From 45999ba4ee1b2dcb12b4a2fa2cedfb6b5d66fac2 Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Sat, 23 Oct 2021 13:00:21 -0700
Subject: [PATCH] (security) use POST for logout rather than GET

see https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6
---
 SECURITY.md | 2 +-
 .../scripts/components/NavigationBar.tsx | 19 ++++++++++++++++---
 routes/auth.php | 2 +-
 3 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index a00178658..171a0cb13 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -11,7 +11,7 @@ The following versions of Pterodactyl are receiving active support and maintenan
 
 ## Reporting a Vulnerability
 
-Please reach out directly to any project team member on Discord when reporting a security vulnerability, or you can send an email to `dane [ät] pterodactyl.io`.
+Please reach out directly to any project team member on Discord when reporting a security vulnerability, or you can send an email to `dane@pterodactyl.io`.
 We make every effort to respond as soon as possible, although it may take a day or two for us to sync internally and determine the severity of the report and its impact.
 
 Please, _do not_ use a public facing channel or GitHub issues to report sensitive security issues.
diff --git a/resources/scripts/components/NavigationBar.tsx b/resources/scripts/components/NavigationBar.tsx
index 64845591a..9500d215d 100644
--- a/resources/scripts/components/NavigationBar.tsx
+++ b/resources/scripts/components/NavigationBar.tsx
@@ -7,6 +7,9 @@ import { ApplicationStore } from '@/state';
 import SearchContainer from '@/components/dashboard/search/SearchContainer';
 import tw, { theme } from 'twin.macro';
 import styled from 'styled-components/macro';
+import http from '@/api/http';
+import SpinnerOverlay from '@/components/elements/SpinnerOverlay';
+import { useState } from 'react';
 
 const Navigation = styled.div`
     ${tw`w-full bg-neutral-900 shadow-md overflow-x-auto`};
@@ -27,7 +30,7 @@ const Navigation = styled.div`
 const RightNavigation = styled.div`
     ${tw`flex h-full items-center justify-center`};
 
-    & > a, & > .navigation-link {
+    & > a, & > button, & > .navigation-link {
         ${tw`flex items-center h-full no-underline text-neutral-300 px-6 cursor-pointer transition-all duration-150`};
 
         &:active, &:hover {
@@ -43,9 +46,19 @@ const RightNavigation = styled.div`
 export default () => {
     const name = useStoreState((state: ApplicationStore) => state.settings.data!.name);
     const rootAdmin = useStoreState((state: ApplicationStore) => state.user.data!.rootAdmin);
+    const [ isLoggingOut, setIsLoggingOut ] = useState(false);
+
+    const onTriggerLogout = () => {
+        setIsLoggingOut(true);
+        http.post('/auth/logout').finally(() => {
+            // @ts-ignore
+            window.location = '/';
+        });
+    };
 
     return (
+
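Review bot: `onTriggerLogout` performs the redirect from a `.finally()` callback, so a rejected POST (for example a 419 from the new CSRF check once the token has gone stale, or a network failure) still sends the browser to `/` while the server-side session may remain valid, and nothing in the hunk resets `isLoggingOut` or reports the failure. Handle the rejection explicitly so a logout that did not happen is visible to the user: `http.post('/auth/logout').then(() => window.location.assign('/')).catch(error => { setIsLoggingOut(false); console.error(error); });`. Using `window.location.assign('/')` also removes the need for the `// @ts-ignore` that currently hides the `window.location = '/'` type error. The JSX that wires this handler to a button, and the rest of the component body, lies outside the visible part of this hunk.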
@@ -65,9 +78,9 @@ export default () => { } - +
diff --git a/routes/auth.php b/routes/auth.php
index 2e9a01eaf..0acd9fded 100644
--- a/routes/auth.php
+++ b/routes/auth.php
@@ -48,4 +48,4 @@ Route::group(['middleware' => 'guest'], function () {
 | Endpoint: /auth
 |
 */
-Route::get('/logout', 'LoginController@logout')->name('auth.logout')->middleware('auth');
+Route::post('/logout', 'LoginController@logout')->name('auth.logout')->middleware('auth', 'csrf');
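Review bot: The new `Route::post(...)` line carries no in-code rationale for the method change, so the next maintainer may see it as an arbitrary choice; add a comment above it such as `// Logout must be a CSRF-protected POST so that a cross-site GET request cannot end a user's session (see GHSA-m49f-hcxp-6hm6).` The `csrf` alias passed to `->middleware('auth', 'csrf')` has to map to the CSRF-verification middleware in the HTTP kernel's route-middleware aliases for the check to apply; that mapping is not part of this patch, so it is worth confirming rather than assuming. The `LoginController@logout` handler that should also invalidate the session is outside the hunk.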