First pass at converting websocket to send a token along with every call

Author: DaneEveritt

app/Http/Controllers/Api/Client/Servers/WebsocketController.php

@@ -3,11 +3,13 @@
 namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
 
 use Cake\Chronos\Chronos;
-use Illuminate\Support\Str;
+use Lcobucci\JWT\Builder;
 use Illuminate\Http\Request;
+use Lcobucci\JWT\Signer\Key;
 use Illuminate\Http\Response;
 use Pterodactyl\Models\Server;
 use Illuminate\Http\JsonResponse;
+use Lcobucci\JWT\Signer\Hmac\Sha256;
 use Illuminate\Contracts\Cache\Repository;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
@@ -32,12 +34,10 @@ public function __construct(Repository $cache)
     }
 
     /**
-     * Generates a one-time token that is sent along in the request to the Daemon. The
-     * daemon then connects back to the Panel to verify that the token is valid when it
-     * is used.
-     *
-     * This token is valid for 30 seconds from time of generation, it is not designed
-     * to be stored and used over and over.
+     * Generates a one-time token that is sent along in every websocket call to the Daemon.
+     * This is a signed JWT that the Daemon then uses the verify the user's identity, and
+     * allows us to continually renew this token and avoid users mainitaining sessions wrongly,
+     * as well as ensure that user's only perform actions they're allowed to.
      *
      * @param \Illuminate\Http\Request $request
      * @param \Pterodactyl\Models\Server $server
@@ -51,20 +51,26 @@ public function __invoke(Request $request, Server $server)
             );
         }
 
-        $token = Str::random(32);
+        $now = Chronos::now();
+
+        $signer = new Sha256;
 
-        $this->cache->put('ws:' . $token, [
-            'user_id' => $request->user()->id,
-            'server_id' => $server->id,
-            'request_ip' => $request->ip(),
-            'timestamp' => Chronos::now()->toIso8601String(),
-        ], Chronos::now()->addSeconds(30));
+        $token = (new Builder)->issuedBy(config('app.url'))
+            ->permittedFor($server->node->getConnectionAddress())
+            ->identifiedBy(hash('sha256', $request->user()->id . $server->uuid), true)
+            ->issuedAt($now->getTimestamp())
+            ->canOnlyBeUsedAfter($now->getTimestamp())
+            ->expiresAt($now->addMinutes(15)->getTimestamp())
+            ->withClaim('user_id', $request->user()->id)
+            ->withClaim('server_uuid', $server->uuid)
+            ->getToken($signer, new Key($server->node->daemonSecret));
 
         $socket = str_replace(['https://', 'http://'], ['wss://', 'ws://'], $server->node->getConnectionAddress());
 
         return JsonResponse::create([
             'data' => [
-                'socket' => $socket . sprintf('/api/servers/%s/ws/%s', $server->uuid, $token),
+                'token' => $token->__toString(),
+                'socket' => $socket . sprintf('/api/servers/%s/ws', $server->uuid),
             ],
         ]);
     }

app/Http/Controllers/Api/Remote/ValidateWebsocketController.php

@@ -26,6 +26,7 @@
         "laravel/framework": "^6.0.0",
         "laravel/helpers": "^1.1",
         "laravel/tinker": "^1.0",
+        "lcobucci/jwt": "^3.3",
         "matriphe/iso-639": "^1.2",
         "pragmarx/google2fa": "^5.0",
         "predis/predis": "^1.1",

composer.json

@@ -1,9 +1,17 @@
 import http from '@/api/http';
 
-export default (server: string): Promise<string> => {
+interface Response {
+    token: string;
+    socket: string;
+}
+
+export default (server: string): Promise<Response> => {
     return new Promise((resolve, reject) => {
         http.get(`/api/client/servers/${server}/websocket`)
-            .then(response => resolve(response.data.data.socket))
+            .then(({ data }) => resolve({
+                token: data.data.token,
+                socket: data.data.socket,
+            }))
             .catch(reject);
     });
 };

composer.lock

@@ -1,6 +1,7 @@
 import React, { useEffect } from 'react';
 import { Websocket } from '@/plugins/Websocket';
 import { ServerContext } from '@/state/server';
+import getWebsocketToken from '@/api/server/getWebsocketToken';
 
 export default () => {
     const server = ServerContext.useStoreState(state => state.server.data);
@@ -15,15 +16,18 @@ export default () => {
             return;
         }
 
