misc_pterodactyl-panel/app/Http/Middleware/Api/AuthenticateKey.php

<?php

namespace Pterodactyl\Http\Middleware\Api;

use Closure;
use Lcobucci\JWT\Parser;
use Cake\Chronos\Chronos;
use Illuminate\Http\Request;
use Pterodactyl\Models\ApiKey;
use Illuminate\Auth\AuthManager;
use Illuminate\Contracts\Encryption\Encrypter;
use Pterodactyl\Traits\Helpers\ProvidesJWTServices;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class AuthenticateKey
{
    use ProvidesJWTServices;

    /**
     * @var \Illuminate\Auth\AuthManager
     */
    private $auth;

    /**
     * @var \Illuminate\Contracts\Encryption\Encrypter
     */
    private $encrypter;

    /**
     * @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface
     */
    private $repository;

    /**
     * AuthenticateKey constructor.
     *
     * @param \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface $repository
     * @param \Illuminate\Auth\AuthManager                                $auth
     * @param \Illuminate\Contracts\Encryption\Encrypter                  $encrypter
     */
    public function __construct(ApiKeyRepositoryInterface $repository, AuthManager $auth, Encrypter $encrypter)
    {
        $this->auth = $auth;
        $this->encrypter = $encrypter;
        $this->repository = $repository;
    }

    /**
     * Handle an API request by verifying that the provided API key
     * is in a valid format and exists in the database.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure                 $next
     * @param int                      $keyType
     * @return mixed
     *
     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
     */
    public function handle(Request $request, Closure $next, int $keyType)
    {
        if (is_null($request->bearerToken())) {
            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
        }

        $raw = $request->bearerToken();

        // This is an internal JWT, treat it differently to get the correct user before passing it along.
        if (strlen($raw) > ApiKey::IDENTIFIER_LENGTH + ApiKey::KEY_LENGTH) {
            $model = $this->authenticateJWT($raw);
        } else {
            $model = $this->authenticateApiKey($raw, $keyType);
        }

        $this->auth->guard()->loginUsingId($model->user_id);
        $request->attributes->set('api_key', $model);

        return $next($request);
    }

    /**
     * Authenticate an API request using a JWT rather than an API key.
     *
     * @param string $token
     * @return \Pterodactyl\Models\ApiKey
     */
    protected function authenticateJWT(string $token): ApiKey
    {
        $token = (new Parser)->parse($token);

        // If the key cannot be verified throw an exception to indicate that a bad
        // authorization header was provided.
        if (! $token->verify($this->getJWTSigner(), $this->getJWTSigningKey())) {
            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
        }

        // Run through the token validation and throw an exception if the token is not valid.
        //
        // The issued_at time is used for verification in order to allow rapid changing of session
        // length on the Panel without having to wait on existing tokens to first expire.
        $now = Chronos::now('utc');
        if (
            Chronos::createFromTimestampUTC($token->getClaim('nbf'))->gt($now)
            || $token->getClaim('iss') !== 'Pterodactyl Panel'
            || $token->getClaim('aud') !== config('app.url')
            || Chronos::createFromTimestampUTC($token->getClaim('iat'))->addMinutes(config('jwt.lifetime'))->lte($now)
        ) {
            throw new AccessDeniedHttpException('The authentication parameters provided are not valid for accessing this resource.');
        }

        return (new ApiKey)->forceFill([
            'user_id' => object_get($token->getClaim('user'), 'id', 0),
            'key_type' => ApiKey::TYPE_ACCOUNT,
        ]);
    }

    /**
     * Authenticate an API key.
     *
     * @param string $key
     * @param int    $keyType
     * @return \Pterodactyl\Models\ApiKey
     *
     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
     */
    protected function authenticateApiKey(string $key, int $keyType): ApiKey
    {
        $identifier = substr($key, 0, ApiKey::IDENTIFIER_LENGTH);
        $token = substr($key, ApiKey::IDENTIFIER_LENGTH);

        try {
            $model = $this->repository->findFirstWhere([
                ['identifier', '=', $identifier],
                ['key_type', '=', $keyType],
            ]);
        } catch (RecordNotFoundException $exception) {
            throw new AccessDeniedHttpException;
        }

        if (! hash_equals($this->encrypter->decrypt($model->token), $token)) {
            throw new AccessDeniedHttpException;
        }

