Fix file and backup downloading to use URL returned by server

Author: DaneEveritt

app/Http/Controllers/Api/Client/Servers/DownloadBackupController.php

@@ -2,14 +2,10 @@
 
 namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
 
-use Lcobucci\JWT\Builder;
 use Carbon\CarbonImmutable;
-use Illuminate\Support\Str;
-use Lcobucci\JWT\Signer\Key;
 use Pterodactyl\Models\Backup;
 use Pterodactyl\Models\Server;
-use Lcobucci\JWT\Signer\Hmac\Sha256;
-use Illuminate\Http\RedirectResponse;
+use Pterodactyl\Services\Nodes\NodeJWTService;
 use Illuminate\Contracts\Routing\ResponseFactory;
 use Pterodactyl\Repositories\Wings\DaemonBackupRepository;
 use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
@@ -27,20 +23,28 @@ class DownloadBackupController extends ClientApiController
      */
     private $responseFactory;
 
+    /**
+     * @var \Pterodactyl\Services\Nodes\NodeJWTService
+     */
+    private $jwtService;
+
     /**
      * DownloadBackupController constructor.
      *
      * @param \Pterodactyl\Repositories\Wings\DaemonBackupRepository $daemonBackupRepository
+     * @param \Pterodactyl\Services\Nodes\NodeJWTService $jwtService
      * @param \Illuminate\Contracts\Routing\ResponseFactory $responseFactory
      */
     public function __construct(
         DaemonBackupRepository $daemonBackupRepository,
+        NodeJWTService $jwtService,
         ResponseFactory $responseFactory
     ) {
         parent::__construct();
 
         $this->daemonBackupRepository = $daemonBackupRepository;
         $this->responseFactory = $responseFactory;
+        $this->jwtService = $jwtService;
     }
 
     /**
@@ -51,30 +55,27 @@ public function __construct(
      * @param \Pterodactyl\Http\Requests\Api\Client\Servers\Backups\DownloadBackupRequest $request
      * @param \Pterodactyl\Models\Server $server
      * @param \Pterodactyl\Models\Backup $backup
-     * @return \Illuminate\Http\RedirectResponse
+     * @return array
      */
     public function __invoke(DownloadBackupRequest $request, Server $server, Backup $backup)
     {
-        $signer = new Sha256;
-        $now = CarbonImmutable::now();
-
-        $token = (new Builder)->issuedBy(config('app.url'))
-            ->permittedFor($server->node->getConnectionAddress())
-            ->identifiedBy(hash('sha256', $request->user()->id . $server->uuid), true)
-            ->issuedAt($now->getTimestamp())
-            ->canOnlyBeUsedAfter($now->subMinutes(5)->getTimestamp())
-            ->expiresAt($now->addMinutes(15)->getTimestamp())
-            ->withClaim('unique_id', Str::random(16))
-            ->withClaim('backup_uuid', $backup->uuid)
-            ->withClaim('server_uuid', $server->uuid)
-            ->getToken($signer, new Key($server->node->daemonSecret));
-
-        $location = sprintf(
-            '%s/download/backup?token=%s',
-            $server->node->getConnectionAddress(),
-            $token->__toString()
-        );
+        $token = $this->jwtService
+            ->setExpiresAt(CarbonImmutable::now()->addMinutes(15))
+            ->setClaims([
+                'backup_uuid' => $backup->uuid,
+                'server_uuid' => $server->uuid,
+            ])
+            ->handle($server->node, $request->user()->id . $server->uuid);
 
-        return RedirectResponse::create($location);
+        return [
+            'object' => 'signed_url',
+            'attributes' => [
+                'url' => sprintf(
+                    '%s/download/backup?token=%s',
+                    $server->node->getConnectionAddress(),
+                    $token->__toString()
+                ),
+            ],
+        ];
     }
 }

app/Http/Controllers/Api/Client/Servers/FileController.php

@@ -2,9 +2,11 @@
 
 namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
 
+use Carbon\CarbonImmutable;
 use Illuminate\Http\Response;
 use Pterodactyl\Models\Server;
 use GuzzleHttp\Exception\TransferException;
+use Pterodactyl\Services\Nodes\NodeJWTService;
 use Illuminate\Contracts\Routing\ResponseFactory;
 use Pterodactyl\Repositories\Wings\DaemonFileRepository;
 use Pterodactyl\Transformers\Daemon\FileObjectTransformer;
@@ -30,20 +32,28 @@ class FileController extends ClientApiController
      */
     private $responseFactory;
 
