Improve client API route model binding and prevent accidental route access without valid model binds

Dane Everitt 2021-08-04 22:20:43 -07:00
parent e1089e0b73
commit 4d1a7e6637
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
4 changed files with 119 additions and 39 deletions


@ -21,6 +21,7 @@ use Illuminate\View\Middleware\ShareErrorsFromSession;
use Pterodactyl\Http\Middleware\MaintenanceMiddleware;
use Pterodactyl\Http\Middleware\RedirectIfAuthenticated;
use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth;
use Pterodactyl\Http\Middleware\Api\PreventUnboundModels;
use Pterodactyl\Http\Middleware\Api\ApiSubstituteBindings;
use Illuminate\Foundation\Http\Middleware\ValidatePostSize;
use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
@ -76,6 +77,7 @@ class Kernel extends HttpKernel
EnsureFrontendRequestsAreStateful::class,
'auth:sanctum',
SubstituteClientApiBindings::class,
PreventUnboundModels::class,
// This is perhaps a little backwards with the Client API, but logically you'd be unable
// to create/get an API key without first enabling 2FA on the account, so I suppose in the
// end it makes sense.
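Review bot: The `PreventUnboundModels::class` entry added in the second hunk depends on its position after `SubstituteClientApiBindings::class` and `'auth:sanctum'`, but nothing in the list records that ordering requirement. The middleware body is not visible here, so judging by its name and the commit title it presumably rejects requests whose route parameters were never resolved to a model; if so, moving it above the bindings middleware would either block every request or silently skip the check. I would add a comment directly above the entry, for example `// Must stay after SubstituteClientApiBindings: rejects routes whose parameters were not resolved to a model.` The first hunk also imports `ApiSubstituteBindings`, so it is worth confirming whether the middleware group that uses it needs the same guard, since only this list is visibly given one. The array continues outside the hunk.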