diff --git a/app/Http/Controllers/Api/Client/Servers/FileController.php b/app/Http/Controllers/Api/Client/Servers/FileController.php
index c2856ff0..68e1ec08 100644
--- a/app/Http/Controllers/Api/Client/Servers/FileController.php
+++ b/app/Http/Controllers/Api/Client/Servers/FileController.php
@@ -93,6 +93,7 @@ class FileController extends ClientApiController
{
$token = $this->jwtService
->setExpiresAt(CarbonImmutable::now()->addMinutes(15))
+ ->setUser($request->user())
->setClaims([
'file_path' => rawurldecode($request->get('file')),
'server_uuid' => $server->uuid,
diff --git a/app/Http/Controllers/Api/Client/Servers/FileUploadController.php b/app/Http/Controllers/Api/Client/Servers/FileUploadController.php
index a3b36252..1701bb0c 100644
--- a/app/Http/Controllers/Api/Client/Servers/FileUploadController.php
+++ b/app/Http/Controllers/Api/Client/Servers/FileUploadController.php
@@ -55,9 +55,8 @@ class FileUploadController extends ClientApiController
{
$token = $this->jwtService
->setExpiresAt(CarbonImmutable::now()->addMinutes(15))
- ->setClaims([
- 'server_uuid' => $server->uuid,
- ])
+ ->setUser($user)
+ ->setClaims(['server_uuid' => $server->uuid])
->handle($server->node, $user->id . $server->uuid);
return sprintf(
diff --git a/app/Http/Controllers/Api/Client/Servers/WebsocketController.php b/app/Http/Controllers/Api/Client/Servers/WebsocketController.php
index 08abee27..5446b22c 100644
--- a/app/Http/Controllers/Api/Client/Servers/WebsocketController.php
+++ b/app/Http/Controllers/Api/Client/Servers/WebsocketController.php
@@ -69,8 +69,8 @@ class WebsocketController extends ClientApiController
$token = $this->jwtService
->setExpiresAt(CarbonImmutable::now()->addMinutes(10))
+ ->setUser($request->user())
->setClaims([
- 'user_id' => $request->user()->id,
'server_uuid' => $server->uuid,
'permissions' => $permissions,
])
diff --git a/app/Services/Backups/DownloadLinkService.php b/app/Services/Backups/DownloadLinkService.php
index 7d5af4ca..1a381296 100644
--- a/app/Services/Backups/DownloadLinkService.php
+++ b/app/Services/Backups/DownloadLinkService.php
@@ -41,6 +41,7 @@ class DownloadLinkService
$token = $this->jwtService
->setExpiresAt(CarbonImmutable::now()->addMinutes(15))
+ ->setUser($user)
->setClaims([
'backup_uuid' => $backup->uuid,
'server_uuid' => $backup->server->uuid,
diff --git a/app/Services/Nodes/NodeJWTService.php b/app/Services/Nodes/NodeJWTService.php
index 1b52479b..d9473d90 100644
--- a/app/Services/Nodes/NodeJWTService.php
+++ b/app/Services/Nodes/NodeJWTService.php
@@ -6,6 +6,7 @@ use DateTimeImmutable;
use Carbon\CarbonImmutable;
use Illuminate\Support\Str;
use Pterodactyl\Models\Node;
+use Pterodactyl\Models\User;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key\InMemory;
@@ -13,20 +14,16 @@ use Pterodactyl\Extensions\Lcobucci\JWT\Encoding\TimestampDates;
class NodeJWTService
{
- /**
- * @var array
- */
- private $claims = [];
+ private array $claims = [];
+
+ private ?User $user = null;
/**
* @var \DateTimeImmutable|null
*/
private $expiresAt;
- /**
- * @var string|null
- */
- private $subject;
+ private ?string $subject = null;
/**
* Set the claims to include in this JWT.
@@ -40,6 +37,17 @@ class NodeJWTService
return $this;
}
+ /**
+ * Attaches a user to the JWT being created and will automatically inject the
+ * "user_uuid" key into the final claims array with the user's UUID.
+ */
+ public function setUser(User $user): self
+ {
+ $this->user = $user;
+
+ return $this;
+ }
+
/**
* @return $this
*/
@@ -92,6 +100,17 @@ class NodeJWTService
$builder = $builder->withClaim($key, $value);
}
+ if (!is_null($this->user)) {
+ $builder = $builder
+ ->withClaim('user_uuid', $this->user->uuid)
+ // The "user_id" claim is deprecated and should not be referenced — it remains
+ // here solely to ensure older versions of Wings are unaffected when the Panel
+ // is updated.
+ //
+ // This claim will be removed in Panel@1.11 or later.
+ ->withClaim('user_id', $this->user->id);
+ }
+
return $builder
->withClaim('unique_id', Str::random(16))
->getToken($config->signer(), $config->signingKey());