+    /**
+     * @var \Pterodactyl\Services\Nodes\NodeJWTService
+     */
+    private $jwtService;
+
     /**
      * FileController constructor.
      *
      * @param \Illuminate\Contracts\Routing\ResponseFactory $responseFactory
+     * @param \Pterodactyl\Services\Nodes\NodeJWTService $jwtService
      * @param \Pterodactyl\Repositories\Wings\DaemonFileRepository $fileRepository
      */
     public function __construct(
         ResponseFactory $responseFactory,
+        NodeJWTService $jwtService,
         DaemonFileRepository $fileRepository
     ) {
         parent::__construct();
 
         $this->fileRepository = $fileRepository;
         $this->responseFactory = $responseFactory;
+        $this->jwtService = $jwtService;
     }
 
     /**
@@ -90,36 +100,35 @@ public function getFileContents(GetFileContentsRequest $request, Server $server)
     }
 
     /**
+     * Generates a one-time token with a link that the user can use to
+     * download a given file.
+     *
      * @param \Pterodactyl\Http\Requests\Api\Client\Servers\Files\GetFileContentsRequest $request
      * @param \Pterodactyl\Models\Server $server
-     * @return \Symfony\Component\HttpFoundation\StreamedResponse
+     * @return array
      *
      * @throws \Exception
      */
     public function download(GetFileContentsRequest $request, Server $server)
     {
-        set_time_limit(0);
-
-        $request = $this->fileRepository->setServer($server)->streamContent(
-            $request->get('file')
-        );
-
-        $body = $request->getBody();
-
-        preg_match('/filename=(?<name>.*)$/', $request->getHeaderLine('Content-Disposition'), $matches);
-
-        return $this->responseFactory->streamDownload(
-            function () use ($body) {
-                while (! $body->eof()) {
-                    echo $body->read(128);
-                }
-            },
-            $matches['name'] ?? 'download',
-            [
-                'Content-Type' => $request->getHeaderLine('Content-Type'),
-                'Content-Length' => $request->getHeaderLine('Content-Length'),
-            ]
-        );
+        $token = $this->jwtService
+            ->setExpiresAt(CarbonImmutable::now()->addMinutes(15))
+            ->setClaims([
+                'file_path' => $request->get('file'),
+                'server_uuid' => $server->uuid,
+            ])
+            ->handle($server->node, $request->user()->id . $server->uuid);
+
+        return [
+            'object' => 'signed_url',
+            'attributes' => [
+                'url' => sprintf(
+                    '%s/download/file?token=%s',
+                    $server->node->getConnectionAddress(),
+                    $token->__toString()
+                ),
+            ],
+        ];
     }
 
     /**

app/Services/Nodes/NodeJWTService.php

@@ -0,0 +1,74 @@
+<?php
+
+namespace Pterodactyl\Services\Nodes;
+
+use DateTimeInterface;
+use Lcobucci\JWT\Builder;
+use Carbon\CarbonImmutable;
+use Illuminate\Support\Str;
+use Lcobucci\JWT\Signer\Key;
+use Pterodactyl\Models\Node;
+use Lcobucci\JWT\Signer\Hmac\Sha256;
+
+class NodeJWTService
+{
+    /**
+     * @var array
+     */
+    private $claims = [];
+
+    /**
+     * @var int|null
+     */
+    private $expiresAt;
+
+    /**
+     * Set the claims to include in this JWT.
+     *
+     * @param array $claims
+     * @return $this
+     */
+    public function setClaims(array $claims)
+    {
+        $this->claims = $claims;
+
+        return $this;
+    }
+
+    public function setExpiresAt(DateTimeInterface $date)
+    {
+        $this->expiresAt = $date->getTimestamp();
+
+        return $this;
+    }
+
+    /**
+     * Generate a new JWT for a given node.
+     *
+     * @param \Pterodactyl\Models\Node $node
+     * @param string|null $identifiedBy
+     * @return \Lcobucci\JWT\Token
+     */
+    public function handle(Node $node, string $identifiedBy)
+    {
+        $signer = new Sha256;
+
+        $builder = (new Builder)->issuedBy(config('app.url'))
+            ->permittedFor($node->getConnectionAddress())
+            ->identifiedBy(hash('sha256', $identifiedBy), true)
+            ->issuedAt(CarbonImmutable::now()->getTimestamp())
+            ->canOnlyBeUsedAfter(CarbonImmutable::now()->subMinutes(5)->getTimestamp());
+
+        if ($this->expiresAt) {
+            $builder = $builder->expiresAt($this->expiresAt);
+        }
+
+        foreach ($this->claims as $key => $value) {
+            $builder = $builder->withClaim($key, $value);
+        }
+
+        return $builder
+            ->withClaim('unique_id', Str::random(16))
+            ->getToken($signer, new Key($node->daemonSecret));
+    }
+}

