misc_pterodactyl-panel/app/Http/Middleware/Api/Daemon/DaemonAuthenticate.php

<?php

namespace Pterodactyl\Http\Middleware\Api\Daemon;

use Closure;
use Illuminate\Http\Request;
use Pterodactyl\Models\Node;
use Illuminate\Contracts\Encryption\Encrypter;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class DaemonAuthenticate
{
    /**
     * Daemon routes that this middleware should be skipped on.
     */
    protected array $except = [
        'daemon.configuration',
    ];

    /**
     * DaemonAuthenticate constructor.
     */
    public function __construct(private Encrypter $encrypter)
    {
    }

    /**
     * Check if a request from the daemon can be properly attributed back to a single node instance.
     *
     * @throws HttpException
     */
    public function handle(Request $request, Closure $next): mixed
    {
        if (in_array($request->route()->getName(), $this->except)) {
            return $next($request);
        }

        if (is_null($bearer = $request->bearerToken())) {
            throw new HttpException(401, 'Access to this endpoint must include an Authorization header.', null, ['WWW-Authenticate' => 'Bearer']);
        }

        $parts = explode('.', $bearer);
        // Ensure that all the correct parts are provided in the header.
        if (count($parts) !== 2 || empty($parts[0]) || empty($parts[1])) {
            throw new BadRequestHttpException('The Authorization header provided was not in a valid format.');
        }

        /** @var Node $node */
        $node = Node::query()->where('daemon_token_id', $parts[0])->firstOrFail();

        if (hash_equals((string) $this->encrypter->decrypt($node->daemon_token), $parts[1])) {
            $request->attributes->set('node', $node);

            return $next($request);
        }

        throw new AccessDeniedHttpException('You are not authorized to access this resource.');
    }
}
Begin implementation of new daemon authentication scheme 2017-09-23 20:45:25 -05:00			`<?php`

Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 16:06:19 -06:00			`namespace Pterodactyl\Http\Middleware\Api\Daemon;`
Begin implementation of new daemon authentication scheme 2017-09-23 20:45:25 -05:00
			`use Closure;`
			`use Illuminate\Http\Request;`
Replace node repository 2022-10-23 22:17:24 -04:00			`use Pterodactyl\Models\Node;`
Store node daemon tokens in an encrypted manner 2020-04-10 15:15:38 -07:00			`use Illuminate\Contracts\Encryption\Encrypter;`
Begin implementation of new daemon authentication scheme 2017-09-23 20:45:25 -05:00			`use Symfony\Component\HttpKernel\Exception\HttpException;`
Don't throw errors if bad data is sent in the header 2020-04-10 15:53:19 -07:00			`use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;`
Implement fix to allow root admins to view all servers. closes #722 2017-11-05 12:38:39 -06:00			`use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;`
Begin implementation of new daemon authentication scheme 2017-09-23 20:45:25 -05:00
			`class DaemonAuthenticate`
			`{`
			`/**`
Update all the middlewares 2017-10-29 12:37:25 -05:00			`* Daemon routes that this middleware should be skipped on.`
Begin implementation of new daemon authentication scheme 2017-09-23 20:45:25 -05:00			`*/`
Upgrade to Laravel 9 (#4413) Co-authored-by: DaneEveritt <dane@daneeveritt.com> 2022-10-14 10:59:20 -06:00			`protected array $except = [`
Update all the middlewares 2017-10-29 12:37:25 -05:00			`'daemon.configuration',`
			`];`
Begin implementation of new daemon authentication scheme 2017-09-23 20:45:25 -05:00
			`/**`
			`* DaemonAuthenticate constructor.`
			`*/`
Replace node repository 2022-10-23 22:17:24 -04:00			`public function __construct(private Encrypter $encrypter)`
Begin implementation of new daemon authentication scheme 2017-09-23 20:45:25 -05:00			`{`
			`}`

			`/**`
			`* Check if a request from the daemon can be properly attributed back to a single node instance.`
			`*`
Replace node repository 2022-10-23 22:17:24 -04:00			`* @throws HttpException`
Begin implementation of new daemon authentication scheme 2017-09-23 20:45:25 -05:00			`*/`
Upgrade to Laravel 9 (#4413) Co-authored-by: DaneEveritt <dane@daneeveritt.com> 2022-10-14 10:59:20 -06:00			`public function handle(Request $request, Closure $next): mixed`
Begin implementation of new daemon authentication scheme 2017-09-23 20:45:25 -05:00			`{`
Update all the middlewares 2017-10-29 12:37:25 -05:00			`if (in_array($request->route()->getName(), $this->except)) {`
			`return $next($request);`
			`}`

Store node daemon tokens in an encrypted manner 2020-04-10 15:15:38 -07:00			`if (is_null($bearer = $request->bearerToken())) {`
Fix 401 error typo (#3393) 2021-06-03 23:35:51 +03:00			`throw new HttpException(401, 'Access to this endpoint must include an Authorization header.', null, ['WWW-Authenticate' => 'Bearer']);`
Begin implementation of new daemon authentication scheme 2017-09-23 20:45:25 -05:00			`}`

Don't throw errors if bad data is sent in the header 2020-04-10 15:53:19 -07:00			`$parts = explode('.', $bearer);`
Replace node repository 2022-10-23 22:17:24 -04:00			`// Ensure that all the correct parts are provided in the header.`
Don't throw errors if bad data is sent in the header 2020-04-10 15:53:19 -07:00			`if (count($parts) !== 2 \|\| empty($parts[0]) \|\| empty($parts[1])) {`
Use more standardized phpcs 2021-01-23 12:33:34 -08:00			`throw new BadRequestHttpException('The Authorization header provided was not in a valid format.');`
Don't throw errors if bad data is sent in the header 2020-04-10 15:53:19 -07:00			`}`
Store node daemon tokens in an encrypted manner 2020-04-10 15:15:38 -07:00
Replace node repository 2022-10-23 22:17:24 -04:00			`/** @var Node $node */`
			`$node = Node::query()->where('daemon_token_id', $parts[0])->firstOrFail();`
Store node daemon tokens in an encrypted manner 2020-04-10 15:15:38 -07:00
Replace node repository 2022-10-23 22:17:24 -04:00			`if (hash_equals((string) $this->encrypter->decrypt($node->daemon_token), $parts[1])) {`
			`$request->attributes->set('node', $node);`
Store node daemon tokens in an encrypted manner 2020-04-10 15:15:38 -07:00
Replace node repository 2022-10-23 22:17:24 -04:00			`return $next($request);`
Begin implementation of new daemon authentication scheme 2017-09-23 20:45:25 -05:00			`}`

Use more standardized phpcs 2021-01-23 12:33:34 -08:00			`throw new AccessDeniedHttpException('You are not authorized to access this resource.');`
Begin implementation of new daemon authentication scheme 2017-09-23 20:45:25 -05:00			`}`
			`}`