misc_pterodactyl-panel/app/Models/APIKey.php

<?php

namespace Pterodactyl\Models;

use Sofa\Eloquence\Eloquence;
use Sofa\Eloquence\Validable;
use Illuminate\Database\Eloquent\Model;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Illuminate\Contracts\Encryption\Encrypter;
use Sofa\Eloquence\Contracts\CleansAttributes;
use Sofa\Eloquence\Contracts\Validable as ValidableContract;

class APIKey extends Model implements CleansAttributes, ValidableContract
{
    use Eloquence, Validable;

    /**
     * The length of API key identifiers.
     */
    const IDENTIFIER_LENGTH = 16;

    /**
     * The length of the actual API key that is encrypted and stored
     * in the database.
     */
    const KEY_LENGTH = 32;

    /**
     * The table associated with the model.
     *
     * @var string
     */
    protected $table = 'api_keys';

    /**
     * Cast values to correct type.
     *
     * @var array
     */
    protected $casts = [
        'allowed_ips' => 'json',
        'user_id' => 'int',
        'r_' . AdminAcl::RESOURCE_USERS => 'int',
        'r_' . AdminAcl::RESOURCE_ALLOCATIONS => 'int',
        'r_' . AdminAcl::RESOURCE_DATABASES => 'int',
        'r_' . AdminAcl::RESOURCE_EGGS => 'int',
        'r_' . AdminAcl::RESOURCE_LOCATIONS => 'int',
        'r_' . AdminAcl::RESOURCE_NESTS => 'int',
        'r_' . AdminAcl::RESOURCE_NODES => 'int',
        'r_' . AdminAcl::RESOURCE_PACKS => 'int',
        'r_' . AdminAcl::RESOURCE_SERVERS => 'int',
    ];

    /**
     * Fields that are mass assignable.
     *
     * @var array
     */
    protected $fillable = [
        'identifier',
        'token',
        'allowed_ips',
        'memo',
    ];

    /**
     * Fields that should not be included when calling toArray() or toJson()
     * on this model.
     *
     * @var array
     */
    protected $hidden = ['token'];

    /**
     * Rules defining what fields must be passed when making a model.
     *
     * @var array
     */
    protected static $applicationRules = [
        'identifier' => 'required',
        'memo' => 'required',
        'user_id' => 'required',
        'token' => 'required',
    ];

    /**
     * Rules to protect aganist invalid data entry to DB.
     *
     * @var array
     */
    protected static $dataIntegrityRules = [
        'user_id' => 'exists:users,id',
        'identifier' => 'string|size:16|unique:api_keys,identifier',
        'token' => 'string',
        'memo' => 'nullable|string|max:500',
        'allowed_ips' => 'nullable|json',
        'last_used_at' => 'nullable|date',
        'r_' . AdminAcl::RESOURCE_USERS => 'integer|min:0|max:3',
        'r_' . AdminAcl::RESOURCE_ALLOCATIONS => 'integer|min:0|max:3',
        'r_' . AdminAcl::RESOURCE_DATABASES => 'integer|min:0|max:3',
        'r_' . AdminAcl::RESOURCE_EGGS => 'integer|min:0|max:3',
        'r_' . AdminAcl::RESOURCE_LOCATIONS => 'integer|min:0|max:3',
        'r_' . AdminAcl::RESOURCE_NESTS => 'integer|min:0|max:3',
        'r_' . AdminAcl::RESOURCE_NODES => 'integer|min:0|max:3',
        'r_' . AdminAcl::RESOURCE_PACKS => 'integer|min:0|max:3',
        'r_' . AdminAcl::RESOURCE_SERVERS => 'integer|min:0|max:3',
    ];

    /**
     * @var array
     */
    protected $dates = [
        self::CREATED_AT,
        self::UPDATED_AT,
        'last_used_at',
    ];

    /**
     * Return a decrypted version of the token.
     *
     * @return string
     */
    public function getDecryptedTokenAttribute()
    {
        return app()->make(Encrypter::class)->decrypt($this->token);
    }

