Strip out JWT usage and use cookies to track the currently logged in user

Author: DaneEveritt

app/Http/Controllers/Auth/AbstractLoginController.php

@@ -2,8 +2,6 @@
 
 namespace Pterodactyl\Http\Controllers\Auth;
 
-use Cake\Chronos\Chronos;
-use Lcobucci\JWT\Builder;
 use Illuminate\Http\Request;
 use Pterodactyl\Models\User;
 use Illuminate\Auth\AuthManager;
@@ -16,7 +14,6 @@
 use Illuminate\Contracts\Encryption\Encrypter;
 use Illuminate\Foundation\Auth\AuthenticatesUsers;
 use Pterodactyl\Traits\Helpers\ProvidesJWTServices;
-use Pterodactyl\Transformers\Api\Client\AccountTransformer;
 use Illuminate\Contracts\Cache\Repository as CacheRepository;
 use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
 
@@ -29,11 +26,6 @@ abstract class AbstractLoginController extends Controller
      */
     protected $auth;
 
-    /**
-     * @var \Lcobucci\JWT\Builder
-     */
-    protected $builder;
-
     /**
      * @var \Illuminate\Contracts\Cache\Repository
      */
@@ -79,22 +71,19 @@ abstract class AbstractLoginController extends Controller
      * LoginController constructor.
      *
      * @param \Illuminate\Auth\AuthManager                              $auth
-     * @param \Lcobucci\JWT\Builder                                     $builder
      * @param \Illuminate\Contracts\Cache\Repository                    $cache
      * @param \Illuminate\Contracts\Encryption\Encrypter                $encrypter
      * @param \PragmaRX\Google2FA\Google2FA                             $google2FA
      * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $repository
      */
     public function __construct(
         AuthManager $auth,
-        Builder $builder,
         CacheRepository $cache,
         Encrypter $encrypter,
         Google2FA $google2FA,
         UserRepositoryInterface $repository
     ) {
         $this->auth = $auth;
-        $this->builder = $builder;
         $this->cache = $cache;
         $this->encrypter = $encrypter;
         $this->google2FA = $google2FA;
@@ -143,34 +132,10 @@ protected function sendLoginResponse(User $user, Request $request): JsonResponse
         return response()->json([
             'complete' => true,
             'intended' => $this->redirectPath(),
-            'jwt' => $this->createJsonWebToken($user),
+            'user' => $user->toVueObject(),
         ]);
     }
 
-    /**
-     * Create a new JWT for the request and sign it using the signing key.
-     *
-     * @param User $user
-     * @return string
-     */
-    protected function createJsonWebToken(User $user): string
-    {
-        $now = Chronos::now('utc');
-
-        $token = $this->builder
-            ->setIssuer('Pterodactyl Panel')
-            ->setAudience(config('app.url'))
-            ->setId(str_random(16), true)
-            ->setIssuedAt($now->getTimestamp())
-            ->setNotBefore($now->getTimestamp())
-            ->setExpiration($now->addSeconds(config('jwt.lifetime'))->getTimestamp())
-            ->set('user', (new AccountTransformer())->transform($user))
-            ->sign($this->getJWTSigner(), $this->getJWTSigningKey())
-            ->getToken();
-
-        return $token->__toString();
-    }
-
     /**
      * Determine if the user is logging in using an email or username,.
      *

app/Http/Kernel.php

@@ -49,6 +49,7 @@ class Kernel extends HttpKernel
      */
     protected $middleware = [
         CheckForMaintenanceMode::class,
+        EncryptCookies::class,
         ValidatePostSize::class,
         TrimStrings::class,
         ConvertEmptyStringsToNull::class,
@@ -62,7 +63,6 @@ class Kernel extends HttpKernel
      */
     protected $middlewareGroups = [
         'web' => [
-            EncryptCookies::class,
             AddQueuedCookiesToResponse::class,
             StartSession::class,
             AuthenticateSession::class,
@@ -82,8 +82,10 @@ class Kernel extends HttpKernel
         ],
         'client-api' => [
             'throttle:240,1',
-            SubstituteClientApiBindings::class,
+            StartSession::class,
             SetSessionDriver::class,
+            AuthenticateSession::class,
+            SubstituteClientApiBindings::class,
             'api..key:' . ApiKey::TYPE_ACCOUNT,
             AuthenticateIPAccess::class,
         ],

app/Http/Middleware/Api/AuthenticateKey.php

@@ -3,9 +3,9 @@
 namespace Pterodactyl\Http\Middleware\Api;
 
