sonot
/
PteroTheme
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Revert use of cookies, go back to using a JWT

This commit is contained in:
Dane Everitt 2018-06-06 22:49:44 -07:00
parent 871147f2d9
commit 03c83c084a
No known key found for this signature in database
GPG Key ID: EEA66103B3D71F53
8 changed files with 80 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
app/Http/Controllers/Auth/AbstractLoginController.php
View File

@ -2,6 +2,7 @@
namespace Pterodactyl\Http\Controllers\Auth; namespace Pterodactyl\Http\Controllers\Auth;
use Cake\Chronos\Chronos;
use Lcobucci\JWT\Builder; use Lcobucci\JWT\Builder;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Pterodactyl\Models\User; use Pterodactyl\Models\User;
@ -139,19 +140,35 @@ abstract class AbstractLoginController extends Controller
$this->auth->guard()->login($user, true); $this->auth->guard()->login($user, true);
debug($request->cookies->all());
return response()->json([ return response()->json([
'complete' => true, 'complete' => true,
'intended' => $this->redirectPath(), 'intended' => $this->redirectPath(),
'cookie' => [ 'jwt' => $this->createJsonWebToken($user),
'name' => config('session.cookie'),
'value' => $this->encrypter->encrypt($request->cookie(config('session.cookie'))),
],
'user' => (new AccountTransformer())->transform($user),
]); ]);
} }
/**
* Create a new JWT for the request and sign it using the signing key.
*
* @param User $user
* @return string
*/
protected function createJsonWebToken(User $user): string
{
$token = $this->builder
->setIssuer('Pterodactyl Panel')
->setAudience(config('app.url'))
->setId(str_random(16), true)
->setIssuedAt(Chronos::now()->getTimestamp())
->setNotBefore(Chronos::now()->getTimestamp())
->setExpiration(Chronos::now()->addSeconds(config('session.lifetime'))->getTimestamp())
->set('user', (new AccountTransformer())->transform($user))
->sign($this->getJWTSigner(), $this->getJWTSigningKey())
->getToken();
return $token->__toString();
}
/** /**
* Determine if the user is logging in using an email or username,. * Determine if the user is logging in using an email or username,.
* *

2
app/Http/Kernel.php
View File

@ -80,8 +80,6 @@ class Kernel extends HttpKernel
], ],
'client-api' => [ 'client-api' => [
'throttle:240,1', 'throttle:240,1',
EncryptCookies::class,
StartSession::class,
SubstituteClientApiBindings::class, SubstituteClientApiBindings::class,
SetSessionDriver::class, SetSessionDriver::class,
'api..key:' . ApiKey::TYPE_ACCOUNT, 'api..key:' . ApiKey::TYPE_ACCOUNT,

28
app/Http/Middleware/Api/AuthenticateKey.php
View File

@ -5,7 +5,6 @@ namespace Pterodactyl\Http\Middleware\Api;
use Closure; use Closure;
use Lcobucci\JWT\Parser; use Lcobucci\JWT\Parser;
use Cake\Chronos\Chronos; use Cake\Chronos\Chronos;
use Illuminate\Support\Str;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Pterodactyl\Models\ApiKey; use Pterodactyl\Models\ApiKey;
use Illuminate\Auth\AuthManager; use Illuminate\Auth\AuthManager;
@ -64,24 +63,19 @@ class AuthenticateKey
public function handle(Request $request, Closure $next, int $keyType) public function handle(Request $request, Closure $next, int $keyType)
{ {
if (is_null($request->bearerToken())) { if (is_null($request->bearerToken())) {
if (! Str::startsWith($request->route()->getName(), ['api.client']) && ! $request->user()) {
throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']); throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
} }
}
if (is_null($request->bearerToken())) {
$model = (new ApiKey)->forceFill([
'user_id' => $request->user()->id,
'key_type' => ApiKey::TYPE_ACCOUNT,
]);
}
if (! isset($model)) {
$raw = $request->bearerToken(); $raw = $request->bearerToken();
// This is an internal JWT, treat it differently to get the correct user before passing it along.
if (strlen($raw) > ApiKey::IDENTIFIER_LENGTH + ApiKey::KEY_LENGTH) {
$model = $this->authenticateJWT($raw);
} else {
$model = $this->authenticateApiKey($raw, $keyType); $model = $this->authenticateApiKey($raw, $keyType);
$this->auth->guard()->loginUsingId($model->user_id);
} }
$this->auth->guard()->loginUsingId($model->user_id);
$request->attributes->set('api_key', $model); $request->attributes->set('api_key', $model);
return $next($request); return $next($request);
@ -103,6 +97,16 @@ class AuthenticateKey
throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']); throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
} }
// Run through the token validation and throw an exception if the token is not valid.
if (
$token->getClaim('nbf') > Chronos::now()->getTimestamp()
|| $token->getClaim('iss') !== 'Pterodactyl Panel'
|| $token->getClaim('aud') !== config('app.url')
|| $token->getClaim('exp') <= Chronos::now()->getTimestamp()
) {
throw new AccessDeniedHttpException;
}
return (new ApiKey)->forceFill([ return (new ApiKey)->forceFill([
'user_id' => object_get($token->getClaim('user'), 'id', 0), 'user_id' => object_get($token->getClaim('user'), 'id', 0),
'key_type' => ApiKey::TYPE_ACCOUNT, 'key_type' => ApiKey::TYPE_ACCOUNT,