-        const socket = new Websocket(server.uuid);
+        const socket = new Websocket();
 
         socket.on('SOCKET_OPEN', () => setConnectionState(true));
         socket.on('SOCKET_CLOSE', () => setConnectionState(false));
         socket.on('SOCKET_ERROR', () => setConnectionState(false));
         socket.on('status', (status) => setServerStatus(status));
 
-        socket.connect()
-            .then(() => setInstance(socket))
+        getWebsocketToken(server.uuid)
+            .then(data => {
+                socket.setToken(data.token).connect(data.socket);
+                setInstance(socket);
+            })
             .catch(error => console.error(error));
 
         return () => {
@@ -36,8 +40,8 @@ export default () => {
     // exist outside of dev? Will need to see how things go.
     if (process.env.NODE_ENV === 'development') {
         useEffect(() => {
-            if (!connected && instance) {
-                instance.connect();
+            if (!connected && instance && instance.getToken() && instance.getSocketUrl()) {
+                instance.connect(instance.getSocketUrl()!);
             }
         }, [ connected ]);
     }

resources/scripts/api/server/getWebsocketToken.ts

@@ -1,5 +1,4 @@
 import Sockette from 'sockette';
-import getWebsocketToken from '@/api/server/getWebsocketToken';
 import { EventEmitter } from 'events';
 
 export const SOCKET_EVENTS = [
@@ -10,37 +9,54 @@ export const SOCKET_EVENTS = [
 ];
 
 export class Websocket extends EventEmitter {
-    private socket: Sockette | null;
-    private readonly uuid: string;
-
-    constructor (uuid: string) {
-        super();
-
-        this.socket = null;
-        this.uuid = uuid;
-    }
-
-    async connect (): Promise<void> {
-        getWebsocketToken(this.uuid)
-            .then(url => {
-                this.socket = new Sockette(url, {
-                    onmessage: e => {
-                        try {
-                            let { event, args } = JSON.parse(e.data);
-                            this.emit(event, ...args);
-                        } catch (ex) {
-                            console.warn('Failed to parse incoming websocket message.', ex);
-                        }
-                    },
-                    onopen: () => this.emit('SOCKET_OPEN'),
-                    onreconnect: () => this.emit('SOCKET_RECONNECT'),
-                    onclose: () => this.emit('SOCKET_CLOSE'),
-                    onerror: () => this.emit('SOCKET_ERROR'),
-                });
-
-                return Promise.resolve();
-            })
-            .catch(error => Promise.reject(error));
+    // The socket instance being tracked.
+    private socket: Sockette | null = null;
+
+    // The URL being connected to for the socket.
+    private url: string | null = null;
+
+    // The authentication token passed along with every request to the Daemon.
+    // By default this token expires every 15 minutes and must therefore be
+    // refreshed at a pretty continuous interval. The socket server will respond
+    // with "token expiring" and "token expired" events when approaching 3 minutes
+    // and 0 minutes to expiry.
+    private token: string = '';
+
+    // Connects to the websocket instance and sets the token for the initial request.
+    connect (url: string) {
+        this.url = url;
+        this.socket = new Sockette(url, {
+            onmessage: e => {
+                try {
+                    let { event, args } = JSON.parse(e.data);
+                    this.emit(event, ...args);
+                } catch (ex) {
+                    console.warn('Failed to parse incoming websocket message.', ex);
+                }
+            },
+            onopen: () => this.emit('SOCKET_OPEN'),
+            onreconnect: () => this.emit('SOCKET_RECONNECT'),
+            onclose: () => this.emit('SOCKET_CLOSE'),
+            onerror: () => this.emit('SOCKET_ERROR'),
+        });
+    }
+
+    // Returns the URL connected to for the socket.
+    getSocketUrl (): string | null {
+        return this.url;
+    }
+
+    // Sets the authentication token to use when sending commands back and forth
+    // between the websocket instance.
+    setToken (token: string): this {
+        this.token = token;
+
+        return this;
+    }
+
+    // Returns the token being used at the current moment.
+    getToken (): string {
+        return this.token;
     }
 
     close (code?: number, reason?: string) {
@@ -57,7 +73,9 @@ export class Websocket extends EventEmitter {
 
     send (event: string, payload?: string | string[]) {
         this.socket && this.socket.send(JSON.stringify({
-            event, args: Array.isArray(payload) ? payload : [ payload ],
+            event,
+            args: Array.isArray(payload) ? payload : [ payload ],
+            token: this.token || '',
         }));
     }
 }