misc_pterodactyl-panel/app/Http/Middleware/Api/AuthenticateKey.php

<?php

namespace Pterodactyl\Http\Middleware\Api;

use Closure;
use Carbon\CarbonImmutable;
use Illuminate\Http\Request;
use Pterodactyl\Models\User;
use Pterodactyl\Models\ApiKey;
use Illuminate\Auth\AuthManager;
use Illuminate\Support\Facades\Session;
use Illuminate\Contracts\Encryption\Encrypter;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class AuthenticateKey
{
    /**
     * @var \Illuminate\Auth\AuthManager
     */
    private $auth;

    /**
     * @var \Illuminate\Contracts\Encryption\Encrypter
     */
    private $encrypter;

    /**
     * @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface
     */
    private $repository;

    /**
     * AuthenticateKey constructor.
     */
    public function __construct(ApiKeyRepositoryInterface $repository, AuthManager $auth, Encrypter $encrypter)
    {
        $this->auth = $auth;
        $this->encrypter = $encrypter;
        $this->repository = $repository;
    }

    /**
     * Handle an API request by verifying that the provided API key is in a valid
     * format and exists in the database. If there is currently a user in the session
     * do not even bother to look at the token (they provided a cookie for this to
     * be the case).
     *
     * @return mixed
     *
     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
     */
    public function handle(Request $request, Closure $next, int $keyType)
    {
        if (is_null($request->bearerToken()) && is_null($request->user())) {
            throw new HttpException(401, 'A bearer token or valid user session cookie must be provided to access this endpoint.', null, ['WWW-Authenticate' => 'Bearer']);
        }

        // This is a request coming through using cookies, we have an authenticated user
        // not using an API key. Make some fake API key models and continue on through
        // the process.
        if ($request->user() instanceof User) {
            $model = (new ApiKey())->forceFill([
                'user_id' => $request->user()->id,
                'key_type' => ApiKey::TYPE_ACCOUNT,
            ]);
        } else {
            $model = $this->authenticateApiKey($request->bearerToken(), $keyType);

            $this->auth->guard()->loginUsingId($model->user_id);
        }

        $request->attributes->set('api_key', $model);

        return $next($request);
    }

    /**
     * Authenticate an API key.
     *
     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
     */
    protected function authenticateApiKey(string $key, int $keyType): ApiKey
    {
        $identifier = substr($key, 0, ApiKey::IDENTIFIER_LENGTH);
        $token = substr($key, ApiKey::IDENTIFIER_LENGTH);

        try {
            $model = $this->repository->findFirstWhere([
                ['identifier', '=', $identifier],
                ['key_type', '=', $keyType],
            ]);
        } catch (RecordNotFoundException $exception) {
            throw new AccessDeniedHttpException();
        }

        if (!hash_equals($this->encrypter->decrypt($model->token), $token)) {
            throw new AccessDeniedHttpException();
        }

        $this->repository->withoutFreshModel()->update($model->id, ['last_used_at' => CarbonImmutable::now()]);

        return $model;
    }
}
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`<?php`

Move everything around as needed to get things setup for the client API 2018-02-25 21:30:56 +00:00			`namespace Pterodactyl\Http\Middleware\Api;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00
			`use Closure;`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 20:09:16 +00:00			`use Carbon\CarbonImmutable;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`use Illuminate\Http\Request;`
Strip out JWT usage and use cookies to track the currently logged in user 2018-07-15 05:42:58 +00:00			`use Pterodactyl\Models\User;`
Rename APIKey to ApiKey 2018-01-14 18:06:15 +00:00			`use Pterodactyl\Models\ApiKey;`
Add new API middleware 2017-11-19 20:05:13 +00:00			`use Illuminate\Auth\AuthManager;`
Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints 2021-11-17 04:02:18 +00:00			`use Illuminate\Support\Facades\Session;`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`use Illuminate\Contracts\Encryption\Encrypter;`
Add new API middleware 2017-11-19 20:05:13 +00:00			`use Symfony\Component\HttpKernel\Exception\HttpException;`
			`use Pterodactyl\Exceptions\Repository\RecordNotFoundException;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;`
Add new API middleware 2017-11-19 20:05:13 +00:00			`use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00
			`class AuthenticateKey`
			`{`
Add new API middleware 2017-11-19 20:05:13 +00:00			`/**`
			`* @var \Illuminate\Auth\AuthManager`
			`*/`
			`private $auth;`

Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`/**`
			`* @var \Illuminate\Contracts\Encryption\Encrypter`
			`*/`
			`private $encrypter;`

API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`/**`
			`* @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface`
			`*/`
			`private $repository;`

			`/**`
			`* AuthenticateKey constructor.`
			`*/`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`public function __construct(ApiKeyRepositoryInterface $repository, AuthManager $auth, Encrypter $encrypter)`
			`{`
Add new API middleware 2017-11-19 20:05:13 +00:00			`$this->auth = $auth;`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`$this->encrypter = $encrypter;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`$this->repository = $repository;`
			`}`

