misc_pterodactyl-panel/app/Http/Middleware/Api/AuthenticateKey.php

<?php

namespace Pterodactyl\Http\Middleware\Api;

use Closure;
use Cake\Chronos\Chronos;
use Illuminate\Http\Request;
use Pterodactyl\Models\User;
use Pterodactyl\Models\ApiKey;
use Illuminate\Auth\AuthManager;
use Illuminate\Contracts\Encryption\Encrypter;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class AuthenticateKey
{
    /**
     * @var \Illuminate\Auth\AuthManager
     */
    private $auth;

    /**
     * @var \Illuminate\Contracts\Encryption\Encrypter
     */
    private $encrypter;

    /**
     * @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface
     */
    private $repository;

    /**
     * AuthenticateKey constructor.
     *
     * @param \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface $repository
     * @param \Illuminate\Auth\AuthManager $auth
     * @param \Illuminate\Contracts\Encryption\Encrypter $encrypter
     */
    public function __construct(ApiKeyRepositoryInterface $repository, AuthManager $auth, Encrypter $encrypter)
    {
        $this->auth = $auth;
        $this->encrypter = $encrypter;
        $this->repository = $repository;
    }

    /**
     * Handle an API request by verifying that the provided API key
     * is in a valid format and exists in the database.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @param int $keyType
     * @return mixed
     *
     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
     */
    public function handle(Request $request, Closure $next, int $keyType)
    {
        if (is_null($request->bearerToken()) && is_null($request->user())) {
            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
        }

        $raw = $request->bearerToken();

        // This is a request coming through using cookies, we have an authenticated user not using
        // an API key. Make some fake API key models and continue on through the process.
        if (empty($raw) && $request->user() instanceof User) {
            $model = (new ApiKey())->forceFill([
                'user_id' => $request->user()->id,
                'key_type' => ApiKey::TYPE_ACCOUNT,
            ]);
        } else {
            $model = $this->authenticateApiKey($raw, $keyType);
            $this->auth->guard()->loginUsingId($model->user_id);
        }

        $request->attributes->set('api_key', $model);

        return $next($request);
    }

    /**
     * Authenticate an API key.
     *
     * @param string $key
     * @param int $keyType
     * @return \Pterodactyl\Models\ApiKey
     *
     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
     */
    protected function authenticateApiKey(string $key, int $keyType): ApiKey
    {
        $identifier = substr($key, 0, ApiKey::IDENTIFIER_LENGTH);
        $token = substr($key, ApiKey::IDENTIFIER_LENGTH);

        try {
            $model = $this->repository->findFirstWhere([
                ['identifier', '=', $identifier],
                ['key_type', '=', $keyType],
            ]);
        } catch (RecordNotFoundException $exception) {
            throw new AccessDeniedHttpException;
        }

        if (! hash_equals($this->encrypter->decrypt($model->token), $token)) {
            throw new AccessDeniedHttpException;
        }

        $this->repository->withoutFreshModel()->update($model->id, ['last_used_at' => Chronos::now()]);

        return $model;
    }
}
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`<?php`

Move everything around as needed to get things setup for the client API 2018-02-25 21:30:56 +00:00			`namespace Pterodactyl\Http\Middleware\Api;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00
			`use Closure;`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`use Cake\Chronos\Chronos;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`use Illuminate\Http\Request;`
Strip out JWT usage and use cookies to track the currently logged in user 2018-07-15 05:42:58 +00:00			`use Pterodactyl\Models\User;`
Rename APIKey to ApiKey 2018-01-14 18:06:15 +00:00			`use Pterodactyl\Models\ApiKey;`
Add new API middleware 2017-11-19 20:05:13 +00:00			`use Illuminate\Auth\AuthManager;`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`use Illuminate\Contracts\Encryption\Encrypter;`
Add new API middleware 2017-11-19 20:05:13 +00:00			`use Symfony\Component\HttpKernel\Exception\HttpException;`
			`use Pterodactyl\Exceptions\Repository\RecordNotFoundException;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;`
Add new API middleware 2017-11-19 20:05:13 +00:00			`use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00
			`class AuthenticateKey`
			`{`
Add new API middleware 2017-11-19 20:05:13 +00:00			`/**`
			`* @var \Illuminate\Auth\AuthManager`
			`*/`
			`private $auth;`

Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`/**`
			`* @var \Illuminate\Contracts\Encryption\Encrypter`
			`*/`
			`private $encrypter;`

API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`/**`
			`* @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface`
			`*/`
			`private $repository;`

