misc_pterodactyl-panel/app/Http/Middleware/Api/Daemon/DaemonAuthenticate.php

<?php

namespace Pterodactyl\Http\Middleware\Api\Daemon;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Contracts\Encryption\Encrypter;
use Pterodactyl\Repositories\Eloquent\NodeRepository;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class DaemonAuthenticate
{
    /**
     * @var \Pterodactyl\Repositories\Eloquent\NodeRepository
     */
    private $repository;

    /**
     * @var \Illuminate\Contracts\Encryption\Encrypter
     */
    private $encrypter;

    /**
     * Daemon routes that this middleware should be skipped on.
     *
     * @var array
     */
    protected $except = [
        'daemon.configuration',
    ];

    /**
     * DaemonAuthenticate constructor.
     *
     * @param \Illuminate\Contracts\Encryption\Encrypter $encrypter
     * @param \Pterodactyl\Repositories\Eloquent\NodeRepository $repository
     */
    public function __construct(Encrypter $encrypter, NodeRepository $repository)
    {
        $this->repository = $repository;
        $this->encrypter = $encrypter;
    }

    /**
     * Check if a request from the daemon can be properly attributed back to a single node instance.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed
     *
     * @throws \Symfony\Component\HttpKernel\Exception\HttpException
     */
    public function handle(Request $request, Closure $next)
    {
        if (in_array($request->route()->getName(), $this->except)) {
            return $next($request);
        }

        if (is_null($bearer = $request->bearerToken())) {
            throw new HttpException(
                401, 'Access this this endpoint must include an Authorization header.', null, ['WWW-Authenticate' => 'Bearer']
            );
        }

        $parts = explode('.', $bearer);
        // Ensure that all of the correct parts are provided in the header.
        if (count($parts) !== 2 || empty($parts[0]) || empty($parts[1])) {
            throw new BadRequestHttpException(
                'The Authorization header provided was not in a valid format.'
            );
        }

        try {
            /** @var \Pterodactyl\Models\Node $node */
            $node = $this->repository->findFirstWhere([
                'daemon_token_id' => $parts[0],
            ]);

            if (hash_equals((string) $this->encrypter->decrypt($node->daemon_token), $parts[1])) {
                $request->attributes->set('node', $node);

                return $next($request);
            }
        } catch (RecordNotFoundException $exception) {
            // Do nothing, we don't want to expose a node not existing at all.
        }

        throw new AccessDeniedHttpException(
            'You are not authorized to access this resource.'
        );
    }
}
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00			`<?php`

Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`namespace Pterodactyl\Http\Middleware\Api\Daemon;`
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00
			`use Closure;`
			`use Illuminate\Http\Request;`
Store node daemon tokens in an encrypted manner 2020-04-10 22:15:38 +00:00			`use Illuminate\Contracts\Encryption\Encrypter;`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`use Pterodactyl\Repositories\Eloquent\NodeRepository;`
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00			`use Symfony\Component\HttpKernel\Exception\HttpException;`
			`use Pterodactyl\Exceptions\Repository\RecordNotFoundException;`
Don't throw errors if bad data is sent in the header 2020-04-10 22:53:19 +00:00			`use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;`
Implement fix to allow root admins to view all servers. closes #722 2017-11-05 18:38:39 +00:00			`use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;`
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00
			`class DaemonAuthenticate`
			`{`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`/**`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`* @var \Pterodactyl\Repositories\Eloquent\NodeRepository`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`*/`
			`private $repository;`

Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`/**`
			`* @var \Illuminate\Contracts\Encryption\Encrypter`
			`*/`
			`private $encrypter;`

Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00			`/**`
Update all the middlewares 2017-10-29 17:37:25 +00:00			`* Daemon routes that this middleware should be skipped on.`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`*`
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00			`* @var array`
			`*/`
Update all the middlewares 2017-10-29 17:37:25 +00:00			`protected $except = [`
			`'daemon.configuration',`
			`];`
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00
			`/**`
			`* DaemonAuthenticate constructor.`
			`*`
Store node daemon tokens in an encrypted manner 2020-04-10 22:15:38 +00:00			`* @param \Illuminate\Contracts\Encryption\Encrypter $encrypter`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`* @param \Pterodactyl\Repositories\Eloquent\NodeRepository $repository`
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00			`*/`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`public function __construct(Encrypter $encrypter, NodeRepository $repository)`
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00			`{`
			`$this->repository = $repository;`
Store node daemon tokens in an encrypted manner 2020-04-10 22:15:38 +00:00			`$this->encrypter = $encrypter;`
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00			`}`

			`/**`
			`* Check if a request from the daemon can be properly attributed back to a single node instance.`
			`*`
			`* @param \Illuminate\Http\Request $request`
Format files 2019-09-06 04:32:57 +00:00			`* @param \Closure $next`
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00			`* @return mixed`
			`*`
			`* @throws \Symfony\Component\HttpKernel\Exception\HttpException`
			`*/`
			`public function handle(Request $request, Closure $next)`
			`{`
Update all the middlewares 2017-10-29 17:37:25 +00:00			`if (in_array($request->route()->getName(), $this->except)) {`
			`return $next($request);`
			`}`

Store node daemon tokens in an encrypted manner 2020-04-10 22:15:38 +00:00			`if (is_null($bearer = $request->bearerToken())) {`
			`throw new HttpException(`
			`401, 'Access this this endpoint must include an Authorization header.', null, ['WWW-Authenticate' => 'Bearer']`
			`);`
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00			`}`

Don't throw errors if bad data is sent in the header 2020-04-10 22:53:19 +00:00			`$parts = explode('.', $bearer);`
			`// Ensure that all of the correct parts are provided in the header.`
			`if (count($parts) !== 2 \|\| empty($parts[0]) \|\| empty($parts[1])) {`
			`throw new BadRequestHttpException(`
Return all servers for a node as a paginated response Avoids crashing the PHP process and avoids a bad runaway N+1 query issue that previously existed. 2020-10-31 18:14:28 +00:00			`'The Authorization header provided was not in a valid format.'`
Don't throw errors if bad data is sent in the header 2020-04-10 22:53:19 +00:00			`);`
			`}`
Store node daemon tokens in an encrypted manner 2020-04-10 22:15:38 +00:00
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00			`try {`
Store node daemon tokens in an encrypted manner 2020-04-10 22:15:38 +00:00			`/** @var \Pterodactyl\Models\Node $node */`
			`$node = $this->repository->findFirstWhere([`
Don't throw errors if bad data is sent in the header 2020-04-10 22:53:19 +00:00			`'daemon_token_id' => $parts[0],`
Store node daemon tokens in an encrypted manner 2020-04-10 22:15:38 +00:00			`]);`

Don't throw errors if bad data is sent in the header 2020-04-10 22:53:19 +00:00			`if (hash_equals((string) $this->encrypter->decrypt($node->daemon_token), $parts[1])) {`
Store node daemon tokens in an encrypted manner 2020-04-10 22:15:38 +00:00			`$request->attributes->set('node', $node);`

			`return $next($request);`
			`}`
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00			`} catch (RecordNotFoundException $exception) {`
Store node daemon tokens in an encrypted manner 2020-04-10 22:15:38 +00:00			`// Do nothing, we don't want to expose a node not existing at all.`
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00			`}`

Store node daemon tokens in an encrypted manner 2020-04-10 22:15:38 +00:00			`throw new AccessDeniedHttpException(`
			`'You are not authorized to access this resource.'`
			`);`
Begin implementation of new daemon authentication scheme 2017-09-24 01:45:25 +00:00			`}`
			`}`