StarMC/Astral-nook
StarMC/Astral-nook
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

First pass at converting websocket to send a token along with every call

Browse source
This commit is contained in:
Dane Everitt 2019-09-24 20:20:29 -07:00
parent 513965dac7
commit 18c4b951e6
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
8 changed files with 143 additions and 135 deletions
Download patch file Download diff file Expand all files Collapse all files

36
app/Http/Controllers/Api/Client/Servers/WebsocketController.php
View file

@ -3,11 +3,13 @@
namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
use Cake\Chronos\Chronos;
use Illuminate\Support\Str;
use Lcobucci\JWT\Builder;
use Illuminate\Http\Request;
use Lcobucci\JWT\Signer\Key;
use Illuminate\Http\Response;
use Pterodactyl\Models\Server;
use Illuminate\Http\JsonResponse;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Illuminate\Contracts\Cache\Repository;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
@ -32,12 +34,10 @@ class WebsocketController extends ClientApiController
}
/**
* Generates a one-time token that is sent along in the request to the Daemon. The
* daemon then connects back to the Panel to verify that the token is valid when it
* is used.
*
* This token is valid for 30 seconds from time of generation, it is not designed
* to be stored and used over and over.
* Generates a one-time token that is sent along in every websocket call to the Daemon.
* This is a signed JWT that the Daemon then uses the verify the user's identity, and
* allows us to continually renew this token and avoid users mainitaining sessions wrongly,
* as well as ensure that user's only perform actions they're allowed to.
*
* @param \Illuminate\Http\Request $request
* @param \Pterodactyl\Models\Server $server
@ -51,20 +51,26 @@ class WebsocketController extends ClientApiController
);
}
$token = Str::random(32);
$now = Chronos::now();
$this->cache->put('ws:' . $token, [
'user_id' => $request->user()->id,
'server_id' => $server->id,
'request_ip' => $request->ip(),
'timestamp' => Chronos::now()->toIso8601String(),
], Chronos::now()->addSeconds(30));
$signer = new Sha256;
$token = (new Builder)->issuedBy(config('app.url'))
->permittedFor($server->node->getConnectionAddress())
->identifiedBy(hash('sha256', $request->user()->id . $server->uuid), true)
->issuedAt($now->getTimestamp())
->canOnlyBeUsedAfter($now->getTimestamp())
->expiresAt($now->addMinutes(15)->getTimestamp())
->withClaim('user_id', $request->user()->id)
->withClaim('server_uuid', $server->uuid)
->getToken($signer, new Key($server->node->daemonSecret));
$socket = str_replace(['https://', 'http://'], ['wss://', 'ws://'], $server->node->getConnectionAddress());
return JsonResponse::create([
'data' => [
'socket' => $socket . sprintf('/api/servers/%s/ws/%s', $server->uuid, $token),
'token' => $token->__toString(),
'socket' => $socket . sprintf('/api/servers/%s/ws', $server->uuid),
],
]);
}

83
app/Http/Controllers/Api/Remote/ValidateWebsocketController.php
View file

@ -1,83 +0,0 @@
<?php
namespace Pterodactyl\Http\Controllers\Api\Remote;
use Illuminate\Http\Response;
use Illuminate\Contracts\Cache\Repository;
use Pterodactyl\Http\Controllers\Controller;
use Pterodactyl\Repositories\Eloquent\UserRepository;
use Pterodactyl\Repositories\Eloquent\ServerRepository;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Pterodactyl\Http\Requests\Api\Remote\AuthenticateWebsocketDetailsRequest;
class ValidateWebsocketController extends Controller
{
/**
* @var \Illuminate\Contracts\Cache\Repository
*/
private $cache;
/**
* @var \Pterodactyl\Repositories\Eloquent\ServerRepository
*/
private $serverRepository;
/**
* @var \Pterodactyl\Repositories\Eloquent\UserRepository
*/
private $userRepository;
/**
* ValidateWebsocketController constructor.
*
* @param \Illuminate\Contracts\Cache\Repository $cache
* @param \Pterodactyl\Repositories\Eloquent\ServerRepository $serverRepository
* @param \Pterodactyl\Repositories\Eloquent\UserRepository $userRepository
*/
public function __construct(Repository $cache, ServerRepository $serverRepository, UserRepository $userRepository)
{
$this->cache = $cache;
$this->serverRepository = $serverRepository;
$this->userRepository = $userRepository;
}
/**
* Route allowing the Wings daemon to validate that a websocket route request is
* valid and that the given user has permission to access the resource.
*
* @param \Pterodactyl\Http\Requests\Api\Remote\AuthenticateWebsocketDetailsRequest $request
* @param string $token
* @return \Illuminate\Http\Response
*
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
*/
public function __invoke(AuthenticateWebsocketDetailsRequest $request, string $token)
{
$server = $this->serverRepository->getByUuid($request->input('server_uuid'));
if (! $data = $this->cache->pull('ws:' . $token)) {
throw new NotFoundHttpException;
}
/** @var \Pterodactyl\Models\User $user */
$user = $this->userRepository->find($data['user_id']);
if (! $user->can('connect-to-ws', $server)) {
throw new HttpException(Response::HTTP_FORBIDDEN, 'You do not have permission to access this resource.');
}
/** @var \Pterodactyl\Models\Node $node */
$node = $request->attributes->get('node');
if (
$data['server_id'] !== $server->id
|| $node->id !== $server->node_id
// @todo this doesn't work well in dev currently, need to look into this way more.
// @todo stems from some issue with the way requests are being proxied.
// || $data['request_ip'] !== $request->input('originating_request_ip')
) {
throw new HttpException(Response::HTTP_BAD_REQUEST, 'The token provided is not valid for the requested resource.');
}
return Response::create('', Response::HTTP_NO_CONTENT);
}
}