Strip out JWT usage and use cookies to track the currently logged in user

2018-07-14 22:42:58 -07:00 · 2018-07-14 22:42:58 -07:00 · 6336e5191f
commit 6336e5191f
parent a7fae86e58
9 changed files with 44 additions and 144 deletions
--- a/app/Http/Controllers/Auth/AbstractLoginController.php
+++ b/app/Http/Controllers/Auth/AbstractLoginController.php
@ -2,8 +2,6 @@

 namespace Pterodactyl\Http\Controllers\Auth;

-use Cake\Chronos\Chronos;
-use Lcobucci\JWT\Builder;
 use Illuminate\Http\Request;
 use Pterodactyl\Models\User;
 use Illuminate\Auth\AuthManager;
@ -16,7 +14,6 @@ use Illuminate\Contracts\Auth\Authenticatable;
 use Illuminate\Contracts\Encryption\Encrypter;
 use Illuminate\Foundation\Auth\AuthenticatesUsers;
 use Pterodactyl\Traits\Helpers\ProvidesJWTServices;
-use Pterodactyl\Transformers\Api\Client\AccountTransformer;
 use Illuminate\Contracts\Cache\Repository as CacheRepository;
 use Pterodactyl\Contracts\Repository\UserRepositoryInterface;

@ -29,11 +26,6 @@ abstract class AbstractLoginController extends Controller
     */
    protected $auth;

-    /**
-     * @var \Lcobucci\JWT\Builder
-     */
-    protected $builder;
-
    /**
     * @var \Illuminate\Contracts\Cache\Repository
     */
@ -79,7 +71,6 @@ abstract class AbstractLoginController extends Controller
     * LoginController constructor.
     *
     * @param \Illuminate\Auth\AuthManager                              $auth
-     * @param \Lcobucci\JWT\Builder                                     $builder
     * @param \Illuminate\Contracts\Cache\Repository                    $cache
     * @param \Illuminate\Contracts\Encryption\Encrypter                $encrypter
     * @param \PragmaRX\Google2FA\Google2FA                             $google2FA
@ -87,14 +78,12 @@ abstract class AbstractLoginController extends Controller
     */
    public function __construct(
        AuthManager $auth,
-        Builder $builder,
        CacheRepository $cache,
        Encrypter $encrypter,
        Google2FA $google2FA,
        UserRepositoryInterface $repository
    ) {
        $this->auth = $auth;
-        $this->builder = $builder;
        $this->cache = $cache;
        $this->encrypter = $encrypter;
        $this->google2FA = $google2FA;
@ -143,34 +132,10 @@ abstract class AbstractLoginController extends Controller
        return response()->json([
            'complete' => true,
            'intended' => $this->redirectPath(),
-            'jwt' => $this->createJsonWebToken($user),
+            'user' => $user->toVueObject(),
        ]);
    }

-    /**
-     * Create a new JWT for the request and sign it using the signing key.
-     *
-     * @param User $user
-     * @return string
-     */
-    protected function createJsonWebToken(User $user): string
-    {
-        $now = Chronos::now('utc');
-
-        $token = $this->builder
-            ->setIssuer('Pterodactyl Panel')
-            ->setAudience(config('app.url'))
-            ->setId(str_random(16), true)
-            ->setIssuedAt($now->getTimestamp())
-            ->setNotBefore($now->getTimestamp())
-            ->setExpiration($now->addSeconds(config('jwt.lifetime'))->getTimestamp())
-            ->set('user', (new AccountTransformer())->transform($user))
-            ->sign($this->getJWTSigner(), $this->getJWTSigningKey())
-            ->getToken();
-
-        return $token->__toString();
-    }
-
    /**
     * Determine if the user is logging in using an email or username,.
     *
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -49,6 +49,7 @@ class Kernel extends HttpKernel
     */
    protected $middleware = [
        CheckForMaintenanceMode::class,
+        EncryptCookies::class,
        ValidatePostSize::class,
        TrimStrings::class,
        ConvertEmptyStringsToNull::class,
@ -62,7 +63,6 @@ class Kernel extends HttpKernel
     */
    protected $middlewareGroups = [
        'web' => [
-            EncryptCookies::class,
            AddQueuedCookiesToResponse::class,
            StartSession::class,
            AuthenticateSession::class,
@ -82,8 +82,10 @@ class Kernel extends HttpKernel
        ],
        'client-api' => [
            'throttle:240,1',
-            SubstituteClientApiBindings::class,
+            StartSession::class,
            SetSessionDriver::class,
+            AuthenticateSession::class,
+            SubstituteClientApiBindings::class,
            'api..key:' . ApiKey::TYPE_ACCOUNT,
            AuthenticateIPAccess::class,
        ],
--- a/app/Http/Middleware/Api/AuthenticateKey.php
+++ b/app/Http/Middleware/Api/AuthenticateKey.php
@ -3,9 +3,9 @@
 namespace Pterodactyl\Http\Middleware\Api;