    /**
     * Gets the permissions associated with a key.
     *
     * @return \Illuminate\Database\Eloquent\Relations\HasMany
     */
    public function permissions()
    {
        return $this->hasMany(APIPermission::class, 'key_id');
    }
}
Change authentication method for API. 2016-01-16 00:26:50 +00:00			`<?php`
Apply fixes from StyleCI 2016-12-07 22:46:38 +00:00
Change authentication method for API. 2016-01-16 00:26:50 +00:00			`namespace Pterodactyl\Models;`

Add ApiKey service, cleanup old API key methods https://zube.io/pterodactyl/panel/c/525 2017-06-25 20:31:50 +00:00			`use Sofa\Eloquence\Eloquence;`
			`use Sofa\Eloquence\Validable;`
Change authentication method for API. 2016-01-16 00:26:50 +00:00			`use Illuminate\Database\Eloquent\Model;`
First round of changes to API to support simpler permissions. 2018-01-12 04:49:46 +00:00			`use Pterodactyl\Services\Acl\Api\AdminAcl;`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`use Illuminate\Contracts\Encryption\Encrypter;`
More repository/service/refactor changes 2017-08-12 20:29:01 +00:00			`use Sofa\Eloquence\Contracts\CleansAttributes;`
Add ApiKey service, cleanup old API key methods https://zube.io/pterodactyl/panel/c/525 2017-06-25 20:31:50 +00:00			`use Sofa\Eloquence\Contracts\Validable as ValidableContract;`
Change authentication method for API. 2016-01-16 00:26:50 +00:00
More repository/service/refactor changes 2017-08-12 20:29:01 +00:00			`class APIKey extends Model implements CleansAttributes, ValidableContract`
Change authentication method for API. 2016-01-16 00:26:50 +00:00			`{`
Add ApiKey service, cleanup old API key methods https://zube.io/pterodactyl/panel/c/525 2017-06-25 20:31:50 +00:00			`use Eloquence, Validable;`
Improved logic for handling permissions on API routes. Still only partially implemented, however this method will allow the inclusion of data that is granted with servers (such as viewing more about the node, node location, allocations, etc) while still limiting someone from doing `?include=node.servers` and listing all servers when they don’t have list-servers as a permission. 2017-04-08 16:05:29 +00:00
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`/**`
			`* The length of API key identifiers.`
			`*/`
			`const IDENTIFIER_LENGTH = 16;`

			`/**`
			`* The length of the actual API key that is encrypted and stored`
			`* in the database.`
			`*/`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`const KEY_LENGTH = 32;`

Change authentication method for API. 2016-01-16 00:26:50 +00:00			`/**`
			`* The table associated with the model.`
			`*`
			`* @var string`
			`*/`
			`protected $table = 'api_keys';`

Initial moves to new API scheme. Implements a better middleware for handling API authentication, as well as cleaner route handling. 2017-04-02 04:11:52 +00:00			`/**`
			`* Cast values to correct type.`
			`*`
			`* @var array`
			`*/`
			`protected $casts = [`
			`'allowed_ips' => 'json',`
First round of changes to API to support simpler permissions. 2018-01-12 04:49:46 +00:00			`'user_id' => 'int',`
			`'r_' . AdminAcl::RESOURCE_USERS => 'int',`
			`'r_' . AdminAcl::RESOURCE_ALLOCATIONS => 'int',`
			`'r_' . AdminAcl::RESOURCE_DATABASES => 'int',`
			`'r_' . AdminAcl::RESOURCE_EGGS => 'int',`
			`'r_' . AdminAcl::RESOURCE_LOCATIONS => 'int',`
			`'r_' . AdminAcl::RESOURCE_NESTS => 'int',`
			`'r_' . AdminAcl::RESOURCE_NODES => 'int',`
			`'r_' . AdminAcl::RESOURCE_PACKS => 'int',`
			`'r_' . AdminAcl::RESOURCE_SERVERS => 'int',`
Initial moves to new API scheme. Implements a better middleware for handling API authentication, as well as cleaner route handling. 2017-04-02 04:11:52 +00:00			`];`