			`/**`
			`* AuthenticateKey constructor.`
			`*`
			`* @param \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface $repository`
Format files 2019-09-06 04:32:57 +00:00			`* @param \Illuminate\Auth\AuthManager $auth`
			`* @param \Illuminate\Contracts\Encryption\Encrypter $encrypter`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`*/`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`public function __construct(ApiKeyRepositoryInterface $repository, AuthManager $auth, Encrypter $encrypter)`
			`{`
Add new API middleware 2017-11-19 20:05:13 +00:00			`$this->auth = $auth;`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`$this->encrypter = $encrypter;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`$this->repository = $repository;`
			`}`

			`/**`
			`* Handle an API request by verifying that the provided API key`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`* is in a valid format and exists in the database.`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`*`
			`* @param \Illuminate\Http\Request $request`
Format files 2019-09-06 04:32:57 +00:00			`* @param \Closure $next`
			`* @param int $keyType`
Add new API middleware 2017-11-19 20:05:13 +00:00			`* @return mixed`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`*`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`* @throws \Pterodactyl\Exceptions\Model\DataValidationException`
			`* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`*/`
Move everything around as needed to get things setup for the client API 2018-02-25 21:30:56 +00:00			`public function handle(Request $request, Closure $next, int $keyType)`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`{`
Strip out JWT usage and use cookies to track the currently logged in user 2018-07-15 05:42:58 +00:00			`if (is_null($request->bearerToken()) && is_null($request->user())) {`
Revert use of cookies, go back to using a JWT 2018-06-07 05:49:44 +00:00			`throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);`
Add new API middleware 2017-11-19 20:05:13 +00:00			`}`

Revert use of cookies, go back to using a JWT 2018-06-07 05:49:44 +00:00			`$raw = $request->bearerToken();`
Add JWT to login forms 2018-05-28 19:48:42 +00:00
Strip out JWT usage and use cookies to track the currently logged in user 2018-07-15 05:42:58 +00:00			`// This is a request coming through using cookies, we have an authenticated user not using`
			`// an API key. Make some fake API key models and continue on through the process.`
			`if (empty($raw) && $request->user() instanceof User) {`
Add test, fix behavior of model creation 2018-07-15 05:58:33 +00:00			`$model = (new ApiKey())->forceFill([`
Strip out JWT usage and use cookies to track the currently logged in user 2018-07-15 05:42:58 +00:00			`'user_id' => $request->user()->id,`
			`'key_type' => ApiKey::TYPE_ACCOUNT,`
			`]);`
Revert use of cookies, go back to using a JWT 2018-06-07 05:49:44 +00:00			`} else {`
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`$model = $this->authenticateApiKey($raw, $keyType);`
Add test, fix behavior of model creation 2018-07-15 05:58:33 +00:00			`$this->auth->guard()->loginUsingId($model->user_id);`
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`}`
Use the client API to load servers on the listing page 2018-05-28 20:23:40 +00:00
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`$request->attributes->set('api_key', $model);`
Use the client API to load servers on the listing page 2018-05-28 20:23:40 +00:00
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`return $next($request);`
			`}`
Use the client API to load servers on the listing page 2018-05-28 20:23:40 +00:00
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`/**`
			`* Authenticate an API key.`
			`*`
			`* @param string $key`
Format files 2019-09-06 04:32:57 +00:00			`* @param int $keyType`
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`* @return \Pterodactyl\Models\ApiKey`
			`*`
			`* @throws \Pterodactyl\Exceptions\Model\DataValidationException`
			`* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException`
			`*/`
			`protected function authenticateApiKey(string $key, int $keyType): ApiKey`
			`{`
			`$identifier = substr($key, 0, ApiKey::IDENTIFIER_LENGTH);`
			`$token = substr($key, ApiKey::IDENTIFIER_LENGTH);`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00
Add new API middleware 2017-11-19 20:05:13 +00:00			`try {`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`$model = $this->repository->findFirstWhere([`
			`['identifier', '=', $identifier],`
Move everything around as needed to get things setup for the client API 2018-02-25 21:30:56 +00:00			`['key_type', '=', $keyType],`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`]);`
Add new API middleware 2017-11-19 20:05:13 +00:00			`} catch (RecordNotFoundException $exception) {`
			`throw new AccessDeniedHttpException;`
			`}`

Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`if (! hash_equals($this->encrypter->decrypt($model->token), $token)) {`
			`throw new AccessDeniedHttpException;`
			`}`

Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`$this->repository->withoutFreshModel()->update($model->id, ['last_used_at' => Chronos::now()]);`
Add new API middleware 2017-11-19 20:05:13 +00:00
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`return $model;`
API key UI changes and backend storage of the keys 2017-11-19 19:32:17 +00:00			`}`
			`}`