Deleted subusers can still access SFTP
Current Behavior
When you delete a subuser while he still has an open SFTP session, he can still view, edit or delete files.
Expected Behavior
When you delete a subuser, any active SFTP sessions of this user should be closed.
Steps to Reproduce
- Create a subuser with full permissions
- Connect to SFTP using FileZilla using the credentials of the subuser
- Delete the subuser
- Try to edit a file
Panel Version
1.7.0
Wings Version
1.6.1
Is there an existing issue for this?
- [X] I have searched the existing issues before opening this issue.
- [X] I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server.
- [X] I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.
Could be similar to #3439
I believe this is intentional behavior since we use short-lived JWTs to authenticate users, rather than checking with the panel on every request made. It should technically also try to revoke the token immediately, but that isn't always guaranteed so I'll leave this open until I have time to look closer.
Looked again, the SFTP server doesn't use JWTs to authenticate users, it uses the standard password flows.
I can look into updating things to re-verify users after a set period of time, but there probably isn't a great way to handle the user deletion issue without hooking into the other revocation flows and terminating the open connection when they're hit. The only other way I can think of handling things is making an API request on every action (basically just a DoS vector at that point), or connecting the Wings instances to the database, which I also don't want to do.
Couldn't you have the panel notify Wings on revoking access? Or is it not that simple?
It can, yes.
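The approach raised in this thread, terminating open SFTP connections when a revocation arrives instead of calling the API on every action, as an added Go example that is not code from Wings or the panel. `SessionRegistry`, `Track`, `Revoke` and `fakeConn` are hypothetical names, and how the revocation notice reaches the daemon is assumed to exist elsewhere.

```go
package main

import (
	"fmt"
	"io"
	"sync"
)

// SessionRegistry maps a user UUID to that user's open SFTP connections.
// Hypothetical type for illustration; connections must be pointer-like values.
type SessionRegistry struct {
	mu    sync.Mutex
	conns map[string]map[io.Closer]struct{}
}

func NewSessionRegistry() *SessionRegistry {
	return &SessionRegistry{conns: make(map[string]map[io.Closer]struct{})}
}

// Track records a connection after a successful password login and returns
// a function to call when the session ends on its own.
func (r *SessionRegistry) Track(user string, c io.Closer) (untrack func()) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.conns[user] == nil {
		r.conns[user] = make(map[io.Closer]struct{})
	}
	r.conns[user][c] = struct{}{}
	return func() {
		r.mu.Lock()
		defer r.mu.Unlock()
		delete(r.conns[user], c) // no-op if Revoke already dropped the user
	}
}

// Revoke is called when access is removed (for example, subuser deleted).
// It closes every open connection for user and returns how many it closed.
func (r *SessionRegistry) Revoke(user string) int {
	r.mu.Lock()
	open := r.conns[user]
	delete(r.conns, user)
	r.mu.Unlock()
	for c := range open {
		_ = c.Close() // close outside the lock so a slow peer cannot stall logins
	}
	return len(open)
}

// fakeConn is a constructed stand-in for a real SSH connection.
type fakeConn struct{ closed bool }

func (f *fakeConn) Close() error { f.closed = true; return nil }

func main() {
	r, c := NewSessionRegistry(), &fakeConn{}
	r.Track("subuser-uuid", c)
	fmt.Println(r.Revoke("subuser-uuid"), c.closed)
}
```

Closing the underlying connection ends every channel on it, so an already-open file transfer fails at its next read or write instead of continuing with the old permissions.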