 use Closure;
-use Lcobucci\JWT\Parser;
 use Cake\Chronos\Chronos;
 use Illuminate\Http\Request;
+use Pterodactyl\Models\User;
 use Pterodactyl\Models\ApiKey;
 use Illuminate\Auth\AuthManager;
 use Illuminate\Contracts\Encryption\Encrypter;
@ -62,15 +62,19 @@ class AuthenticateKey
     */
    public function handle(Request $request, Closure $next, int $keyType)
    {
-        if (is_null($request->bearerToken())) {
+        if (is_null($request->bearerToken()) && is_null($request->user())) {
            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
        }

        $raw = $request->bearerToken();

-        // This is an internal JWT, treat it differently to get the correct user before passing it along.
-        if (strlen($raw) > ApiKey::IDENTIFIER_LENGTH + ApiKey::KEY_LENGTH) {
-            $model = $this->authenticateJWT($raw);
+        // This is a request coming through using cookies, we have an authenticated user not using
+        // an API key. Make some fake API key models and continue on through the process.
+        if (empty($raw) && $request->user() instanceof User) {
+            $model = new ApiKey([
+                'user_id' => $request->user()->id,
+                'key_type' => ApiKey::TYPE_ACCOUNT,
+            ]);
        } else {
            $model = $this->authenticateApiKey($raw, $keyType);
        }
@ -81,42 +85,6 @@ class AuthenticateKey
        return $next($request);
    }

-    /**
-     * Authenticate an API request using a JWT rather than an API key.
-     *
-     * @param string $token
-     * @return \Pterodactyl\Models\ApiKey
-     */
-    protected function authenticateJWT(string $token): ApiKey
-    {
-        $token = (new Parser)->parse($token);
-
-        // If the key cannot be verified throw an exception to indicate that a bad
-        // authorization header was provided.
-        if (! $token->verify($this->getJWTSigner(), $this->getJWTSigningKey())) {
-            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
-        }
-
-        // Run through the token validation and throw an exception if the token is not valid.
-        //
-        // The issued_at time is used for verification in order to allow rapid changing of session
-        // length on the Panel without having to wait on existing tokens to first expire.
-        $now = Chronos::now('utc');
-        if (
-            Chronos::createFromTimestampUTC($token->getClaim('nbf'))->gt($now)
-            || $token->getClaim('iss') !== 'Pterodactyl Panel'
-            || $token->getClaim('aud') !== config('app.url')
-            || Chronos::createFromTimestampUTC($token->getClaim('iat'))->addMinutes(config('jwt.lifetime'))->lte($now)
-        ) {
-            throw new AccessDeniedHttpException('The authentication parameters provided are not valid for accessing this resource.');
-        }
-
-        return (new ApiKey)->forceFill([
-            'user_id' => object_get($token->getClaim('user'), 'id', 0),
-            'key_type' => ApiKey::TYPE_ACCOUNT,
-        ]);
-    }
-
    /**
     * Authenticate an API key.
     *