Store node daemon tokens in an encrypted manner

2020-04-10 15:15:38 -07:00 · 2020-04-10 15:15:38 -07:00 · 7557dddf49
commit 7557dddf49
parent 2ac82af25a
26 changed files with 222 additions and 827 deletions
--- a/app/Http/Middleware/Api/Daemon/DaemonAuthenticate.php
+++ b/app/Http/Middleware/Api/Daemon/DaemonAuthenticate.php
@ -4,6 +4,7 @@ namespace Pterodactyl\Http\Middleware\Api\Daemon;

 use Closure;
 use Illuminate\Http\Request;
+use Illuminate\Contracts\Encryption\Encrypter;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Pterodactyl\Contracts\Repository\NodeRepositoryInterface;
 use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
@ -25,14 +26,21 @@ class DaemonAuthenticate
        'daemon.configuration',
    ];

+    /**
+     * @var \Illuminate\Contracts\Encryption\Encrypter
+     */
+    private $encrypter;
+
    /**
     * DaemonAuthenticate constructor.
     *
+     * @param \Illuminate\Contracts\Encryption\Encrypter $encrypter
     * @param \Pterodactyl\Contracts\Repository\NodeRepositoryInterface $repository
     */
-    public function __construct(NodeRepositoryInterface $repository)
+    public function __construct(Encrypter $encrypter, NodeRepositoryInterface $repository)
    {
        $this->repository = $repository;
+        $this->encrypter = $encrypter;
    }

    /**
@ -50,20 +58,31 @@ class DaemonAuthenticate
            return $next($request);
        }

-        $token = $request->bearerToken();
-
-        if (is_null($token)) {
-            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
+        if (is_null($bearer = $request->bearerToken())) {
+            throw new HttpException(
+                401, 'Access this this endpoint must include an Authorization header.', null, ['WWW-Authenticate' => 'Bearer']
+            );
        }

+        [$identifier, $token] = explode('.', $bearer);
+
        try {
-            $node = $this->repository->findFirstWhere([['daemonSecret', '=', $token]]);
+            /** @var \Pterodactyl\Models\Node $node */
+            $node = $this->repository->findFirstWhere([
+                'daemon_token_id' => $identifier,
+            ]);
+
+            if (hash_equals((string) $this->encrypter->decrypt($node->daemon_token), $token)) {
+                $request->attributes->set('node', $node);
+
+                return $next($request);
+            }
        } catch (RecordNotFoundException $exception) {
-            throw new AccessDeniedHttpException;
+            // Do nothing, we don't want to expose a node not existing at all.
        }

-        $request->attributes->set('node', $node);
-
-        return $next($request);
+        throw new AccessDeniedHttpException(
+            'You are not authorized to access this resource.'
+        );
    }
 }
--- a/app/Http/Middleware/DaemonAuthenticate.php
+++ b/app/Http/Middleware/DaemonAuthenticate.php
@ -1,69 +0,0 @@
-<?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
- *
- * This software is licensed under the terms of the MIT license.
- * https://opensource.org/licenses/MIT
- */
-
-namespace Pterodactyl\Http\Middleware;
-
-use Closure;
-use Illuminate\Http\Request;
-use Pterodactyl\Contracts\Repository\NodeRepositoryInterface;
-use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
-
-class DaemonAuthenticate
-{
-    /**
-     * An array of route names to not apply this middleware to.
-     *
-     * @var array
-     */
-    private $except = [
-        'daemon.configuration',
-    ];
-
-    /**
-     * @var \Pterodactyl\Contracts\Repository\NodeRepositoryInterface
-     */
-    private $repository;
-
-    /**
-     * Create a new filter instance.
-     *
-     * @param \Pterodactyl\Contracts\Repository\NodeRepositoryInterface $repository
-     * @deprecated
-     */
-    public function __construct(NodeRepositoryInterface $repository)
-    {
-        $this->repository = $repository;
-    }
-
-    /**
-     * Handle an incoming request.
-     *
-     * @param \Illuminate\Http\Request $request
-     * @param \Closure $next
-     * @return mixed
-     *
-     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
-     * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
-     */
-    public function handle(Request $request, Closure $next)
-    {
-        if (in_array($request->route()->getName(), $this->except)) {
-            return $next($request);
-        }
-
-        if (! $request->header('X-Access-Node')) {
-            throw new AccessDeniedHttpException;
-        }
-
-        $node = $this->repository->findFirstWhere(['daemonSecret' => $request->header('X-Access-Node')]);
-        $request->attributes->set('node', $node);
-
-        return $next($request);
-    }
-}