diff --git a/app/Http/Middleware/APISecretToken.php b/app/Http/Middleware/APISecretToken.php index 7678a1e89..0ac1fe2db 100644 --- a/app/Http/Middleware/APISecretToken.php +++ b/app/Http/Middleware/APISecretToken.php @@ -2,6 +2,8 @@ namespace Pterodactyl\Http\Middleware; +use Crypt; + use Pterodactyl\Models\APIKey; use Pterodactyl\Models\APIPermission; @@ -12,6 +14,7 @@ use Dingo\Api\Auth\Provider\Authorization; use Symfony\Component\HttpKernel\Exception\BadRequestHttpException; // 400 use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException; // 401 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; // 403 +use Symfony\Component\HttpKernel\Exception\HttpException; //500 class APISecretToken extends Authorization { @@ -63,7 +66,13 @@ class APISecretToken extends Authorization } } - if($this->_generateHMAC($request->fullUrl(), $request->getContent(), $key->secret) !== base64_decode($hashed)) { + try { + $decrypted = Crypt::decrypt($key->secret); + } catch (\Illuminate\Contracts\Encryption\DecryptException $ex) { + throw new HttpException('There was an error while attempting to check your secret key.'); + } + + if($this->_generateHMAC($request->fullUrl(), $request->getContent(), $decrypted) !== base64_decode($hashed)) { throw new BadRequestHttpException('The hashed body was not valid. Potential modification of contents in route.'); } diff --git a/app/Repositories/APIRepository.php b/app/Repositories/APIRepository.php index 92dd876e8..b66cc1a3c 100644 --- a/app/Repositories/APIRepository.php +++ b/app/Repositories/APIRepository.php @@ -3,6 +3,7 @@ namespace Pterodactyl\Repositories; use DB; +use Crypt; use Validator; use IPTools\Network; @@ -100,10 +101,11 @@ class APIRepository DB::beginTransaction(); + $secretKey = str_random(16) . '.' . str_random(15); $key = new Models\APIKey; $key->fill([ 'public' => str_random(16), - 'secret' => str_random(16) . '.' . str_random(15), + 'secret' => Crypt::encrypt($secretKey), 'allowed_ips' => empty($this->allowed) ? null : json_encode($this->allowed) ]); $key->save(); @@ -121,7 +123,7 @@ class APIRepository try { DB::commit(); - return $key->secret; + return $secretKey; } catch (\Exception $ex) { throw $ex; } diff --git a/database/migrations/2016_01_17_005834_modify_api_keys.php b/database/migrations/2016_01_17_005834_modify_api_keys.php new file mode 100644 index 000000000..e1e391940 --- /dev/null +++ b/database/migrations/2016_01_17_005834_modify_api_keys.php @@ -0,0 +1,31 @@ +