Merge branch 'dane/sanctum' into v2

This commit is contained in:
Dane Everitt 2021-08-07 16:19:19 -07:00
commit 874e7afce3
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
253 changed files with 1480 additions and 3543 deletions

5
.gitignore vendored
View file

@ -46,7 +46,7 @@ yarn-error.log
# PHP
/vendor
.php_cs.cache
.php-cs-fixer.cache
.phpunit.result.cache
_ide_helper.php
_ide_helper_models.php
@ -80,3 +80,6 @@ _ide_helper_models.php
!.env.example
.env*
*.log
_ide_helper_models.php
_ide_helper.php
.phpstorm.meta.php

View file

@ -21,7 +21,7 @@ return (new Config())
'no_unreachable_default_argument_value' => true,
'no_useless_return' => true,
'ordered_imports' => [
'sortAlgorithm' => 'length',
'sort_algorithm' => 'length',
],
'phpdoc_align' => [
'align' => 'left',

View file

@ -1,13 +0,0 @@
<?php
namespace Pterodactyl\Contracts\Http;
interface ClientPermissionsRequest
{
/**
* Returns the permissions string indicating which permission should be used to
* validate that the authenticated user has permission to perform this action aganist
* the given resource (server).
*/
public function permission(): string;
}

View file

@ -1,29 +0,0 @@
<?php
namespace Pterodactyl\Contracts\Repository;
use Pterodactyl\Models\User;
use Illuminate\Support\Collection;
interface ApiKeyRepositoryInterface extends RepositoryInterface
{
/**
* Get all of the account API keys that exist for a specific user.
*/
public function getAccountKeys(User $user): Collection;
/**
* Get all of the application API keys that exist for a specific user.
*/
public function getApplicationKeys(User $user): Collection;
/**
* Delete an account API key from the panel for a specific user.
*/
public function deleteAccountKey(User $user, string $identifier): int;
/**
* Delete an application API key from the panel for a specific user.
*/
public function deleteApplicationKey(User $user, string $identifier): int;
}

View file

@ -7,6 +7,7 @@ use Throwable;
use PDOException;
use Illuminate\Support\Arr;
use Illuminate\Support\Str;
use Illuminate\Http\Response;
use Swift_TransportException;
use Illuminate\Http\JsonResponse;
use Illuminate\Support\Collection;
@ -59,6 +60,16 @@ class Handler extends ExceptionHandler
'password_confirmation',
];
/**
* Maps specific internal exceptions to a valid HTTP status code.
*
* @var array
*/
protected static $statusCodeMap = [
AuthenticationException::class => Response::HTTP_UNAUTHORIZED,
ValidationException::class => Response::HTTP_UNPROCESSABLE_ENTITY,
];
/**
* Registers the exception handling callbacks for the application. This
* will capture specific exception types that we do not want to include
@ -191,7 +202,7 @@ class Handler extends ExceptionHandler
'code' => class_basename($exception),
'status' => method_exists($exception, 'getStatusCode')
? strval($exception->getStatusCode())
: ($exception instanceof ValidationException ? '422' : '500'),
: strval(self::$statusCodeMap[get_class($exception)] ?? 500),
'detail' => $exception instanceof HttpExceptionInterface
? $exception->getMessage()
: 'An unexpected error was encountered while processing this request, please try again.',
@ -212,6 +223,7 @@ class Handler extends ExceptionHandler
'file' => str_replace(Application::getInstance()->basePath(), '', $exception->getFile()),
],
'meta' => [
'class' => get_class($exception),
'trace' => explode("\n", $exception->getTraceAsString()),
],
]);

View file

@ -1,9 +0,0 @@
<?php
namespace Pterodactyl\Exceptions\Transformer;
use Pterodactyl\Exceptions\PterodactylException;
class InvalidTransformerLevelException extends PterodactylException
{
}