 use Closure;
-use Lcobucci\JWT\Parser;
 use Cake\Chronos\Chronos;
 use Illuminate\Http\Request;
+use Pterodactyl\Models\User;
 use Pterodactyl\Models\ApiKey;
 use Illuminate\Auth\AuthManager;
 use Illuminate\Contracts\Encryption\Encrypter;
@@ -62,15 +62,19 @@ public function __construct(ApiKeyRepositoryInterface $repository, AuthManager $
      */
     public function handle(Request $request, Closure $next, int $keyType)
     {
-        if (is_null($request->bearerToken())) {
+        if (is_null($request->bearerToken()) && is_null($request->user())) {
             throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
         }
 
         $raw = $request->bearerToken();
 
-        // This is an internal JWT, treat it differently to get the correct user before passing it along.
-        if (strlen($raw) > ApiKey::IDENTIFIER_LENGTH + ApiKey::KEY_LENGTH) {
-            $model = $this->authenticateJWT($raw);
+        // This is a request coming through using cookies, we have an authenticated user not using
+        // an API key. Make some fake API key models and continue on through the process.
+        if (empty($raw) && $request->user() instanceof User) {
+            $model = new ApiKey([
+                'user_id' => $request->user()->id,
+                'key_type' => ApiKey::TYPE_ACCOUNT,
+            ]);
         } else {
             $model = $this->authenticateApiKey($raw, $keyType);
         }
@@ -81,42 +85,6 @@ public function handle(Request $request, Closure $next, int $keyType)
         return $next($request);
     }
 
-    /**
-     * Authenticate an API request using a JWT rather than an API key.
-     *
-     * @param string $token
-     * @return \Pterodactyl\Models\ApiKey
-     */
-    protected function authenticateJWT(string $token): ApiKey
-    {
-        $token = (new Parser)->parse($token);
-
-        // If the key cannot be verified throw an exception to indicate that a bad
-        // authorization header was provided.
-        if (! $token->verify($this->getJWTSigner(), $this->getJWTSigningKey())) {
-            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
-        }
-
-        // Run through the token validation and throw an exception if the token is not valid.
-        //
-        // The issued_at time is used for verification in order to allow rapid changing of session
-        // length on the Panel without having to wait on existing tokens to first expire.
-        $now = Chronos::now('utc');
-        if (
-            Chronos::createFromTimestampUTC($token->getClaim('nbf'))->gt($now)
-            || $token->getClaim('iss') !== 'Pterodactyl Panel'
-            || $token->getClaim('aud') !== config('app.url')
-            || Chronos::createFromTimestampUTC($token->getClaim('iat'))->addMinutes(config('jwt.lifetime'))->lte($now)
-        ) {
-            throw new AccessDeniedHttpException('The authentication parameters provided are not valid for accessing this resource.');
-        }
-
-        return (new ApiKey)->forceFill([
-            'user_id' => object_get($token->getClaim('user'), 'id', 0),
-            'key_type' => ApiKey::TYPE_ACCOUNT,
-        ]);
-    }
-
     /**
      * Authenticate an API key.
      *

app/Models/User.php

@@ -5,6 +5,7 @@
 use Sofa\Eloquence\Eloquence;
 use Sofa\Eloquence\Validable;
 use Pterodactyl\Rules\Username;
+use Illuminate\Support\Collection;
 use Illuminate\Validation\Rules\In;
 use Illuminate\Auth\Authenticatable;
 use Illuminate\Database\Eloquent\Model;
@@ -177,6 +178,16 @@ protected static function gatherRules()
         return $rules;
     }
 
+    /**
+     * Return the user model in a format that can be passed over to Vue templates.
+     *
+     * @return array
+     */
+    public function toVueObject(): array
+    {
+        return (new Collection($this->toArray()))->except(['id', 'external_id'])->toArray();
+    }
+
     /**
      * Send the password reset notification.
      *

resources/assets/scripts/helpers/axios.js

@@ -1,5 +1,3 @@
-import User from './../models/user';
-
 /**
  * We'll load the axios HTTP library which allows us to easily issue requests
  * to our Laravel back-end. This library automatically handles sending the
@@ -9,7 +7,6 @@ import User from './../models/user';
 let axios = require('axios');
 axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
 axios.defaults.headers.common['Accept'] = 'application/json';
-axios.defaults.headers.common['Authorization'] = `Bearer ${User.getToken()}`;
 
 if (typeof phpdebugbar !== 'undefined') {
     axios.interceptors.response.use(function (response) {

