Revoke JWT JTIs when modifying a subuser's permissions

Author: DaneEveritt

app/Http/Controllers/Api/Client/Servers/SubuserController.php

@@ -3,15 +3,16 @@
 namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
 
 use Illuminate\Http\Request;
-use Pterodactyl\Models\User;
 use Pterodactyl\Models\Server;
-use Pterodactyl\Models\Subuser;
 use Illuminate\Http\JsonResponse;
 use Pterodactyl\Models\Permission;
+use Illuminate\Support\Facades\Log;
 use Pterodactyl\Repositories\Eloquent\SubuserRepository;
 use Pterodactyl\Services\Subusers\SubuserCreationService;
+use Pterodactyl\Repositories\Wings\DaemonServerRepository;
 use Pterodactyl\Transformers\Api\Client\SubuserTransformer;
 use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
+use Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException;
 use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\GetSubuserRequest;
 use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\StoreSubuserRequest;
 use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\DeleteSubuserRequest;
@@ -29,20 +30,28 @@ class SubuserController extends ClientApiController
      */
     private $creationService;
 
+    /**
+     * @var \Pterodactyl\Repositories\Wings\DaemonServerRepository
+     */
+    private $serverRepository;
+
     /**
      * SubuserController constructor.
      *
      * @param \Pterodactyl\Repositories\Eloquent\SubuserRepository $repository
      * @param \Pterodactyl\Services\Subusers\SubuserCreationService $creationService
+     * @param \Pterodactyl\Repositories\Wings\DaemonServerRepository $serverRepository
      */
     public function __construct(
         SubuserRepository $repository,
-        SubuserCreationService $creationService
+        SubuserCreationService $creationService,
+        DaemonServerRepository $serverRepository
     ) {
         parent::__construct();
 
         $this->repository = $repository;
         $this->creationService = $creationService;
+        $this->serverRepository = $serverRepository;
     }
 
     /**
@@ -101,19 +110,38 @@ public function store(StoreSubuserRequest $request, Server $server)
      * Update a given subuser in the system for the server.
      *
      * @param \Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\UpdateSubuserRequest $request
+     * @param \Pterodactyl\Models\Server $server
      * @return array
      *
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
      */
-    public function update(UpdateSubuserRequest $request): array
+    public function update(UpdateSubuserRequest $request, Server $server): array
     {
         /** @var \Pterodactyl\Models\Subuser $subuser */
         $subuser = $request->attributes->get('subuser');
 
-        $this->repository->update($subuser->id, [
-            'permissions' => $this->getDefaultPermissions($request),
-        ]);
+        $permissions = $this->getDefaultPermissions($request);
+        $current = $subuser->permissions;
+
+        sort($permissions);
+        sort($current);
+
+        // Only update the database and hit up the Wings instance to invalidate JTI's if the permissions
+        // have actually changed for the user.
+        if ($permissions !== $current) {
+            $this->repository->update($subuser->id, [
+                'permissions' => $this->getDefaultPermissions($request),
+            ]);
+
+            try {
+                $this->serverRepository->setServer($server)->revokeJTIs([md5($subuser->user_id . $server->uuid)]);
+            } catch (DaemonConnectionException $exception) {
+                // Don't block this request if we can't connect to the Wings instance. Chances are it is
+                // offline in this event and the token will be invalid anyways once Wings boots back.
+                Log::warning($exception, ['user_id' => $subuser->user_id, 'server_id' => $server->id]);
+            }
+        }
 
         return $this->fractal->item($subuser->refresh())
             ->transformWith($this->getTransformer(SubuserTransformer::class))
@@ -124,15 +152,23 @@ public function update(UpdateSubuserRequest $request): array
      * Removes a subusers from a server's assignment.
      *
      * @param \Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\DeleteSubuserRequest $request
+     * @param \Pterodactyl\Models\Server $server
      * @return \Illuminate\Http\JsonResponse
      */
-    public function delete(DeleteSubuserRequest $request)
+    public function delete(DeleteSubuserRequest $request, Server $server)
     {
         /** @var \Pterodactyl\Models\Subuser $subuser */
         $subuser = $request->attributes->get('subuser');
 
         $this->repository->delete($subuser->id);
 
+        try {
+            $this->serverRepository->revokeJTIs([md5($subuser->user_id . $server->uuid)]);
+        } catch (DaemonConnectionException $exception) {
+            // Don't block this request if we can't connect to the Wings instance.
+            Log::warning($exception, ['user_id' => $subuser->user_id, 'server_id' => $server->id]);
+        }
+
         return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
     }
 

app/Http/Controllers/Api/Client/Servers/WebsocketController.php

@@ -59,7 +59,7 @@ public function __invoke(ClientApiRequest $request, Server $server)
         }
 
         $token = $this->jwtService
-            ->setExpiresAt(CarbonImmutable::now()->addMinutes(15))
+            ->setExpiresAt(CarbonImmutable::now()->addMinutes(10))
             ->setClaims([
                 'user_id' => $request->user()->id,
                 'server_uuid' => $server->uuid,

app/Repositories/Wings/DaemonServerRepository.php

@@ -126,11 +126,10 @@ public function suspend(bool $unsuspend = false): void
     }
 
     /**
-     * Requests the daemon to create a full archive of the server.
-     * Once the daemon is finished they will send a POST request to
-     * "/api/remote/servers/{uuid}/archive" with a boolean.
+     * Requests the daemon to create a full archive of the server. Once the daemon is finished
+     * they will send a POST request to "/api/remote/servers/{uuid}/archive" with a boolean.
      *
-     * @throws DaemonConnectionException
+     * @throws \Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException
      */
     public function requestArchive(): void
     {
@@ -144,4 +143,25 @@ public function requestArchive(): void
             throw new DaemonConnectionException($exception);
         }
     }
+
+    /**
+     * Revokes an array of JWT JTI's by marking any token generated before the current time on
+     * the Wings instance as being invalid.
+     *
+     * @param array $jtis
+     * @throws \Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException
+     */
+    public function revokeJTIs(array $jtis): void
+    {
+        Assert::isInstanceOf($this->server, Server::class);
+
+        try {
+            $this->getHttpClient()
+                ->post(sprintf('/api/servers/%s/ws/deny', $this->server->uuid), [
+                    'json' => ['jtis' => $jtis],
+                ]);
+        } catch (TransferException $exception) {
+            throw new DaemonConnectionException($exception);
+        }
+    }
 }