Merge branch 'develop' into issues/1902

Author: matthewpi

app/Http/Controllers/Admin/Nodes/NodeViewController.php

@@ -148,8 +148,8 @@ public function allocations(Request $request, Node $node)
     public function servers(Request $request, Node $node)
     {
         $this->plainInject([
-            'node' => Collection::wrap($node->makeVisible('daemonSecret'))
-                ->only(['scheme', 'fqdn', 'daemonListen', 'daemonSecret']),
+            'node' => Collection::wrap($node->makeVisible(['daemon_token_id', 'daemon_token']))
+                ->only(['scheme', 'fqdn', 'daemonListen', 'daemon_token_id', 'daemon_token']),
         ]);
 
         return $this->view->make('admin.nodes.view.servers', [

app/Http/Controllers/Admin/StatisticsController.php

@@ -67,7 +67,7 @@ public function index()
 
         $tokens = [];
         foreach ($nodes as $node) {
-            $tokens[$node->id] = $node->daemonSecret;
+            $tokens[$node->id] = decrypt($node->daemon_token);
         }
 
         $this->injectJavascript([

app/Http/Controllers/Api/Remote/Servers/ServerTransferController.php

@@ -145,7 +145,7 @@ public function archive(Request $request, string $uuid)
             ->canOnlyBeUsedAfter($now->getTimestamp())
             ->expiresAt($now->addMinutes(15)->getTimestamp())
             ->relatedTo($server->uuid, true)
-            ->getToken($signer, new Key($server->node->daemonSecret));
+            ->getToken($signer, new Key($server->node->getDecryptedKey()));
 
         // On the daemon transfer repository, make sure to set the node after the server
         // because setServer() tells the repository to use the server's node and not the one

app/Http/Controllers/Daemon/ActionController.php

@@ -38,7 +38,6 @@
 use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull;
 use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientApiBindings;
 use Pterodactyl\Http\Middleware\Api\Application\AuthenticateApplicationUser;
-use Pterodactyl\Http\Middleware\DaemonAuthenticate as OldDaemonAuthenticate;
 
 class Kernel extends HttpKernel
 {
@@ -107,7 +106,6 @@ class Kernel extends HttpKernel
         'server' => AccessingValidServer::class,
         'subuser.auth' => AuthenticateAsSubuser::class,
         'admin' => AdminAuthenticate::class,
-        'daemon-old' => OldDaemonAuthenticate::class,
         'csrf' => VerifyCsrfToken::class,
         'throttle' => ThrottleRequests::class,
         'can' => Authorize::class,

app/Http/Controllers/Daemon/PackController.php

@@ -4,6 +4,7 @@
 
 use Closure;
 use Illuminate\Http\Request;
+use Illuminate\Contracts\Encryption\Encrypter;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Pterodactyl\Contracts\Repository\NodeRepositoryInterface;
 use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
@@ -25,14 +26,21 @@ class DaemonAuthenticate
         'daemon.configuration',
     ];
 
+    /**
+     * @var \Illuminate\Contracts\Encryption\Encrypter
+     */
+    private $encrypter;
+
     /**
      * DaemonAuthenticate constructor.
      *
+     * @param \Illuminate\Contracts\Encryption\Encrypter $encrypter
      * @param \Pterodactyl\Contracts\Repository\NodeRepositoryInterface $repository
      */
-    public function __construct(NodeRepositoryInterface $repository)
+    public function __construct(Encrypter $encrypter, NodeRepositoryInterface $repository)
     {
         $this->repository = $repository;
+        $this->encrypter = $encrypter;
     }
 
     /**
@@ -50,20 +58,31 @@ public function handle(Request $request, Closure $next)
             return $next($request);
         }
 
-        $token = $request->bearerToken();
-
-        if (is_null($token)) {
-            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
+        if (is_null($bearer = $request->bearerToken())) {
+            throw new HttpException(
+                401, 'Access this this endpoint must include an Authorization header.', null, ['WWW-Authenticate' => 'Bearer']
+            );
         }
 
+        [$identifier, $token] = explode('.', $bearer);
+
         try {
-            $node = $this->repository->findFirstWhere([['daemonSecret', '=', $token]]);
+            /** @var \Pterodactyl\Models\Node $node */
+            $node = $this->repository->findFirstWhere([
+                'daemon_token_id' => $identifier,
+            ]);
+
+            if (hash_equals((string) $this->encrypter->decrypt($node->daemon_token), $token)) {
+                $request->attributes->set('node', $node);
+
+                return $next($request);
+            }
         } catch (RecordNotFoundException $exception) {
-            throw new AccessDeniedHttpException;
+            // Do nothing, we don't want to expose a node not existing at all.
         }
 
-        $request->attributes->set('node', $node);
-
-        return $next($request);
+        throw new AccessDeniedHttpException(
+            'You are not authorized to access this resource.'
+        );
     }
 }