Fix JWT Scope Security issue

[parkervcp]

Resolves impact from pterodactyl/wings/security/advisories/GHSA-pfvc-3p5h-x7h6

This is a drop in change

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Fixed authorization error messages for missing or invalid headers.
  • Corrected token scope validation for transfer requests.

• Security Improvements

  • Implemented scope-based authorization across backup downloads, file operations, and transfers.
  • Enhanced token validation requirements for WebSocket connections.
  • Redacted sensitive token information from debug logs.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds scope-based JWT authorization across file uploads/downloads, backup operations, server transfers, and websocket connections. It introduces scope infrastructure, embeds scopes into token payloads, enforces scope validation at handlers, and redacts tokens in debug logs.

Changes

JWT scope-based authorization

Layer / File(s)	Summary
Token scope definition and infrastructure router/tokens/token.go	New JwtScope type with named constants (Websocket, FileUpload, FileDownload, BackupDownload, ServerTransfer) and Scoped struct with Scopes() and HasScope() helper methods.
Token payload schema updates router/tokens/backup.go, router/tokens/file.go, router/tokens/transfer.go, router/tokens/upload.go, router/tokens/websocket.go	All token payload types now embed Scoped field to carry scope information from JWT claims.
File and backup download authorization router/router_download.go, router/router_server_files.go	Download endpoints validate BackupDownload and FileDownload scopes; upload endpoint enforces FileUpload scope; invalid tokens return 404 Not Found.
Websocket connection authorization router/websocket/websocket.go	Websocket validation now requires both PermissionConnect permission and tokens.Websocket scope in token acceptance and connection checks.
Server transfer authorization and log handling router/router_transfer.go	Transfer endpoint enforces ServerTransfer scope, fixes authorization error message ("heads" → "headers"), and refactors install log streaming to create per-server log files with granular error handling.
Request logging improvements router/router.go	Debug log formatter redacts token query parameter values and logs raw request method without ANSI color codes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Scopes take flight through tokens bright,
Each endpoint guarded, sealed just right,
From websockets to transfers grand,
Authorization stands hand in hand!
Logs stay silent, tokens hidden,
Security's new laws now bidden. 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Fix JWT Scope Security issue' directly relates to the main change in the changeset—implementing JWT scope validation across multiple token types and endpoints to address a security vulnerability (CVE-2026-52855).
Docstring Coverage	✅ Passed	Docstring coverage is 85.71% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

router/tokens/token.go (1)

21-23: ⚡ Quick win

Use whitespace-tolerant scope parsing in Scopes().

strings.Split(s.Scope, " ") only handles literal spaces and preserves empty tokens. In auth parsing, prefer strings.Fields so any whitespace delimiter is handled consistently and empty entries are dropped.

Proposed patch

 func (s Scoped) Scopes() []string {
-	return strings.Split(s.Scope, " ")
+	return strings.Fields(s.Scope)
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@router/tokens/token.go` around lines 21 - 23, The Scopes() method on type
Scoped currently uses strings.Split(s.Scope, " ") which preserves empty tokens
and only splits on literal spaces; change Scoped.Scopes() to use
strings.Fields(s.Scope) so it splits on any Unicode whitespace and drops empty
entries (update the function body in the Scopes method to return
strings.Fields(s.Scope)).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@router/tokens/token.go`:
- Around line 21-23: The Scopes() method on type Scoped currently uses
strings.Split(s.Scope, " ") which preserves empty tokens and only splits on
literal spaces; change Scoped.Scopes() to use strings.Fields(s.Scope) so it
splits on any Unicode whitespace and drops empty entries (update the function
body in the Scopes method to return strings.Fields(s.Scope)).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: eb6b96a2-4f90-4780-a0b1-aff732a51588

📥 Commits

Reviewing files that changed from the base of the PR and between a0306eb and 936000e.

📒 Files selected for processing (11)

• router/router.go
• router/router_download.go
• router/router_server_files.go
• router/router_transfer.go
• router/tokens/backup.go
• router/tokens/file.go
• router/tokens/token.go
• router/tokens/transfer.go
• router/tokens/upload.go
• router/tokens/websocket.go
• router/websocket/websocket.go

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Build and Test (ubuntu-22.04, 1.25.7, linux, amd64)
• GitHub Check: Build and Test (ubuntu-22.04, 1.26.0, linux, amd64)
• GitHub Check: Analyze (go)

🔇 Additional comments (16)

router/tokens/backup.go (1)

13-13: LGTM!

router/tokens/file.go (1)

12-12: LGTM!

router/tokens/transfer.go (1)

9-9: LGTM!

router/tokens/upload.go (1)

13-13: LGTM!

router/tokens/websocket.go (1)

55-55: LGTM!

router/router_download.go (2)

31-36: LGTM!

---

84-90: LGTM!

router/router_server_files.go (2)

243-244: LGTM!

---

601-607: LGTM!

router/router_transfer.go (4)

35-36: LGTM!

---

46-50: LGTM!

---

153-159: LGTM!

---

213-250: LGTM!

router/websocket/websocket.go (2)

77-79: LGTM!

---

216-218: LGTM!

router/router.go (1)

4-4: LGTM!

Also applies to: 15-16, 40-42

[QuintenQVD0]

@parkervcp The Github security advisories linked there mentioned commit (eb65e27) what is not in this PR