Mark a request as being stateful if a cookie for the session is provided at all

This accounts for poorly configured API clients that try to use cookies for authentication purposes. Treat everything with a session cookie as being a stateful request from the front-end.
This commit is contained in:
DaneEveritt 2022-05-22 16:50:36 -04:00
parent 33bafe9277
commit 0fa33e0438
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
3 changed files with 61 additions and 4 deletions

View file

@ -179,9 +179,9 @@ class Handler extends ExceptionHandler
)), )),
]; ];
$converted = self::convertToArray($exception)['errors'][0]; $converted = $this->convertExceptionToArray($exception)['errors'][0];
$converted['detail'] = $error; $converted['detail'] = $error;
$converted['meta'] = is_array($converted['meta'] ?? null) ? array_merge($converted['meta'], $meta) : $meta; $converted['meta'] = array_merge($converted['meta'] ?? [], $meta);
$response[] = $converted; $response[] = $converted;
} }

View file

@ -19,6 +19,7 @@ use Illuminate\Routing\Middleware\SubstituteBindings;
use Illuminate\Session\Middleware\AuthenticateSession; use Illuminate\Session\Middleware\AuthenticateSession;
use Illuminate\View\Middleware\ShareErrorsFromSession; use Illuminate\View\Middleware\ShareErrorsFromSession;
use Pterodactyl\Http\Middleware\MaintenanceMiddleware; use Pterodactyl\Http\Middleware\MaintenanceMiddleware;
use Pterodactyl\Http\Middleware\EnsureStatefulRequests;
use Pterodactyl\Http\Middleware\RedirectIfAuthenticated; use Pterodactyl\Http\Middleware\RedirectIfAuthenticated;
use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth; use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth;
use Pterodactyl\Http\Middleware\Api\AuthenticateIPAccess; use Pterodactyl\Http\Middleware\Api\AuthenticateIPAccess;
@ -29,7 +30,6 @@ use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode; use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode;
use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull; use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull;
use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientBindings; use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientBindings;
use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;
use Pterodactyl\Http\Middleware\Api\Application\AuthenticateApplicationUser; use Pterodactyl\Http\Middleware\Api\Application\AuthenticateApplicationUser;
class Kernel extends HttpKernel class Kernel extends HttpKernel
@ -66,7 +66,7 @@ class Kernel extends HttpKernel
], ],
'api' => [ 'api' => [
IsValidJson::class, IsValidJson::class,
EnsureFrontendRequestsAreStateful::class, EnsureStatefulRequests::class,
'auth:sanctum', 'auth:sanctum',
RequireTwoFactorAuthentication::class, RequireTwoFactorAuthentication::class,
AuthenticateIPAccess::class, AuthenticateIPAccess::class,

View file

@ -0,0 +1,57 @@
<?php
namespace Pterodactyl\Http\Middleware;
use Illuminate\Http\Request;
use Illuminate\Routing\Pipeline;
use Illuminate\Session\Middleware\StartSession;
use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;
class EnsureStatefulRequests extends EnsureFrontendRequestsAreStateful
{
/**
* {@inheritDoc}
*/
public function handle($request, $next)
{
$this->configureSecureCookieSessions();
return (new Pipeline(app()))
->send($request)
->through($this->isStateful($request) ? $this->statefulMiddleware() : [])
->then(fn ($request) => $next($request));
}
/**
* Determines if a request is stateful or not. This is determined using the default
* Sanctum "fromFrontend" helper method. However, we also check if the request includes
* a cookie value for the Pterodactyl session. If so, we assume this is a stateful
* request.
*
* We don't want to support API usage using the cookies, except for requests stemming
* from the front-end we control.
*/
protected function isStateful(Request $request): bool
{
return static::fromFrontend($request) || $request->hasCookie(config('session.cookie'));
}
/**
* Returns the middleware to be applied to a stateful request to the API.
*/
protected function statefulMiddleware(): array
{
return [
function ($request, $next) {
$request->attributes->set('sanctum', true);
return $next($request);
},
config('sanctum.middleware.encrypt_cookies', EncryptCookies::class),
AddQueuedCookiesToResponse::class,
StartSession::class,
config('sanctum.middleware.verify_csrf_token', VerifyCsrfToken::class),
];
}
}