1
app/Transformers/Api/Client/AccountTransformer.php
View File

@ -25,6 +25,7 @@ class AccountTransformer extends BaseClientTransformer
public function transform(User $model) public function transform(User $model)
{ {
return [ return [
'id' => $model->id,
'admin' => $model->root_admin, 'admin' => $model->root_admin,
'username' => $model->username, 'username' => $model->username,
'email' => $model->email, 'email' => $model->email,

3
resources/assets/scripts/helpers/axios.js
View File

@ -1,3 +1,5 @@
import User from './../models/user';
/** /**
* We'll load the axios HTTP library which allows us to easily issue requests * We'll load the axios HTTP library which allows us to easily issue requests
* to our Laravel back-end. This library automatically handles sending the * to our Laravel back-end. This library automatically handles sending the
@ -7,6 +9,7 @@
let axios = require('axios'); let axios = require('axios');
axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest'; axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
axios.defaults.headers.common['Accept'] = 'application/json'; axios.defaults.headers.common['Accept'] = 'application/json';
axios.defaults.headers.common['Authorization'] = `Bearer ${User.getToken()}`;
if (typeof phpdebugbar !== 'undefined') { if (typeof phpdebugbar !== 'undefined') {
axios.interceptors.response.use(function (response) { axios.interceptors.response.use(function (response) {

40
resources/assets/scripts/models/user.js
View File

@ -1,21 +1,37 @@
import axios from './../helpers/axios'; import isString from 'lodash/isString';
import jwtDecode from 'jwt-decode';
export default class User { export default class User {
/** /**
* Get a new user model by hitting the Panel API using the authentication token * Get a new user model from the JWT.
* provided. If no user can be retrieved null will be returned.
* *
* @return {User|null} * @return {User | null}
*/ */
static fromCookie() { static fromToken(token) {
axios.get('/api/client/account') if (!isString(token)) {
.then(response => { token = localStorage.getItem('token');
return new User(response.data.attributes); }
})
.catch(err => { if (!isString(token) || token.length < 1) {
console.error(err);
return null; return null;
}); }
const data = jwtDecode(token);
if (data.user) {
return new User(data.user);
}
return null;
}
/**
* Return the JWT for the authenticated user.
*
* @returns {string | null}
*/
static getToken()
{
return localStorage.getItem('token');
} }
/** /**

13
resources/assets/scripts/store/modules/auth.js
View File

@ -4,7 +4,7 @@ const route = require('./../../../../../vendor/tightenco/ziggy/src/js/route').de
export default { export default {
namespaced: true, namespaced: true,
state: { state: {
user: null, user: User.fromToken(),
}, },
getters: { getters: {
/** /**
@ -32,7 +32,7 @@ export default {
} }
if (response.data.complete) { if (response.data.complete) {
commit('login', {cookie: response.data.cookie, user: response.data.user}); commit('login', {jwt: response.data.jwt});
return resolve({ return resolve({
complete: true, complete: true,
intended: response.data.intended, intended: response.data.intended,
@ -59,12 +59,9 @@ export default {
}, },
}, },
mutations: { mutations: {
login: function (state, {cookie, user}) { login: function (state, {jwt}) {
state.user = new User(user); localStorage.setItem('token', jwt);
localStorage.setItem('token', JSON.stringify({ state.user = User.fromToken(jwt);
name: cookie.name,
value: cookie.value,
}));
}, },
logout: function (state) { logout: function (state) {
localStorage.removeItem('token'); localStorage.removeItem('token');

2
webpack.config.js
View File

@ -65,7 +65,7 @@ const productionPlugins = [
module.exports = { module.exports = {
mode: process.env.NODE_ENV, mode: process.env.NODE_ENV,
devtool: process.env.NODE_ENV === 'production' ? false : 'eval-source-map', devtool: process.env.NODE_ENV === 'production' ? false : 'source-map',
performance: { performance: {
hints: false, hints: false,
}, },