        $this->repository->withoutFreshModel()->update($model->id, ['last_used_at' => Chronos::now()]);

        return $model;
    }
}
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`<?php`

Move everything around as needed to get things setup for the client API 2018-02-25 21:30:56 +00:00			`namespace Pterodactyl\Http\Middleware\Api;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00
			`use Closure;`
Use the client API to load servers on the listing page 2018-05-28 20:23:40 +00:00			`use Lcobucci\JWT\Parser;`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`use Cake\Chronos\Chronos;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`use Illuminate\Http\Request;`
Rename APIKey to ApiKey 2018-01-14 18:06:15 +00:00			`use Pterodactyl\Models\ApiKey;`
Add new API middleware 2017-11-19 20:05:13 +00:00			`use Illuminate\Auth\AuthManager;`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`use Illuminate\Contracts\Encryption\Encrypter;`
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`use Pterodactyl\Traits\Helpers\ProvidesJWTServices;`
Add new API middleware 2017-11-19 20:05:13 +00:00			`use Symfony\Component\HttpKernel\Exception\HttpException;`
			`use Pterodactyl\Exceptions\Repository\RecordNotFoundException;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;`
Add new API middleware 2017-11-19 20:05:13 +00:00			`use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00
			`class AuthenticateKey`
			`{`
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`use ProvidesJWTServices;`

Add new API middleware 2017-11-19 20:05:13 +00:00			`/**`
			`* @var \Illuminate\Auth\AuthManager`
			`*/`
			`private $auth;`

Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`/**`
			`* @var \Illuminate\Contracts\Encryption\Encrypter`
			`*/`
			`private $encrypter;`

API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`/**`
			`* @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface`
			`*/`
			`private $repository;`

			`/**`
			`* AuthenticateKey constructor.`
			`*`
			`* @param \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface $repository`
Add new API middleware 2017-11-19 20:05:13 +00:00			`* @param \Illuminate\Auth\AuthManager $auth`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`* @param \Illuminate\Contracts\Encryption\Encrypter $encrypter`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`*/`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`public function __construct(ApiKeyRepositoryInterface $repository, AuthManager $auth, Encrypter $encrypter)`
			`{`
Add new API middleware 2017-11-19 20:05:13 +00:00			`$this->auth = $auth;`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`$this->encrypter = $encrypter;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`$this->repository = $repository;`
			`}`

			`/**`
			`* Handle an API request by verifying that the provided API key`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`* is in a valid format and exists in the database.`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`*`
			`* @param \Illuminate\Http\Request $request`
			`* @param \Closure $next`
Move everything around as needed to get things setup for the client API 2018-02-25 21:30:56 +00:00			`* @param int $keyType`
Add new API middleware 2017-11-19 20:05:13 +00:00			`* @return mixed`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`*`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`* @throws \Pterodactyl\Exceptions\Model\DataValidationException`
			`* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`*/`
Move everything around as needed to get things setup for the client API 2018-02-25 21:30:56 +00:00			`public function handle(Request $request, Closure $next, int $keyType)`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`{`
Add new API middleware 2017-11-19 20:05:13 +00:00			`if (is_null($request->bearerToken())) {`
Revert use of cookies, go back to using a JWT 2018-06-07 05:49:44 +00:00			`throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);`
Add new API middleware 2017-11-19 20:05:13 +00:00			`}`

Revert use of cookies, go back to using a JWT 2018-06-07 05:49:44 +00:00			`$raw = $request->bearerToken();`
Add JWT to login forms 2018-05-28 19:48:42 +00:00
Revert use of cookies, go back to using a JWT 2018-06-07 05:49:44 +00:00			`// This is an internal JWT, treat it differently to get the correct user before passing it along.`
			`if (strlen($raw) > ApiKey::IDENTIFIER_LENGTH + ApiKey::KEY_LENGTH) {`
			`$model = $this->authenticateJWT($raw);`
			`} else {`
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`$model = $this->authenticateApiKey($raw, $keyType);`
			`}`
Use the client API to load servers on the listing page 2018-05-28 20:23:40 +00:00
Revert use of cookies, go back to using a JWT 2018-06-07 05:49:44 +00:00			`$this->auth->guard()->loginUsingId($model->user_id);`
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`$request->attributes->set('api_key', $model);`
Use the client API to load servers on the listing page 2018-05-28 20:23:40 +00:00
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`return $next($request);`
			`}`
Use the client API to load servers on the listing page 2018-05-28 20:23:40 +00:00
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`/**`
			`* Authenticate an API request using a JWT rather than an API key.`
			`*`
			`* @param string $token`
			`* @return \Pterodactyl\Models\ApiKey`
			`*/`
			`protected function authenticateJWT(string $token): ApiKey`
			`{`
			`$token = (new Parser)->parse($token);`

