
[API] Allow /websocket requests from ALLOWED IPS

Open Stantastic opened this issue 2 years ago • 4 comments

Is there an existing feature request for this?

  • [X] I have searched the existing issues before opening this feature request.

Describe the feature you would like to see.

I work with Pterodactyl's API a lot. I tried implementing a websocket console in a 3rd-party app without success. It turns out that you're required to adjust the Wings config to accept requests from the origin of the request.

This behaviour doesn't really add any use to the websocket API unless you have direct access to the Wings config, and therefore implementations that utilize 3rd-party server hosts are not possible.

Describe the solution you'd like.

A possible solution would be to not only allow whitelisted origins in the Wings config itself but also include the origins supplied via ALLOWED IPS while creating a new API key.

Additional context to this request.

No response

Stantastic avatar Jul 20 '23 12:07 Stantastic

> This behaviour doesn't really add any use to the websocket API unless you have direct access to the Wings config, and therefore implementations that utilize 3rd-party server hosts are not possible.

This is a security measure to prevent anyone from connecting to server websockets and getting information they otherwise shouldn't have access to. You can "bypass" this by setting the Origin header to your panel's domain when establishing the connection; this is what some API libraries are doing.

> A possible solution would be to not only allow whitelisted origins in the Wings config itself but also include the origins supplied via ALLOWED IPS while creating a new API key.

This doesn't sound like a bad suggestion but I am curious about any potential security issues.

devnote-dev avatar Jul 20 '23 13:07 devnote-dev

> This is a security measure to prevent anyone from connecting to server websockets and getting information they otherwise shouldn't have access to. You can "bypass" this by setting the Origin header to your panel's domain when establishing the connection; this is what some API libraries are doing.

AFAIK you cannot modify the headers of websocket requests, at least from what I have read. Which libraries can do that? I initially opted for browser JS though.

Stantastic avatar Jul 20 '23 17:07 Stantastic

All RFC-compliant websocket libraries provide the ability to change the header. What you're talking about only applies to websocket in a browser environment, in which case: don't connect in the browser.

devnote-dev avatar Jul 20 '23 21:07 devnote-dev

When trying to create custom solutions that would log the console through a websocket (as an example), I can confirm the annoyance at the default behavior. I understand that the security risk is not negligible, but I am sure that through a whitelisted-IPs option the same level of security could be achieved, at the cost of added "complexity". Editing the Origin works as a workaround but is less than ideal in my opinion.

Luiggi33 avatar Aug 27 '24 19:08 Luiggi33
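To make the two controls discussed in this thread concrete, here is an added example in Go (Wings is written in Go) that is not Pterodactyl or Wings code. It models a websocket upgrade gate with the existing Origin allowlist beside the proposed per-key allowed-IP list, and shows why the two differ: Origin is a client-supplied header that only browsers refuse to forge, while the peer address is observed by the server. The `HandshakeConfig` type, the `newUpgradeRequest` helper, the policy in `CheckHandshake` and the domain `panel.example.com` are all assumptions made for illustration, not Wings' actual configuration or behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// HandshakeConfig is a constructed model (not Wings' real config) of two
// independent controls: the Origin allowlist the thread says Wings enforces,
// and an allowed-IP list bound to an API key as the issue proposes.
type HandshakeConfig struct {
	AllowedOrigins []string // e.g. "https://panel.example.com" (placeholder)
	AllowedIPs     []string // CIDRs or single addresses bound to the API key
}

// normalizeOrigin reduces an Origin value to lowercase scheme://host[:port],
// so "HTTPS://Panel.Example.com" and "https://panel.example.com" compare equal.
// Values such as "null" or a bare hostname are rejected as malformed.
func normalizeOrigin(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("malformed origin %q", raw)
	}
	return strings.ToLower(u.Scheme + "://" + u.Host), nil
}

// OriginAllowed reports whether the Origin header exactly matches an
// allowlisted origin after normalization. This is the browser-side control:
// a non-browser client can put anything here, as noted in the thread.
func OriginAllowed(origin string, allowed []string) bool {
	got, err := normalizeOrigin(origin)
	if err != nil {
		return false
	}
	for _, entry := range allowed {
		if want, err := normalizeOrigin(entry); err == nil && want == got {
			return true
		}
	}
	return false
}

// IPAllowed checks the peer address (RemoteAddr is "host:port") against a list
// of CIDRs or single IPs. Behind a reverse proxy RemoteAddr is the proxy, so a
// real deployment must take the client IP from a trusted forwarding header.
func IPAllowed(remoteAddr string, allowed []string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port component
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, entry := range allowed {
		if _, cidr, err := net.ParseCIDR(entry); err == nil {
			if cidr.Contains(ip) {
				return true
			}
			continue
		}
		if single := net.ParseIP(entry); single != nil && single.Equal(ip) {
			return true
		}
	}
	return false
}

// CheckHandshake applies the hypothetical combined policy:
//   - a key that carries an IP list rejects peers outside it outright;
//   - a peer that passed the IP list may omit Origin or use any Origin
//     (this is the issue's proposal, modelled here);
//   - otherwise Origin must be present and on the allowlist.
func CheckHandshake(r *http.Request, cfg HandshakeConfig) error {
	if !strings.EqualFold(r.Header.Get("Upgrade"), "websocket") {
		return errors.New("not a websocket upgrade")
	}
	ipRestricted := len(cfg.AllowedIPs) > 0
	ipOK := ipRestricted && IPAllowed(r.RemoteAddr, cfg.AllowedIPs)
	if ipRestricted && !ipOK {
		return fmt.Errorf("peer %s not in the key's allowed IPs", r.RemoteAddr)
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		if ipOK {
			return nil // non-browser client vouched for by the IP list
		}
		return errors.New("missing Origin and key has no IP restriction")
	}
	if OriginAllowed(origin, cfg.AllowedOrigins) || ipOK {
		return nil
	}
	return fmt.Errorf("origin %q not allowed", origin)
}

// newUpgradeRequest builds a minimal upgrade request for demonstration.
func newUpgradeRequest(remoteAddr, origin string) *http.Request {
	r := &http.Request{Header: http.Header{}, RemoteAddr: remoteAddr}
	r.Header.Set("Upgrade", "websocket")
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	cfg := HandshakeConfig{AllowedOrigins: []string{"https://panel.example.com"}}
	for _, o := range []string{"https://panel.example.com", "https://other.example", ""} {
		fmt.Printf("origin %q: %v\n", o, CheckHandshake(newUpgradeRequest("198.51.100.9:4000", o), cfg))
	}
}
```

The practical point for an operator: the Origin allowlist only stops cross-site connections from browsers, so an IP list bound to the key is the control that actually constrains non-browser automation, and it must be evaluated against the real client address rather than a proxy's.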