wings/router/middleware.go

package router

import (
	"github.com/gin-gonic/gin"
	"github.com/google/uuid"
	"github.com/pterodactyl/wings/config"
	"github.com/pterodactyl/wings/server"
	"net/http"
	"strings"
)

// Set the access request control headers on all of the requests.
func SetAccessControlHeaders(c *gin.Context) {
	c.Header("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")

	o := c.GetHeader("Origin")
	if o != config.Get().PanelLocation {
		for _, origin := range config.Get().AllowedOrigins {
			if origin != "*" && o != origin {
				continue
			}

			c.Header("Access-Control-Allow-Origin", origin)
			c.Next()
			return
		}
	}

	c.Header("Access-Control-Allow-Origin", config.Get().PanelLocation)
	c.Next()
}

// Authenticates the request token against the given permission string, ensuring that
// if it is a server permission, the token has control over that server. If it is a global
// token, this will ensure that the request is using a properly signed global token.
func AuthorizationMiddleware(c *gin.Context) {
	auth := strings.SplitN(c.GetHeader("Authorization"), " ", 2)

	if len(auth) != 2 || auth[0] != "Bearer" {
		c.Header("WWW-Authenticate", "Bearer")
		c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
			"error": "The required authorization heads were not present in the request.",
		})

		return
	}

	// Try to match the request against the global token for the Daemon, regardless
	// of the permission type. If nothing is matched we will fall through to the Panel
	// API to try and validate permissions for a server.
	if auth[1] == config.Get().AuthenticationToken {
		c.Next()

		return
	}

	c.AbortWithStatusJSON(http.StatusForbidden, gin.H{
		"error": "You are not authorized to access this endpoint.",
	})
}

// Helper function to fetch a server out of the servers collection stored in memory.
func GetServer(uuid string) *server.Server {
	return server.GetServers().Find(func(s *server.Server) bool {
		return uuid == s.Id()
	})
}

// Ensure that the requested server exists in this setup. Returns a 404 if we cannot
// locate it.
func ServerExists(c *gin.Context) {
	u, err := uuid.Parse(c.Param("server"))
	if err != nil || GetServer(u.String()) == nil {
		c.AbortWithStatusJSON(http.StatusNotFound, gin.H{
			"error": "The resource you requested does not exist.",
		})
		return
	}

	c.Next()
}
Port most of the HTTP code over to gin 2020-04-06 01:00:33 +00:00			`package router`

			`import (`
			`"github.com/gin-gonic/gin"`
			`"github.com/google/uuid"`
			`"github.com/pterodactyl/wings/config"`
			`"github.com/pterodactyl/wings/server"`
			`"net/http"`
			`"strings"`
			`)`

			`// Set the access request control headers on all of the requests.`
			`func SetAccessControlHeaders(c *gin.Context) {`
			`c.Header("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")`
Add the ability to define additional allowed origins 2020-07-31 22:19:09 +00:00
			`o := c.GetHeader("Origin")`
			`if o != config.Get().PanelLocation {`
			`for _, origin := range config.Get().AllowedOrigins {`
Fix problems with CORS and websocket allowed origins 2020-09-11 03:08:00 +00:00			`if origin != "*" && o != origin {`
Add the ability to define additional allowed origins 2020-07-31 22:19:09 +00:00			`continue`
			`}`

			`c.Header("Access-Control-Allow-Origin", origin)`
			`c.Next()`
			`return`
			`}`
			`}`

			`c.Header("Access-Control-Allow-Origin", config.Get().PanelLocation)`
Port most of the HTTP code over to gin 2020-04-06 01:00:33 +00:00			`c.Next()`
			`}`

			`// Authenticates the request token against the given permission string, ensuring that`
			`// if it is a server permission, the token has control over that server. If it is a global`
			`// token, this will ensure that the request is using a properly signed global token.`
			`func AuthorizationMiddleware(c *gin.Context) {`
			`auth := strings.SplitN(c.GetHeader("Authorization"), " ", 2)`

			`if len(auth) != 2 \|\| auth[0] != "Bearer" {`
			`c.Header("WWW-Authenticate", "Bearer")`
			`c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{`
			`"error": "The required authorization heads were not present in the request.",`
			`})`

			`return`
			`}`

			`// Try to match the request against the global token for the Daemon, regardless`
			`// of the permission type. If nothing is matched we will fall through to the Panel`
			`// API to try and validate permissions for a server.`
			`if auth[1] == config.Get().AuthenticationToken {`
			`c.Next()`

			`return`
			`}`

			`c.AbortWithStatusJSON(http.StatusForbidden, gin.H{`
			`"error": "You are not authorized to access this endpoint.",`
			`})`
			`}`

			`// Helper function to fetch a server out of the servers collection stored in memory.`
Dane caused this monstrosity to occur.. Port over remaining transfer/archive code to gin, delete http.go 2020-04-06 19:49:49 +00:00			`func GetServer(uuid string) *server.Server {`
Port most of the HTTP code over to gin 2020-04-06 01:00:33 +00:00			`return server.GetServers().Find(func(s *server.Server) bool {`
Update all of the old UUID refs to new 2020-07-20 00:53:41 +00:00			`return uuid == s.Id()`
Port most of the HTTP code over to gin 2020-04-06 01:00:33 +00:00			`})`
			`}`

			`// Ensure that the requested server exists in this setup. Returns a 404 if we cannot`
			`// locate it.`
			`func ServerExists(c *gin.Context) {`
			`u, err := uuid.Parse(c.Param("server"))`
			`if err != nil \|\| GetServer(u.String()) == nil {`
			`c.AbortWithStatusJSON(http.StatusNotFound, gin.H{`
Check for server existence when connecting to a websocket 2020-05-04 04:30:07 +00:00			`"error": "The resource you requested does not exist.",`
Port most of the HTTP code over to gin 2020-04-06 01:00:33 +00:00			`})`
			`return`
			`}`

			`c.Next()`
Dane caused this monstrosity to occur.. Port over remaining transfer/archive code to gin, delete http.go 2020-04-06 19:49:49 +00:00			`}`