resources/scripts/api/server/backups/getBackupDownloadUrl.ts

@@ -0,0 +1,9 @@
+import http from '@/api/http';
+
+export default (uuid: string, backup: string): Promise<string> => {
+    return new Promise((resolve, reject) => {
+        http.get(`/api/client/servers/${uuid}/backups/${backup}/download`)
+            .then(({ data }) => resolve(data.attributes.url))
+            .catch(reject);
+    });
+};

resources/scripts/api/server/files/getFileDownloadUrl.ts

@@ -0,0 +1,9 @@
+import http from '@/api/http';
+
+export default (uuid: string, file: string): Promise<string> => {
+    return new Promise((resolve, reject) => {
+        http.get(`/api/client/servers/${uuid}/files/download`, { params: { file } })
+            .then(({ data }) => resolve(data.attributes.url))
+            .catch(reject);
+    });
+};

resources/scripts/components/server/backups/BackupRow.tsx

@@ -9,8 +9,11 @@ import { faCloudDownloadAlt } from '@fortawesome/free-solid-svg-icons/faCloudDow
 import Modal, { RequiredModalProps } from '@/components/elements/Modal';
 import { bytesToHuman } from '@/helpers';
 import Can from '@/components/elements/Can';
-import { join } from "path";
 import useServer from '@/plugins/useServer';
+import getBackupDownloadUrl from '@/api/server/backups/getBackupDownloadUrl';
+import SpinnerOverlay from '@/components/elements/SpinnerOverlay';
+import useFlash from '@/plugins/useFlash';
+import { httpErrorToHuman } from '@/api/http';
 
 interface Props {
     backup: ServerBackup;
@@ -31,10 +34,29 @@ const DownloadModal = ({ checksum, ...props }: RequiredModalProps & { checksum:
 
 export default ({ backup, className }: Props) => {
     const { uuid } = useServer();
+    const { addError, clearFlashes } = useFlash();
+    const [ loading, setLoading ] = useState(false);
     const [ visible, setVisible ] = useState(false);
 
+    const getBackupLink = () => {
+        setLoading(true);
+        clearFlashes('backups');
+        getBackupDownloadUrl(uuid, backup.uuid)
+            .then(url => {
+                // @ts-ignore
+                window.location = url;
+                setVisible(true);
+            })
+            .catch(error => {
+                console.error(error);
+                addError({ key: 'backups', message: httpErrorToHuman(error) });
+            })
+            .then(() => setLoading(false));
+    };
+
     return (
         <div className={`grey-row-box flex items-center ${className}`}>
+            <SpinnerOverlay visible={loading} fixed={true}/>
             {visible &&
             <DownloadModal
                 visible={visible}
@@ -77,16 +99,12 @@ export default ({ backup, className }: Props) => {
                             <FontAwesomeIcon icon={faCloudDownloadAlt}/>
                         </div>
                         :
-                        <a
-                            href={`/api/client/servers/${uuid}/backups/${backup.uuid}/download`}
-                            target={'_blank'}
-                            onClick={() => {
-                                setVisible(true);
-                            }}
+                        <button
+                            onClick={() => getBackupLink()}
                             className={'text-sm text-neutral-300 p-2 transition-colors duration-250 hover:text-cyan-400'}
                         >
                             <FontAwesomeIcon icon={faCloudDownloadAlt}/>
-                        </a>
+                        </button>
                     }
                 </div>
             </Can>