
+
+    /**
+     * Generates a one-time token that is sent along in the request to the Daemon. The
+     * daemon then connects back to the Panel to verify that the token is valid when it
+     * is used.
+     *
+     * This token is valid for 30 seconds from time of generation, it is not designed
+     * to be stored and used over and over.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Pterodactyl\Models\Server $server
+     * @return \Illuminate\Http\JsonResponse
+     */
+    public function __invoke(Request $request, Server $server)
+    {
+        if (! $request->user()->can('connect-to-ws', $server)) {
+            throw new HttpException(
+                Response::HTTP_FORBIDDEN, 'You do not have permission to connect to this server\'s websocket.'
+            );
+        }
+
+        $token = Str::random(32);
+
+        $this->cache->put('ws:' . $token, [
+            'user_id' => $request->user()->id,
+            'server_id' => $server->id,
+            'request_ip' => $request->ip(),
+            'timestamp' => Chronos::now()->toIso8601String(),
+        ], Chronos::now()->addSeconds(30));
+
+        $socket = str_replace(['https://', 'http://'], ['wss://', 'ws://'], $server->node->getConnectionAddress());
+
+        return JsonResponse::create([
+            'data' => [
+                'socket' => $socket . sprintf('/api/servers/%s/ws/%s', $server->uuid, $token),
+            ],
+        ]);
+    }
+}

app/Http/Controllers/Api/Remote/ValidateWebsocketController.php

@@ -0,0 +1,83 @@
+<?php
+
+namespace Pterodactyl\Http\Controllers\Api\Remote;
+
+use Illuminate\Http\Response;
+use Illuminate\Contracts\Cache\Repository;
+use Pterodactyl\Http\Controllers\Controller;
+use Pterodactyl\Repositories\Eloquent\UserRepository;
+use Pterodactyl\Repositories\Eloquent\ServerRepository;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Pterodactyl\Http\Requests\Api\Remote\AuthenticateWebsocketDetailsRequest;
+
+class ValidateWebsocketController extends Controller
+{
+    /**
+     * @var \Illuminate\Contracts\Cache\Repository
+     */
+    private $cache;
+
+    /**
+     * @var \Pterodactyl\Repositories\Eloquent\ServerRepository
+     */
+    private $serverRepository;
+
+    /**
+     * @var \Pterodactyl\Repositories\Eloquent\UserRepository
+     */
+    private $userRepository;
+
+    /**
+     * ValidateWebsocketController constructor.
+     *
+     * @param \Illuminate\Contracts\Cache\Repository $cache
+     * @param \Pterodactyl\Repositories\Eloquent\ServerRepository $serverRepository
+     * @param \Pterodactyl\Repositories\Eloquent\UserRepository $userRepository
+     */
+    public function __construct(Repository $cache, ServerRepository $serverRepository, UserRepository $userRepository)
+    {
+        $this->cache = $cache;
+        $this->serverRepository = $serverRepository;
+        $this->userRepository = $userRepository;
+    }
+
+    /**
+     * Route allowing the Wings daemon to validate that a websocket route request is
+     * valid and that the given user has permission to access the resource.
+     *
+     * @param \Pterodactyl\Http\Requests\Api\Remote\AuthenticateWebsocketDetailsRequest $request
+     * @param string $token
+     * @return \Illuminate\Http\Response
+     *
+     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     */
+    public function __invoke(AuthenticateWebsocketDetailsRequest $request, string $token)
+    {
+        $server = $this->serverRepository->getByUuid($request->input('server_uuid'));
+        if (! $data = $this->cache->pull('ws:' . $token)) {
+            throw new NotFoundHttpException;
+        }
+
+        /** @var \Pterodactyl\Models\User $user */
+        $user = $this->userRepository->find($data['user_id']);
+        if (! $user->can('connect-to-ws', $server)) {
+            throw new HttpException(Response::HTTP_FORBIDDEN, 'You do not have permission to access this resource.');
+        }
+
+        /** @var \Pterodactyl\Models\Node $node */
+        $node = $request->attributes->get('node');
+
+        if (
+            $data['server_id'] !== $server->id
+            || $node->id !== $server->node_id
+            // @todo this doesn't work well in dev currently, need to look into this way more.
+            // @todo stems from some issue with the way requests are being proxied.
+            // || $data['request_ip'] !== $request->input('originating_request_ip')
+        ) {
+            throw new HttpException(Response::HTTP_BAD_REQUEST, 'The token provided is not valid for the requested resource.');
+        }
+
+        return Response::create('', Response::HTTP_NO_CONTENT);
+    }
+}

app/Http/Requests/Api/Remote/AuthenticateWebsocketDetailsRequest.php

@@ -0,0 +1,26 @@
+<?php
+
+namespace Pterodactyl\Http\Requests\Api\Remote;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+class AuthenticateWebsocketDetailsRequest extends FormRequest
+{
+    /**
+     * @return bool
+     */
+    public function authorize()
+    {
+        return true;
+    }
+
+    /**
+     * @return array
+     */
+    public function rules()
+    {
+        return [
+            'server_uuid' => 'required|string',
+        ];
+    }
+}