			`/**`
Fix session management on client API requests; closes #3727 Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for requests. That pathway found the current request user before continuing on to other in-app middleware, thus the user was available downstream. Changes introduced in 1.6.3 changed the throttler logic, therefore removing this step. As a result, the client API could not always get the currently authenticated user when cookies were used (aka, requests from the Panel UI, and not API directly). This change corrects the logic to get the session setup correctly before falling through to authenticating as a user using the API key. If a cookie is present and a user is found as a result that session will be used. If an API key is provided it is ignored when a cookie is also present. In order to keep the API stateless any session created for an API request stemming from an API key will have the associated session deleted at the end of the request, and the 'Set-Cookies' header will be stripped from the response. 2021-11-04 03:51:18 +00:00			`* Handle an API request by verifying that the provided API key is in a valid`
			`* format and exists in the database. If there is currently a user in the session`
			`* do not even bother to look at the token (they provided a cookie for this to`
			`* be the case).`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`*`
Add new API middleware 2017-11-19 20:05:13 +00:00			`* @return mixed`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`*`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`* @throws \Pterodactyl\Exceptions\Model\DataValidationException`
			`* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`*/`
Move everything around as needed to get things setup for the client API 2018-02-25 21:30:56 +00:00			`public function handle(Request $request, Closure $next, int $keyType)`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`{`
Strip out JWT usage and use cookies to track the currently logged in user 2018-07-15 05:42:58 +00:00			`if (is_null($request->bearerToken()) && is_null($request->user())) {`
Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints 2021-11-17 04:02:18 +00:00			`throw new HttpException(401, 'A bearer token or valid user session cookie must be provided to access this endpoint.', null, ['WWW-Authenticate' => 'Bearer']);`
Add new API middleware 2017-11-19 20:05:13 +00:00			`}`

Fix session management on client API requests; closes #3727 Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for requests. That pathway found the current request user before continuing on to other in-app middleware, thus the user was available downstream. Changes introduced in 1.6.3 changed the throttler logic, therefore removing this step. As a result, the client API could not always get the currently authenticated user when cookies were used (aka, requests from the Panel UI, and not API directly). This change corrects the logic to get the session setup correctly before falling through to authenticating as a user using the API key. If a cookie is present and a user is found as a result that session will be used. If an API key is provided it is ignored when a cookie is also present. In order to keep the API stateless any session created for an API request stemming from an API key will have the associated session deleted at the end of the request, and the 'Set-Cookies' header will be stripped from the response. 2021-11-04 03:51:18 +00:00			`// This is a request coming through using cookies, we have an authenticated user`
			`// not using an API key. Make some fake API key models and continue on through`
			`// the process.`
			`if ($request->user() instanceof User) {`
Add test, fix behavior of model creation 2018-07-15 05:58:33 +00:00			`$model = (new ApiKey())->forceFill([`
Strip out JWT usage and use cookies to track the currently logged in user 2018-07-15 05:42:58 +00:00			`'user_id' => $request->user()->id,`
			`'key_type' => ApiKey::TYPE_ACCOUNT,`
			`]);`
Revert use of cookies, go back to using a JWT 2018-06-07 05:49:44 +00:00			`} else {`
Fix session management on client API requests; closes #3727 Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for requests. That pathway found the current request user before continuing on to other in-app middleware, thus the user was available downstream. Changes introduced in 1.6.3 changed the throttler logic, therefore removing this step. As a result, the client API could not always get the currently authenticated user when cookies were used (aka, requests from the Panel UI, and not API directly). This change corrects the logic to get the session setup correctly before falling through to authenticating as a user using the API key. If a cookie is present and a user is found as a result that session will be used. If an API key is provided it is ignored when a cookie is also present. In order to keep the API stateless any session created for an API request stemming from an API key will have the associated session deleted at the end of the request, and the 'Set-Cookies' header will be stripped from the response. 2021-11-04 03:51:18 +00:00			`$model = $this->authenticateApiKey($request->bearerToken(), $keyType);`

Add test, fix behavior of model creation 2018-07-15 05:58:33 +00:00			`$this->auth->guard()->loginUsingId($model->user_id);`
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`}`
Use the client API to load servers on the listing page 2018-05-28 20:23:40 +00:00
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`$request->attributes->set('api_key', $model);`
Use the client API to load servers on the listing page 2018-05-28 20:23:40 +00:00
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`return $next($request);`
			`}`
Use the client API to load servers on the listing page 2018-05-28 20:23:40 +00:00
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`/**`
			`* Authenticate an API key.`
			`*`
			`* @throws \Pterodactyl\Exceptions\Model\DataValidationException`
			`* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException`
			`*/`
			`protected function authenticateApiKey(string $key, int $keyType): ApiKey`
			`{`
			`$identifier = substr($key, 0, ApiKey::IDENTIFIER_LENGTH);`
			`$token = substr($key, ApiKey::IDENTIFIER_LENGTH);`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00
Add new API middleware 2017-11-19 20:05:13 +00:00			`try {`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`$model = $this->repository->findFirstWhere([`
			`['identifier', '=', $identifier],`
Move everything around as needed to get things setup for the client API 2018-02-25 21:30:56 +00:00			`['key_type', '=', $keyType],`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`]);`
Add new API middleware 2017-11-19 20:05:13 +00:00			`} catch (RecordNotFoundException $exception) {`
Use more standardized phpcs 2021-01-23 20:33:34 +00:00			`throw new AccessDeniedHttpException();`
Add new API middleware 2017-11-19 20:05:13 +00:00			`}`

Use more standardized phpcs 2021-01-23 20:33:34 +00:00			`if (!hash_equals($this->encrypter->decrypt($model->token), $token)) {`
			`throw new AccessDeniedHttpException();`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`}`

Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 20:09:16 +00:00			`$this->repository->withoutFreshModel()->update($model->id, ['last_used_at' => CarbonImmutable::now()]);`
Add new API middleware 2017-11-19 20:05:13 +00:00
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`return $model;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`}`
			`}`