add initial api management page 2016-01-16 06:20:27 +00:00			`/**`
First round of changes to API to support simpler permissions. 2018-01-12 04:49:46 +00:00			`* Fields that are mass assignable.`
add initial api management page 2016-01-16 06:20:27 +00:00			`*`
			`* @var array`
			`*/`
First round of changes to API to support simpler permissions. 2018-01-12 04:49:46 +00:00			`protected $fillable = [`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`'identifier',`
First round of changes to API to support simpler permissions. 2018-01-12 04:49:46 +00:00			`'token',`
			`'allowed_ips',`
			`'memo',`
			`];`
API Model updates. 2017-02-10 22:29:10 +00:00
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`/**`
			`* Fields that should not be included when calling toArray() or toJson()`
			`* on this model.`
			`*`
			`* @var array`
			`*/`
			`protected $hidden = ['token'];`

Add ApiKey service, cleanup old API key methods https://zube.io/pterodactyl/panel/c/525 2017-06-25 20:31:50 +00:00			`/**`
			`* Rules defining what fields must be passed when making a model.`
			`*`
			`* @var array`
			`*/`
			`protected static $applicationRules = [`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`'identifier' => 'required',`
Add ApiKey service, cleanup old API key methods https://zube.io/pterodactyl/panel/c/525 2017-06-25 20:31:50 +00:00			`'memo' => 'required',`
			`'user_id' => 'required',`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`'token' => 'required',`
Add ApiKey service, cleanup old API key methods https://zube.io/pterodactyl/panel/c/525 2017-06-25 20:31:50 +00:00			`];`

			`/**`
			`* Rules to protect aganist invalid data entry to DB.`
			`*`
			`* @var array`
			`*/`
			`protected static $dataIntegrityRules = [`
			`'user_id' => 'exists:users,id',`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`'identifier' => 'string\|size:16\|unique:api_keys,identifier',`
			`'token' => 'string',`
Add ApiKey service, cleanup old API key methods https://zube.io/pterodactyl/panel/c/525 2017-06-25 20:31:50 +00:00			`'memo' => 'nullable\|string\|max:500',`
			`'allowed_ips' => 'nullable\|json',`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`'last_used_at' => 'nullable\|date',`
First round of changes to API to support simpler permissions. 2018-01-12 04:49:46 +00:00			`'r_' . AdminAcl::RESOURCE_USERS => 'integer\|min:0\|max:3',`
			`'r_' . AdminAcl::RESOURCE_ALLOCATIONS => 'integer\|min:0\|max:3',`
			`'r_' . AdminAcl::RESOURCE_DATABASES => 'integer\|min:0\|max:3',`
			`'r_' . AdminAcl::RESOURCE_EGGS => 'integer\|min:0\|max:3',`
			`'r_' . AdminAcl::RESOURCE_LOCATIONS => 'integer\|min:0\|max:3',`
			`'r_' . AdminAcl::RESOURCE_NESTS => 'integer\|min:0\|max:3',`
			`'r_' . AdminAcl::RESOURCE_NODES => 'integer\|min:0\|max:3',`
			`'r_' . AdminAcl::RESOURCE_PACKS => 'integer\|min:0\|max:3',`
			`'r_' . AdminAcl::RESOURCE_SERVERS => 'integer\|min:0\|max:3',`
			`];`

			`/**`
			`* @var array`
			`*/`
			`protected $dates = [`
			`self::CREATED_AT,`
			`self::UPDATED_AT,`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`'last_used_at',`
Add ApiKey service, cleanup old API key methods https://zube.io/pterodactyl/panel/c/525 2017-06-25 20:31:50 +00:00			`];`

Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`/**`
			`* Return a decrypted version of the token.`
			`*`
			`* @return string`
			`*/`
			`public function getDecryptedTokenAttribute()`
			`{`
			`return app()->make(Encrypter::class)->decrypt($this->token);`
			`}`

API Model updates. 2017-02-10 22:29:10 +00:00			`/**`
			`* Gets the permissions associated with a key.`
			`*`
			`* @return \Illuminate\Database\Eloquent\Relations\HasMany`
			`*/`
			`public function permissions()`
			`{`
			`return $this->hasMany(APIPermission::class, 'key_id');`
			`}`
Change authentication method for API. 2016-01-16 00:26:50 +00:00			`}`