resources/assets/scripts/models/user.js

@@ -1,40 +1,4 @@
-import isString from 'lodash/isString';
-import jwtDecode from 'jwt-decode';
-
 export default class User {
-    /**
-     * Get a new user model from the JWT.
-     *
-     * @return {User | null}
-     */
-    static fromToken(token) {
-        if (!isString(token)) {
-            token = this.getToken();
-        }
-
-        if (!isString(token) || token.length < 1) {
-            return null;
-        }
-
-        try {
-            const data = jwtDecode(token);
-            if (data.user) {
-                return new User(data.user);
-            }
-        } catch (ex) {}
-
-        return null;
-    }
-
-    /**
-     * Return the JWT for the authenticated user.
-     *
-     * @returns {string | null}
-     */
-    static getToken() {
-        return localStorage.getItem('token');
-    }
-
     /**
      * Create a new user model.
      *
@@ -46,26 +10,19 @@ export default class User {
      * @param {String} language
      */
     constructor({
-        admin,
+        root_admin,
         username,
         email,
         first_name,
         last_name,
         language,
     }) {
-        this.admin = admin;
+        this.admin = root_admin;
         this.username = username;
         this.email = email;
         this.name = `${first_name} ${last_name}`;
         this.first_name = first_name;
         this.last_name = last_name;
         this.language = language;
     }
-
-    /**
-     * Returns the JWT belonging to the current user.
-     */
-    getJWT() {
-        return jwtDecode(User.getToken());
-    }
 }

resources/assets/scripts/router.js

@@ -10,6 +10,7 @@ import Login from './components/auth/Login';
 import Dashboard from './components/dashboard/Dashboard';
 import Account from './components/dashboard/Account';
 import ResetPassword from './components/auth/ResetPassword';
+import User from './models/user';
 
 const routes = [
     { name: 'login', path: '/auth/login', component: Login },
@@ -52,17 +53,10 @@ router.beforeEach((to, from, next) => {
 
     const user = store.getters['auth/getUser'];
 
-    // If user is trying to access any of the non-authentication endpoints ensure that they have
-    // a valid, non-expired JWT.
-    if (!to.path.startsWith('/auth')) {
-        // Check if the JWT has expired. Don't use the exp field, but rather that issued at time
-        // so that we can adjust how long we want to wait for expiration on both server-side and
-        // client side without having to wait for older tokens to pass their expiration time if
-        // we lower it.
-        if (user === null || compareDate(addHours(dateParse(user.getJWT().iat * 1000), 12), new Date()) < 0) {
-            store.commit('auth/logout');
-            return window.location = route('auth.logout');
-        }
+    // Check that if we're accessing a non-auth route that a user exists on the page.
+    if (!to.path.startsWith('/auth') && !(user instanceof User)) {
+        store.commit('auth/logout');
+        return window.location = route('auth.logout');
     }
 
     // Continue on through the pipeline.

resources/assets/scripts/store/modules/auth.js

@@ -5,7 +5,7 @@ const route = require('./../../../../../vendor/tightenco/ziggy/src/js/route').de
 export default {
     namespaced: true,
     state: {
-        user: User.fromToken(),
+        user: typeof window.PterodactylUser === 'object' ? new User(window.PterodactylUser) : null,
     },
     getters: {
         /**
@@ -41,7 +41,7 @@ export default {
                         }
 
                         if (response.data.complete) {
-                            commit('login', {jwt: response.data.jwt});
+                            commit('login', response.data.user);
                             return resolve({
                                 complete: true,
                                 intended: response.data.intended,
@@ -86,12 +86,10 @@ export default {
         setEmail: function (state, email) {
             state.user.email = email;
         },
-        login: function (state, {jwt}) {
-            localStorage.setItem('token', jwt);
-            state.user = User.fromToken(jwt);
+        login: function (state, data) {
+            state.user = new User(data);
         },
         logout: function (state) {
-            localStorage.removeItem('token');
             state.user = null;
         },
     },

resources/themes/pterodactyl/templates/wrapper.blade.php

@@ -9,6 +9,14 @@
             <meta name="csrf-token" content="{{ csrf_token() }}">
         @show
 
+        @section('user-data')
+            @if(!is_null(Auth::user()))
+                <script>
+                    window.PterodactylUser = {!! json_encode(Auth::user()->toVueObject()) !!}
+                </script>
+            @endif
+        @show
+
         @section('assets')
             {!! $asset->css('main.css') !!}
         @show