			`// If the key cannot be verified throw an exception to indicate that a bad`
			`// authorization header was provided.`
			`if (! $token->verify($this->getJWTSigner(), $this->getJWTSigningKey())) {`
			`throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);`
Use the client API to load servers on the listing page 2018-05-28 20:23:40 +00:00			`}`

Revert use of cookies, go back to using a JWT 2018-06-07 05:49:44 +00:00			`// Run through the token validation and throw an exception if the token is not valid.`
Change login handling to automatically redirect a user if their session will need renewal. 2018-06-16 21:05:39 +00:00			`//`
			`// The issued_at time is used for verification in order to allow rapid changing of session`
			`// length on the Panel without having to wait on existing tokens to first expire.`
			`$now = Chronos::now('utc');`
Revert use of cookies, go back to using a JWT 2018-06-07 05:49:44 +00:00			`if (`
Change login handling to automatically redirect a user if their session will need renewal. 2018-06-16 21:05:39 +00:00			`Chronos::createFromTimestampUTC($token->getClaim('nbf'))->gt($now)`
Revert use of cookies, go back to using a JWT 2018-06-07 05:49:44 +00:00			`\|\| $token->getClaim('iss') !== 'Pterodactyl Panel'`
			`\|\| $token->getClaim('aud') !== config('app.url')`
Change login handling to automatically redirect a user if their session will need renewal. 2018-06-16 21:05:39 +00:00			`\|\| Chronos::createFromTimestampUTC($token->getClaim('iat'))->addMinutes(config('jwt.lifetime'))->lte($now)`
Revert use of cookies, go back to using a JWT 2018-06-07 05:49:44 +00:00			`) {`
Change login handling to automatically redirect a user if their session will need renewal. 2018-06-16 21:05:39 +00:00			`throw new AccessDeniedHttpException('The authentication parameters provided are not valid for accessing this resource.');`
Revert use of cookies, go back to using a JWT 2018-06-07 05:49:44 +00:00			`}`

Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`return (new ApiKey)->forceFill([`
			`'user_id' => object_get($token->getClaim('user'), 'id', 0),`
			`'key_type' => ApiKey::TYPE_ACCOUNT,`
			`]);`
			`}`

			`/**`
			`* Authenticate an API key.`
			`*`
			`* @param string $key`
			`* @param int $keyType`
			`* @return \Pterodactyl\Models\ApiKey`
			`*`
			`* @throws \Pterodactyl\Exceptions\Model\DataValidationException`
			`* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException`
			`*/`
			`protected function authenticateApiKey(string $key, int $keyType): ApiKey`
			`{`
			`$identifier = substr($key, 0, ApiKey::IDENTIFIER_LENGTH);`
			`$token = substr($key, ApiKey::IDENTIFIER_LENGTH);`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00
Add new API middleware 2017-11-19 20:05:13 +00:00			`try {`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`$model = $this->repository->findFirstWhere([`
			`['identifier', '=', $identifier],`
Move everything around as needed to get things setup for the client API 2018-02-25 21:30:56 +00:00			`['key_type', '=', $keyType],`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`]);`
Add new API middleware 2017-11-19 20:05:13 +00:00			`} catch (RecordNotFoundException $exception) {`
			`throw new AccessDeniedHttpException;`
			`}`

Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`if (! hash_equals($this->encrypter->decrypt($model->token), $token)) {`
			`throw new AccessDeniedHttpException;`
			`}`

Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`$this->repository->withoutFreshModel()->update($model->id, ['last_used_at' => Chronos::now()]);`
Add new API middleware 2017-11-19 20:05:13 +00:00
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`return $model;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`}`
			`}`