misc_pterodactyl-panel/app/Http/Controllers/Api/Client/Servers/WebsocketController.php

<?php

namespace Pterodactyl\Http\Controllers\Api\Client\Servers;

use Carbon\CarbonImmutable;
use Illuminate\Http\Response;
use Pterodactyl\Models\Server;
use Illuminate\Http\JsonResponse;
use Pterodactyl\Models\Permission;
use Pterodactyl\Services\Nodes\NodeJWTService;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
use Pterodactyl\Services\Servers\GetUserPermissionsService;
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;

class WebsocketController extends ClientApiController
{
    /**
     * @var \Pterodactyl\Services\Nodes\NodeJWTService
     */
    private $jwtService;

    /**
     * @var \Pterodactyl\Services\Servers\GetUserPermissionsService
     */
    private $permissionsService;

    /**
     * WebsocketController constructor.
     *
     * @param \Pterodactyl\Services\Nodes\NodeJWTService $jwtService
     * @param \Pterodactyl\Services\Servers\GetUserPermissionsService $permissionsService
     */
    public function __construct(
        NodeJWTService $jwtService,
        GetUserPermissionsService $permissionsService
    ) {
        parent::__construct();

        $this->jwtService = $jwtService;
        $this->permissionsService = $permissionsService;
    }

    /**
     * Generates a one-time token that is sent along in every websocket call to the Daemon.
     * This is a signed JWT that the Daemon then uses the verify the user's identity, and
     * allows us to continually renew this token and avoid users mainitaining sessions wrongly,
     * as well as ensure that user's only perform actions they're allowed to.
     *
     * @param \Pterodactyl\Http\Requests\Api\Client\ClientApiRequest $request
     * @param \Pterodactyl\Models\Server $server
     * @return \Illuminate\Http\JsonResponse
     */
    public function __invoke(ClientApiRequest $request, Server $server)
    {
        $user = $request->user();
        if ($user->cannot(Permission::ACTION_WEBSOCKET_CONNECT, $server)) {
            throw new HttpException(Response::HTTP_FORBIDDEN, 'You do not have permission to connect to this server\'s websocket.');
        }

        $token = $this->jwtService
            ->setExpiresAt(CarbonImmutable::now()->addMinutes(10))
            ->setClaims([
                'user_id' => $request->user()->id,
                'server_uuid' => $server->uuid,
                'permissions' => $this->permissionsService->handle($server, $user),
            ])
            ->handle($server->node, $user->id . $server->uuid);

        $socket = str_replace(['https://', 'http://'], ['wss://', 'ws://'], $server->node->getConnectionAddress());

        return new JsonResponse([
            'data' => [
                'token' => $token->__toString(),
                'socket' => $socket . sprintf('/api/servers/%s/ws', $server->uuid),
            ],
        ]);
    }
}
Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00			`<?php`

			`namespace Pterodactyl\Http\Controllers\Api\Client\Servers;`

Simplify handling of permissions for websocket, only send permissions the user actually has 2020-04-07 04:03:00 +00:00			`use Carbon\CarbonImmutable;`
Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00			`use Illuminate\Http\Response;`
			`use Pterodactyl\Models\Server;`
			`use Illuminate\Http\JsonResponse;`
Update all of the permissions checking to be constant based 2020-03-22 22:31:25 +00:00			`use Pterodactyl\Models\Permission;`
Simplify handling of permissions for websocket, only send permissions the user actually has 2020-04-07 04:03:00 +00:00			`use Pterodactyl\Services\Nodes\NodeJWTService;`
Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00			`use Symfony\Component\HttpKernel\Exception\HttpException;`
Update all of the permissions checking to be constant based 2020-03-22 22:31:25 +00:00			`use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;`
Fix display of navbar links to admins, closes #1920 2020-04-17 17:21:15 +00:00			`use Pterodactyl\Services\Servers\GetUserPermissionsService;`
Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00			`use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;`

			`class WebsocketController extends ClientApiController`
			`{`
Simplify handling of permissions for websocket, only send permissions the user actually has 2020-04-07 04:03:00 +00:00			`/**`
			`* @var \Pterodactyl\Services\Nodes\NodeJWTService`
			`*/`
			`private $jwtService;`

Fix display of navbar links to admins, closes #1920 2020-04-17 17:21:15 +00:00			`/**`
			`* @var \Pterodactyl\Services\Servers\GetUserPermissionsService`
			`*/`
			`private $permissionsService;`

Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00			`/**`
			`* WebsocketController constructor.`
			`*`
Simplify handling of permissions for websocket, only send permissions the user actually has 2020-04-07 04:03:00 +00:00			`* @param \Pterodactyl\Services\Nodes\NodeJWTService $jwtService`
Fix display of navbar links to admins, closes #1920 2020-04-17 17:21:15 +00:00			`* @param \Pterodactyl\Services\Servers\GetUserPermissionsService $permissionsService`
Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00			`*/`
Fix display of navbar links to admins, closes #1920 2020-04-17 17:21:15 +00:00			`public function __construct(`
			`NodeJWTService $jwtService,`
Add test coverage for generating JWTs to connect to websocket 2020-06-28 17:16:15 +00:00			`GetUserPermissionsService $permissionsService`
Fix display of navbar links to admins, closes #1920 2020-04-17 17:21:15 +00:00			`) {`
Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00			`parent::__construct();`

Simplify handling of permissions for websocket, only send permissions the user actually has 2020-04-07 04:03:00 +00:00			`$this->jwtService = $jwtService;`
Fix display of navbar links to admins, closes #1920 2020-04-17 17:21:15 +00:00			`$this->permissionsService = $permissionsService;`
Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00			`}`

			`/**`
First pass at converting websocket to send a token along with every call 2019-09-25 03:20:29 +00:00			`* Generates a one-time token that is sent along in every websocket call to the Daemon.`
			`* This is a signed JWT that the Daemon then uses the verify the user's identity, and`
			`* allows us to continually renew this token and avoid users mainitaining sessions wrongly,`
			`* as well as ensure that user's only perform actions they're allowed to.`
Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00			`*`
Update all of the permissions checking to be constant based 2020-03-22 22:31:25 +00:00			`* @param \Pterodactyl\Http\Requests\Api\Client\ClientApiRequest $request`
Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00			`* @param \Pterodactyl\Models\Server $server`
			`* @return \Illuminate\Http\JsonResponse`
			`*/`
Update all of the permissions checking to be constant based 2020-03-22 22:31:25 +00:00			`public function __invoke(ClientApiRequest $request, Server $server)`
Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00			`{`
Simplify handling of permissions for websocket, only send permissions the user actually has 2020-04-07 04:03:00 +00:00			`$user = $request->user();`
Fix display of navbar links to admins, closes #1920 2020-04-17 17:21:15 +00:00			`if ($user->cannot(Permission::ACTION_WEBSOCKET_CONNECT, $server)) {`
Simplify handling of permissions for websocket, only send permissions the user actually has 2020-04-07 04:03:00 +00:00			`throw new HttpException(Response::HTTP_FORBIDDEN, 'You do not have permission to connect to this server\'s websocket.');`
Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00			`}`

Simplify handling of permissions for websocket, only send permissions the user actually has 2020-04-07 04:03:00 +00:00			`$token = $this->jwtService`
Revoke JWT JTIs when modifying a subuser's permissions 2020-11-04 05:01:15 +00:00			`->setExpiresAt(CarbonImmutable::now()->addMinutes(10))`
Simplify handling of permissions for websocket, only send permissions the user actually has 2020-04-07 04:03:00 +00:00			`->setClaims([`
			`'user_id' => $request->user()->id,`
			`'server_uuid' => $server->uuid,`
Fix display of navbar links to admins, closes #1920 2020-04-17 17:21:15 +00:00			`'permissions' => $this->permissionsService->handle($server, $user),`
Simplify handling of permissions for websocket, only send permissions the user actually has 2020-04-07 04:03:00 +00:00			`])`
			`->handle($server->node, $user->id . $server->uuid);`
Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00
			`$socket = str_replace(['https://', 'http://'], ['wss://', 'ws://'], $server->node->getConnectionAddress());`

Add test coverage for generating JWTs to connect to websocket 2020-06-28 17:16:15 +00:00			`return new JsonResponse([`
Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00			`'data' => [`
First pass at converting websocket to send a token along with every call 2019-09-25 03:20:29 +00:00			`'token' => $token->__toString(),`
			`'socket' => $socket . sprintf('/api/servers/%s/ws', $server->uuid),`
Add underlying code to handle authenticating websocket credentials 2019-09-09 00:48:37 +00:00			`],`
			`]);`
			`}`
			`}`