View file

@ -0,0 +1,23 @@
<?php
namespace Pterodactyl\Extensions\Laravel\Sanctum;
use Pterodactyl\Models\PersonalAccessToken;
use Laravel\Sanctum\NewAccessToken as SanctumAccessToken;
/**
* @property \Pterodactyl\Models\PersonalAccessToken $accessToken
*/
class NewAccessToken extends SanctumAccessToken
{
/**
* NewAccessToken constructor.
*
* @noinspection PhpMissingParentConstructorInspection
*/
public function __construct(PersonalAccessToken $accessToken, string $plainTextToken)
{
$this->accessToken = $accessToken;
$this->plainTextToken = $plainTextToken;
}
}

View file

@ -2,8 +2,8 @@
namespace Pterodactyl\Extensions\Spatie\Fractalistic;
use League\Fractal\TransformerAbstract;
use Spatie\Fractal\Fractal as SpatieFractal;
use Pterodactyl\Transformers\Api\Transformer;
use Illuminate\Contracts\Pagination\LengthAwarePaginator;
use League\Fractal\Pagination\IlluminatePaginatorAdapter;
use Pterodactyl\Extensions\League\Fractal\Serializers\PterodactylSerializer;
@ -33,12 +33,9 @@ class Fractal extends SpatieFractal
// If the resource name is not set attempt to pull it off the transformer
// itself and set it automatically.
if (
is_null($this->resourceName)
&& $this->transformer instanceof TransformerAbstract
&& method_exists($this->transformer, 'getResourceName')
) {
$this->resourceName = $this->transformer->getResourceName();
$class = is_string($this->transformer) ? new $this->transformer() : $this->transformer;
if (is_null($this->resourceName) && $class instanceof Transformer) {
$this->resourceName = $class->getResourceName();
}
return parent::createData();

View file

@ -9,8 +9,6 @@ class BaseController extends Controller
{
/**
* Return the admin index view.
*
* @return \Illuminate\View\View
*/
public function index(): View
{

View file

@ -3,17 +3,16 @@
namespace Pterodactyl\Http\Controllers\Api\Application;
use Illuminate\Http\Request;
use Webmozart\Assert\Assert;
use Illuminate\Http\Response;
use Illuminate\Support\Collection;
use Illuminate\Container\Container;
use Pterodactyl\Http\Controllers\Controller;
use Pterodactyl\Extensions\Spatie\Fractalistic\Fractal;
use Pterodactyl\Transformers\Api\Application\BaseTransformer;
abstract class ApplicationApiController extends Controller
{
protected Request $request;
protected Fractal $fractal;
/**
@ -45,25 +44,6 @@ abstract class ApplicationApiController extends Controller
$this->request = $request;
}
/**
* Return an instance of an application transformer.
*
* @return \Pterodactyl\Transformers\Api\Application\BaseTransformer
*
* @throws \Illuminate\Contracts\Container\BindingResolutionException
*/
public function getTransformer(string $abstract)
{
/** @var \Pterodactyl\Transformers\Api\Application\BaseTransformer $transformer */
$transformer = Container::getInstance()->make($abstract);
$transformer->setRootAdmin($this->request->user()->root_admin);
$transformer->setKey($this->request->attributes->get('api_key'));
Assert::isInstanceOf($transformer, BaseTransformer::class);
return $transformer;
}
/**
* Return a HTTP/201 response for the API.
*/

View file

@ -51,7 +51,7 @@ class DatabaseController extends ApplicationApiController
->paginate($perPage);
return $this->fractal->collection($databases)
->transformWith($this->getTransformer(DatabaseHostTransformer::class))
->transformWith(DatabaseHostTransformer::class)
->toArray();
}
@ -63,7 +63,7 @@ class DatabaseController extends ApplicationApiController
public function view(GetDatabaseRequest $request, DatabaseHost $databaseHost): array
{
return $this->fractal->item($databaseHost)
->transformWith($this->getTransformer(DatabaseHostTransformer::class))
->transformWith(DatabaseHostTransformer::class)
->toArray();
}
@ -77,7 +77,7 @@ class DatabaseController extends ApplicationApiController
$databaseHost = $this->creationService->handle($request->validated());
return $this->fractal->item($databaseHost)
->transformWith($this->getTransformer(DatabaseHostTransformer::class))
->transformWith(DatabaseHostTransformer::class)
->respond(JsonResponse::HTTP_CREATED);
}
@ -91,7 +91,7 @@ class DatabaseController extends ApplicationApiController
$databaseHost = $this->updateService->handle($databaseHost->id, $request->validated());
return $this->fractal->item($databaseHost)
->transformWith($this->getTransformer(DatabaseHostTransformer::class))
->transformWith(DatabaseHostTransformer::class)
->toArray();
}

