encrypt API keys

This commit is contained in:
Dane Everitt 2016-01-16 20:11:31 -05:00
parent 3e595ca856
commit 317698a84a
3 changed files with 45 additions and 3 deletions


@ -2,6 +2,8 @@
namespace Pterodactyl\Http\Middleware; namespace Pterodactyl\Http\Middleware;
use Crypt;
use Pterodactyl\Models\APIKey; use Pterodactyl\Models\APIKey;
use Pterodactyl\Models\APIPermission; use Pterodactyl\Models\APIPermission;
@ -12,6 +14,7 @@ use Dingo\Api\Auth\Provider\Authorization;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException; // 400 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException; // 400
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException; // 401 use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException; // 401
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; // 403 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; // 403
use Symfony\Component\HttpKernel\Exception\HttpException; //500
class APISecretToken extends Authorization class APISecretToken extends Authorization
{ {
@ -63,7 +66,13 @@ class APISecretToken extends Authorization
} }
} }
if($this->_generateHMAC($request->fullUrl(), $request->getContent(), $key->secret) !== base64_decode($hashed)) { try {
$decrypted = Crypt::decrypt($key->secret);
} catch (\Illuminate\Contracts\Encryption\DecryptException $ex) {
throw new HttpException('There was an error while attempting to check your secret key.');
}
if($this->_generateHMAC($request->fullUrl(), $request->getContent(), $decrypted) !== base64_decode($hashed)) {
throw new BadRequestHttpException('The hashed body was not valid. Potential modification of contents in route.'); throw new BadRequestHttpException('The hashed body was not valid. Potential modification of contents in route.');
} }
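Review bot: The new catch branch passes the message string as the first argument of `HttpException`, but Symfony's `HttpException` takes the integer status code first and the message second, so the status and text of the 500 response come out wrong; it should read `throw new HttpException(500, 'There was an error while attempting to check your secret key.', $ex);`, which also preserves the `DecryptException` as the previous exception. The comparison on the following line still uses `!==` on the two HMAC byte strings, which is not constant-time; `if (!hash_equals($this->_generateHMAC($request->fullUrl(), $request->getContent(), $decrypted), base64_decode($hashed))) {` removes the timing side channel with no other change in behaviour. The enclosing method starts and ends outside the hunk.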


@ -3,6 +3,7 @@
namespace Pterodactyl\Repositories; namespace Pterodactyl\Repositories;
use DB; use DB;
use Crypt;
use Validator; use Validator;
use IPTools\Network; use IPTools\Network;
@ -100,10 +101,11 @@ class APIRepository
DB::beginTransaction(); DB::beginTransaction();
$secretKey = str_random(16) . '.' . str_random(15);
$key = new Models\APIKey; $key = new Models\APIKey;
$key->fill([ $key->fill([
'public' => str_random(16), 'public' => str_random(16),
'secret' => str_random(16) . '.' . str_random(15), 'secret' => Crypt::encrypt($secretKey),
'allowed_ips' => empty($this->allowed) ? null : json_encode($this->allowed) 'allowed_ips' => empty($this->allowed) ? null : json_encode($this->allowed)
]); ]);
$key->save(); $key->save();
@ -121,7 +123,7 @@ class APIRepository
try { try {
DB::commit(); DB::commit();
return $key->secret; return $secretKey;
} catch (\Exception $ex) { } catch (\Exception $ex) {
throw $ex; throw $ex;
} }
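Review bot: The new `$secretKey` local is handed back in plaintext by `return $secretKey;` while only `Crypt::encrypt($secretKey)` is persisted, and nothing in either hunk records that contract; a comment above the `$secretKey = str_random(16) ...` line, such as `// Plaintext secret exists only here: the caller shows it once and must not store or log it.`, would make it explicit. It is also worth a note next to the `Crypt::encrypt` call that the stored value can only be decrypted with the application's encryption key (Laravel's `app.key`), so rotating that key makes every existing API secret unverifiable by the middleware. The enclosing method starts before the first hunk and ends after the last one.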


@ -0,0 +1,31 @@
<?php
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Database\Migrations\Migration;
class ModifyApiKeys extends Migration
{
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
Schema::table('api_keys', function (Blueprint $table) {
DB::statement('ALTER TABLE `api_keys` MODIFY `secret` TINYTEXT NOT NULL');
});
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
Schema::table('api_keys', function (Blueprint $table) {
DB::statement('ALTER TABLE `api_keys` MODIFY `secret` TINYTEXT NOT NULL');
});
}
}
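Review bot: `down()` issues exactly the same `ALTER TABLE ... MODIFY ... TINYTEXT NOT NULL` statement as `up()`, so rolling the migration back leaves the column as TINYTEXT instead of restoring it; the `down()` statement should put `secret` back to the column definition the table had before this commit (not shown here), i.e. replace `TINYTEXT` in that one line with the prior type. The raw `DB::statement` inside the `Schema::table` closure also leaves the `$table` Blueprint unused and is MySQL-specific syntax, which deserves a one-line comment such as `// Raw ALTER (MySQL-only): widen secret so the encrypted payload fits.` so a later maintainer knows the closure is intentional rather than a leftover.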