Implement basic security policy on daemon remote routes

Author: DaneEveritt

app/Http/Kernel.php

@@ -51,6 +51,7 @@ class Kernel extends HttpKernel
         'guest' => \Pterodactyl\Http\Middleware\RedirectIfAuthenticated::class,
         'server' => \Pterodactyl\Http\Middleware\CheckServer::class,
         'admin' => \Pterodactyl\Http\Middleware\AdminAuthenticate::class,
+        'daemon' => \Pterodactyl\Http\Middleware\DaemonAuthenticate::class,
         'csrf' => \Pterodactyl\Http\Middleware\VerifyCsrfToken::class,
         'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
         'can' => \Illuminate\Auth\Middleware\Authorize::class,

app/Http/Middleware/DaemonAuthenticate.php

@@ -0,0 +1,71 @@
+<?php
+/**
+ * Pterodactyl - Panel
+ * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace Pterodactyl\Http\Middleware;
+
+use Closure;
+use Pterodactyl\Models\Node;
+use Illuminate\Contracts\Auth\Guard;
+
+class DaemonAuthenticate
+{
+    /**
+     * The Guard implementation.
+     *
+     * @var Guard
+     */
+    protected $auth;
+
+    /**
+     * Create a new filter instance.
+     *
+     * @param  Guard  $auth
+     * @return void
+     */
+    public function __construct(Guard $auth)
+    {
+        $this->auth = $auth;
+    }
+
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        if (! $request->header('X-Access-Node')) {
+            return abort(403);
+        }
+
+        $node = Node::where('daemonSecret', $request->header('X-Access-Node'))->first();
+        if (! $node) {
+            return abort(404);
+        }
+
+        return $next($request);
+    }
+}

app/Http/Middleware/VerifyCsrfToken.php

@@ -13,6 +13,7 @@ class VerifyCsrfToken extends BaseVerifier
      */
     protected $except = [
         'remote/*',
+        'daemon/*',
         'api/*',
     ];
 }

app/Http/Routes/DaemonRoutes.php

@@ -30,7 +30,7 @@ class DaemonRoutes
 {
     public function map(Router $router)
     {
-        $router->group(['prefix' => 'daemon'], function () use ($router) {
+        $router->group(['prefix' => 'daemon', 'middleware' => 'daemon'], function () use ($router) {
             $router->get('services', [
                 'as' => 'daemon.services',
                 'uses' => 'Daemon\ServiceController@list',

app/Http/Routes/RemoteRoutes.php

@@ -42,11 +42,6 @@ public function map(Router $router)
                 'uses' => 'Remote\RemoteController@postInstall',
             ]);
 
-            $router->post('event', [
-                'as' => 'remote.event',
-                'uses' => 'Remote\RemoteController@event',
-            ]);
-
             $router->get('configuration/{token}', [
                 'as' => 'remote.configuration',
                 'uses' => 'Remote\RemoteController@getConfiguration',