misc_pterodactyl-panel/app/Http/Middleware/Api/HandleStatelessRequest.php

<?php

namespace Pterodactyl\Http\Middleware\Api;

use Closure;
use Illuminate\Http\Request;

class HandleStatelessRequest
{
    /**
     * Ensure that the 'Set-Cookie' header is removed from the response if
     * a bearer token is present and there is an api_key in the request attributes.
     *
     * This will also delete the session from the database automatically so that
     * it is effectively treated as a stateless request. Any additional requests
     * attempting to use that session will find no data.
     *
     * @return \Illuminate\Http\Response
     */
    public function handle(Request $request, Closure $next)
    {
        /** @var \Illuminate\Http\Response $response */
        $response = $next($request);

        if (!is_null($request->bearerToken()) && $request->isJson()) {
            $request->session()->getHandler()->destroy(
                $request->session()->getId()
            );

            $response->headers->remove('Set-Cookie');
        }

        return $response;
    }
}
Fix session management on client API requests; closes #3727 Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for requests. That pathway found the current request user before continuing on to other in-app middleware, thus the user was available downstream. Changes introduced in 1.6.3 changed the throttler logic, therefore removing this step. As a result, the client API could not always get the currently authenticated user when cookies were used (aka, requests from the Panel UI, and not API directly). This change corrects the logic to get the session setup correctly before falling through to authenticating as a user using the API key. If a cookie is present and a user is found as a result that session will be used. If an API key is provided it is ignored when a cookie is also present. In order to keep the API stateless any session created for an API request stemming from an API key will have the associated session deleted at the end of the request, and the 'Set-Cookies' header will be stripped from the response. 2021-11-04 03:51:18 +00:00			`<?php`

			`namespace Pterodactyl\Http\Middleware\Api;`

			`use Closure;`
			`use Illuminate\Http\Request;`

			`class HandleStatelessRequest`
			`{`
			`/**`
			`* Ensure that the 'Set-Cookie' header is removed from the response if`
			`* a bearer token is present and there is an api_key in the request attributes.`
			`*`
			`* This will also delete the session from the database automatically so that`
			`* it is effectively treated as a stateless request. Any additional requests`
			`* attempting to use that session will find no data.`
			`*`
			`* @return \Illuminate\Http\Response`
			`*/`
			`public function handle(Request $request, Closure $next)`
			`{`
			`/** @var \Illuminate\Http\Response $response */`
			`$response = $next($request);`

			`if (!is_null($request->bearerToken()) && $request->isJson()) {`
			`$request->session()->getHandler()->destroy(`
			`$request->session()->getId()`
			`);`

			`$response->headers->remove('Set-Cookie');`
			`}`

			`return $response;`
			`}`
			`}`