Mark a request as being stateful if a cookie for the session is provided at all
This accounts for poorly configured API clients that try to use cookies for authentication purposes. Treat everything with a session cookie as being a stateful request from the front-end.
This commit is contained in:
DaneEveritt
parent
33bafe9277
commit
0fa33e0438
3 changed files with 61 additions and 4 deletions
|
|
@ -179,9 +179,9 @@ class Handler extends ExceptionHandler
|
|||
)),
|
||||
];
|
||||
|
||||
$converted = self::convertToArray($exception)['errors'][0];
|
||||
$converted = $this->convertExceptionToArray($exception)['errors'][0];
|
||||
$converted['detail'] = $error;
|
||||
$converted['meta'] = is_array($converted['meta'] ?? null) ? array_merge($converted['meta'], $meta) : $meta;
|
||||
$converted['meta'] = array_merge($converted['meta'] ?? [], $meta);
|
||||
|
||||
$response[] = $converted;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,6 +19,7 @@ use Illuminate\Routing\Middleware\SubstituteBindings;
|
|||
use Illuminate\Session\Middleware\AuthenticateSession;
|
||||
use Illuminate\View\Middleware\ShareErrorsFromSession;
|
||||
use Pterodactyl\Http\Middleware\MaintenanceMiddleware;
|
||||
use Pterodactyl\Http\Middleware\EnsureStatefulRequests;
|
||||
use Pterodactyl\Http\Middleware\RedirectIfAuthenticated;
|
||||
use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth;
|
||||
use Pterodactyl\Http\Middleware\Api\AuthenticateIPAccess;
|
||||
|
|
@ -29,7 +30,6 @@ use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
|
|||
use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode;
|
||||
use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull;
|
||||
use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientBindings;
|
||||
use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;
|
||||
use Pterodactyl\Http\Middleware\Api\Application\AuthenticateApplicationUser;
|
||||
|
||||
class Kernel extends HttpKernel
|
||||
|
|
@ -66,7 +66,7 @@ class Kernel extends HttpKernel
|
|||
],
|
||||
'api' => [
|
||||
IsValidJson::class,
|
||||
EnsureFrontendRequestsAreStateful::class,
|
||||
EnsureStatefulRequests::class,
|
||||
'auth:sanctum',
|
||||
RequireTwoFactorAuthentication::class,
|
||||
AuthenticateIPAccess::class,
|
||||
|
|
|
|||
57
app/Http/Middleware/EnsureStatefulRequests.php
Normal file
57
app/Http/Middleware/EnsureStatefulRequests.php
Normal file
|
|
@ -0,0 +1,57 @@
|
|||
<?php
|
||||
|
||||
namespace Pterodactyl\Http\Middleware;
|
||||
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Routing\Pipeline;
|
||||
use Illuminate\Session\Middleware\StartSession;
|
||||
use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
|
||||
use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;
|
||||
|
||||
class EnsureStatefulRequests extends EnsureFrontendRequestsAreStateful
|
||||
{
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
public function handle($request, $next)
|
||||
{
|
||||
$this->configureSecureCookieSessions();
|
||||
|
||||
return (new Pipeline(app()))
|
||||
->send($request)
|
||||
->through($this->isStateful($request) ? $this->statefulMiddleware() : [])
|
||||
->then(fn ($request) => $next($request));
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if a request is stateful or not. This is determined using the default
|
||||
* Sanctum "fromFrontend" helper method. However, we also check if the request includes
|
||||
* a cookie value for the Pterodactyl session. If so, we assume this is a stateful
|
||||
* request.
|
||||
*
|
||||
* We don't want to support API usage using the cookies, except for requests stemming
|
||||
* from the front-end we control.
|
||||
*/
|
||||
protected function isStateful(Request $request): bool
|
||||
{
|
||||
return static::fromFrontend($request) || $request->hasCookie(config('session.cookie'));
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the middleware to be applied to a stateful request to the API.
|
||||
*/
|
||||
protected function statefulMiddleware(): array
|
||||
{
|
||||
return [
|
||||
function ($request, $next) {
|
||||
$request->attributes->set('sanctum', true);
|
||||
|
||||
return $next($request);
|
||||
},
|
||||
config('sanctum.middleware.encrypt_cookies', EncryptCookies::class),
|
||||
AddQueuedCookiesToResponse::class,
|
||||
StartSession::class,
|
||||
config('sanctum.middleware.verify_csrf_token', VerifyCsrfToken::class),
|
||||
];
|
||||
}
|
||||
}
|
||||
Loading…
Reference in a new issue