2015-12-06 18:58:49 +00:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
namespace Pterodactyl\Http\Middleware;
|
|
|
|
|
|
2021-11-17 04:02:18 +00:00
|
|
|
use Closure;
|
|
|
|
|
use Pterodactyl\Models\ApiKey;
|
2015-12-06 18:58:49 +00:00
|
|
|
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
|
|
|
|
|
|
|
|
|
|
class VerifyCsrfToken extends BaseVerifier
|
|
|
|
|
{
|
|
|
|
|
/**
|
2021-11-17 04:02:18 +00:00
|
|
|
* The URIs that should be excluded from CSRF verification. These are
|
|
|
|
|
* never hit by the front-end, and require specific token validation
|
|
|
|
|
* to work.
|
2015-12-06 18:58:49 +00:00
|
|
|
*
|
2021-11-17 04:02:18 +00:00
|
|
|
* @var string[]
|
2015-12-06 18:58:49 +00:00
|
|
|
*/
|
2021-11-17 04:02:18 +00:00
|
|
|
protected $except = ['remote/*', 'daemon/*'];
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Manually apply CSRF protection to routes depending on the authentication
|
|
|
|
|
* mechanism being used. If the API request is using an API key that exists
|
|
|
|
|
* in the database we can safely ignore CSRF protections, since that would be
|
|
|
|
|
* a manually initiated request by a user or server.
|
|
|
|
|
*
|
|
|
|
|
* All other requests should go through the standard CSRF protections that
|
|
|
|
|
* Laravel affords us. This code will be removed in v2 since we have switched
|
|
|
|
|
* to using Sanctum for the API endpoints, which handles that for us automatically.
|
|
|
|
|
*
|
|
|
|
|
* @param \Illuminate\Http\Request $request
|
2022-05-04 23:01:29 +00:00
|
|
|
*
|
2021-11-17 04:02:18 +00:00
|
|
|
* @return mixed
|
|
|
|
|
*
|
|
|
|
|
* @throws \Illuminate\Session\TokenMismatchException
|
|
|
|
|
*/
|
|
|
|
|
public function handle($request, Closure $next)
|
|
|
|
|
{
|
|
|
|
|
$key = $request->attributes->get('api_key');
|
|
|
|
|
|
|
|
|
|
if ($key instanceof ApiKey && $key->exists) {
|
|
|
|
|
return $next($request);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return parent::handle($request, $next);
|
|
|
|
|
}
|
2015-12-06 18:58:49 +00:00
|
|
|
}
|
