Mark a request as being stateful if a cookie for the session is provided at all
This accounts for poorly configured API clients that try to use cookies for authentication purposes. Treat everything with a session cookie as being a stateful request from the front-end.
This commit is contained in:
DaneEveritt
parent
33bafe9277
commit
0fa33e0438
3 changed files with 61 additions and 4 deletions
|
|
@ -179,9 +179,9 @@ class Handler extends ExceptionHandler
|
||||||
)),
|
)),
|
||||||
];
|
];
|
||||||
|
|
||||||
$converted = self::convertToArray($exception)['errors'][0];
|
$converted = $this->convertExceptionToArray($exception)['errors'][0];
|
||||||
$converted['detail'] = $error;
|
$converted['detail'] = $error;
|
||||||
$converted['meta'] = is_array($converted['meta'] ?? null) ? array_merge($converted['meta'], $meta) : $meta;
|
$converted['meta'] = array_merge($converted['meta'] ?? [], $meta);
|
||||||
|
|
||||||
$response[] = $converted;
|
$response[] = $converted;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -19,6 +19,7 @@ use Illuminate\Routing\Middleware\SubstituteBindings;
|
||||||
use Illuminate\Session\Middleware\AuthenticateSession;
|
use Illuminate\Session\Middleware\AuthenticateSession;
|
||||||
use Illuminate\View\Middleware\ShareErrorsFromSession;
|
use Illuminate\View\Middleware\ShareErrorsFromSession;
|
||||||
use Pterodactyl\Http\Middleware\MaintenanceMiddleware;
|
use Pterodactyl\Http\Middleware\MaintenanceMiddleware;
|
||||||
|
use Pterodactyl\Http\Middleware\EnsureStatefulRequests;
|
||||||
use Pterodactyl\Http\Middleware\RedirectIfAuthenticated;
|
use Pterodactyl\Http\Middleware\RedirectIfAuthenticated;
|
||||||
use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth;
|
use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth;
|
||||||
use Pterodactyl\Http\Middleware\Api\AuthenticateIPAccess;
|
use Pterodactyl\Http\Middleware\Api\AuthenticateIPAccess;
|
||||||
|
|
@ -29,7 +30,6 @@ use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
|
||||||
use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode;
|
use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode;
|
||||||
use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull;
|
use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull;
|
||||||
use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientBindings;
|
use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientBindings;
|
||||||
use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;
|
|
||||||
use Pterodactyl\Http\Middleware\Api\Application\AuthenticateApplicationUser;
|
use Pterodactyl\Http\Middleware\Api\Application\AuthenticateApplicationUser;
|
||||||
|
|
||||||
class Kernel extends HttpKernel
|
class Kernel extends HttpKernel
|
||||||
|
|
@ -66,7 +66,7 @@ class Kernel extends HttpKernel
|
||||||
],
|
],
|
||||||
'api' => [
|
'api' => [
|
||||||
IsValidJson::class,
|
IsValidJson::class,
|
||||||
EnsureFrontendRequestsAreStateful::class,
|
EnsureStatefulRequests::class,
|
||||||
'auth:sanctum',
|
'auth:sanctum',
|
||||||
RequireTwoFactorAuthentication::class,
|
RequireTwoFactorAuthentication::class,
|
||||||
AuthenticateIPAccess::class,
|
AuthenticateIPAccess::class,
|
||||||
|
|
|
||||||
57
app/Http/Middleware/EnsureStatefulRequests.php
Normal file
57
app/Http/Middleware/EnsureStatefulRequests.php
Normal file
|
|
@ -0,0 +1,57 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
namespace Pterodactyl\Http\Middleware;
|
||||||
|
|
||||||
|
use Illuminate\Http\Request;
|
||||||
|
use Illuminate\Routing\Pipeline;
|
||||||
|
use Illuminate\Session\Middleware\StartSession;
|
||||||
|
use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
|
||||||
|
use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;
|
||||||
|
|
||||||
|
class EnsureStatefulRequests extends EnsureFrontendRequestsAreStateful
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* {@inheritDoc}
|
||||||
|
*/
|
||||||
|
public function handle($request, $next)
|
||||||
|
{
|
||||||
|
$this->configureSecureCookieSessions();
|
||||||
|
|
||||||
|
return (new Pipeline(app()))
|
||||||
|
->send($request)
|
||||||
|
->through($this->isStateful($request) ? $this->statefulMiddleware() : [])
|
||||||
|
->then(fn ($request) => $next($request));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determines if a request is stateful or not. This is determined using the default
|
||||||
|
* Sanctum "fromFrontend" helper method. However, we also check if the request includes
|
||||||
|
* a cookie value for the Pterodactyl session. If so, we assume this is a stateful
|
||||||
|
* request.
|
||||||
|
*
|
||||||
|
* We don't want to support API usage using the cookies, except for requests stemming
|
||||||
|
* from the front-end we control.
|
||||||
|
*/
|
||||||
|
protected function isStateful(Request $request): bool
|
||||||
|
{
|
||||||
|
return static::fromFrontend($request) || $request->hasCookie(config('session.cookie'));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the middleware to be applied to a stateful request to the API.
|
||||||
|
*/
|
||||||
|
protected function statefulMiddleware(): array
|
||||||
|
{
|
||||||
|
return [
|
||||||
|
function ($request, $next) {
|
||||||
|
$request->attributes->set('sanctum', true);
|
||||||
|
|
||||||
|
return $next($request);
|
||||||
|
},
|
||||||
|
config('sanctum.middleware.encrypt_cookies', EncryptCookies::class),
|
||||||
|
AddQueuedCookiesToResponse::class,
|
||||||
|
StartSession::class,
|
||||||
|
config('sanctum.middleware.verify_csrf_token', VerifyCsrfToken::class),
|
||||||
|
];
|
||||||
|
}
|
||||||
|
}
|
||||||
Loading…
Reference in a new issue