Include the "user_uuid" claim on JWTs for easier Wings user tracking

Author: DaneEveritt

app/Http/Controllers/Api/Client/Servers/FileController.php

@@ -93,6 +93,7 @@ public function download(GetFileContentsRequest $request, Server $server)
     {
         $token = $this->jwtService
             ->setExpiresAt(CarbonImmutable::now()->addMinutes(15))
+            ->setUser($request->user())
             ->setClaims([
                 'file_path' => rawurldecode($request->get('file')),
                 'server_uuid' => $server->uuid,

app/Http/Controllers/Api/Client/Servers/FileUploadController.php

@@ -55,9 +55,8 @@ protected function getUploadUrl(Server $server, User $user)
     {
         $token = $this->jwtService
             ->setExpiresAt(CarbonImmutable::now()->addMinutes(15))
-            ->setClaims([
-                'server_uuid' => $server->uuid,
-            ])
+            ->setUser($user)
+            ->setClaims(['server_uuid' => $server->uuid])
             ->handle($server->node, $user->id . $server->uuid);
 
         return sprintf(

app/Http/Controllers/Api/Client/Servers/WebsocketController.php

@@ -69,8 +69,8 @@ public function __invoke(ClientApiRequest $request, Server $server)
 
         $token = $this->jwtService
             ->setExpiresAt(CarbonImmutable::now()->addMinutes(10))
+            ->setUser($request->user())
             ->setClaims([
-                'user_id' => $request->user()->id,
                 'server_uuid' => $server->uuid,
                 'permissions' => $permissions,
             ])

app/Services/Backups/DownloadLinkService.php

@@ -41,6 +41,7 @@ public function handle(Backup $backup, User $user): string
 
         $token = $this->jwtService
             ->setExpiresAt(CarbonImmutable::now()->addMinutes(15))
+            ->setUser($user)
             ->setClaims([
                 'backup_uuid' => $backup->uuid,
                 'server_uuid' => $backup->server->uuid,

app/Services/Nodes/NodeJWTService.php

@@ -6,27 +6,24 @@
 use Carbon\CarbonImmutable;
 use Illuminate\Support\Str;
 use Pterodactyl\Models\Node;
+use Pterodactyl\Models\User;
 use Lcobucci\JWT\Configuration;
 use Lcobucci\JWT\Signer\Hmac\Sha256;
 use Lcobucci\JWT\Signer\Key\InMemory;
 use Pterodactyl\Extensions\Lcobucci\JWT\Encoding\TimestampDates;
 
 class NodeJWTService
 {
-    /**
-     * @var array
-     */
-    private $claims = [];
+    private array $claims = [];
+
+    private ?User $user = null;
 
     /**
      * @var \DateTimeImmutable|null
      */
     private $expiresAt;
 
-    /**
-     * @var string|null
-     */
-    private $subject;
+    private ?string $subject = null;
 
     /**
      * Set the claims to include in this JWT.
@@ -40,6 +37,17 @@ public function setClaims(array $claims)
         return $this;
     }
 
+    /**
+     * Attaches a user to the JWT being created and will automatically inject the
+     * "user_uuid" key into the final claims array with the user's UUID.
+     */
+    public function setUser(User $user): self
+    {
+        $this->user = $user;
+
+        return $this;
+    }
+
     /**
      * @return $this
      */
@@ -92,6 +100,17 @@ public function handle(Node $node, string $identifiedBy, string $algo = 'md5')
             $builder = $builder->withClaim($key, $value);
         }
 
+        if (!is_null($this->user)) {
+            $builder = $builder
+                ->withClaim('user_uuid', $this->user->uuid)
+                // The "user_id" claim is deprecated and should not be referenced — it remains
+                // here solely to ensure older versions of Wings are unaffected when the Panel
+                // is updated.
+                //
+                // This claim will be removed in Panel@1.11 or later.
+                ->withClaim('user_id', $this->user->id);
+        }
+
         return $builder
             ->withClaim('unique_id', Str::random(16))
             ->getToken($config->signer(), $config->signingKey());