View file

@ -52,7 +52,7 @@ class EggController extends ApplicationApiController
}
return $this->fractal->collection($eggs)
->transformWith($this->getTransformer(EggTransformer::class))
->transformWith(EggTransformer::class)
->toArray();
}
@ -64,7 +64,7 @@ class EggController extends ApplicationApiController
public function view(GetEggRequest $request, Egg $egg): array
{
return $this->fractal->item($egg)
->transformWith($this->getTransformer(EggTransformer::class))
->transformWith(EggTransformer::class)
->toArray();
}
@ -78,7 +78,7 @@ class EggController extends ApplicationApiController
$egg = Egg::query()->create($request->validated());
return $this->fractal->item($egg)
->transformWith($this->getTransformer(EggTransformer::class))
->transformWith(EggTransformer::class)
->respond(JsonResponse::HTTP_CREATED);
}
@ -92,7 +92,7 @@ class EggController extends ApplicationApiController
$egg->update($request->validated());
return $this->fractal->item($egg)
->transformWith($this->getTransformer(EggTransformer::class))
->transformWith(EggTransformer::class)
->toArray();
}

View file

@ -57,7 +57,7 @@ class LocationController extends ApplicationApiController
->paginate($perPage);
return $this->fractal->collection($locations)
->transformWith($this->getTransformer(LocationTransformer::class))
->transformWith(LocationTransformer::class)
->toArray();
}
@ -69,7 +69,7 @@ class LocationController extends ApplicationApiController
public function view(GetLocationRequest $request, Location $location): array
{
return $this->fractal->item($location)
->transformWith($this->getTransformer(LocationTransformer::class))
->transformWith(LocationTransformer::class)
->toArray();
}
@ -85,7 +85,7 @@ class LocationController extends ApplicationApiController
$location = $this->creationService->handle($request->validated());
return $this->fractal->item($location)
->transformWith($this->getTransformer(LocationTransformer::class))
->transformWith(LocationTransformer::class)
->addMeta([
'resource' => route('api.application.locations.view', [
'location' => $location->id,
@ -106,7 +106,7 @@ class LocationController extends ApplicationApiController
$location = $this->updateService->handle($location, $request->validated());
return $this->fractal->item($location)
->transformWith($this->getTransformer(LocationTransformer::class))
->transformWith(LocationTransformer::class)
->toArray();
}

View file

@ -2,8 +2,8 @@
namespace Pterodactyl\Http\Controllers\Api\Application\Mounts;
use Pterodactyl\Models\Mount;
use Illuminate\Http\Response;
use Pterodactyl\Models\Mount;
use Illuminate\Http\JsonResponse;
use Spatie\QueryBuilder\QueryBuilder;
use Pterodactyl\Transformers\Api\Application\MountTransformer;
@ -45,7 +45,7 @@ class MountController extends ApplicationApiController
->paginate($perPage);
return $this->fractal->collection($mounts)
->transformWith($this->getTransformer(MountTransformer::class))
->transformWith(MountTransformer::class)
->toArray();
}
@ -57,7 +57,7 @@ class MountController extends ApplicationApiController
public function view(GetMountRequest $request, Mount $mount): array
{
return $this->fractal->item($mount)
->transformWith($this->getTransformer(MountTransformer::class))
->transformWith(MountTransformer::class)
->toArray();
}
@ -71,7 +71,7 @@ class MountController extends ApplicationApiController
$mount = Mount::query()->create($request->validated());
return $this->fractal->item($mount)
->transformWith($this->getTransformer(MountTransformer::class))
->transformWith(MountTransformer::class)
->respond(JsonResponse::HTTP_CREATED);
}
@ -85,7 +85,7 @@ class MountController extends ApplicationApiController
$mount->update($request->validated());
return $this->fractal->item($mount)
->transformWith($this->getTransformer(MountTransformer::class))
->transformWith(MountTransformer::class)
->toArray();
}
@ -116,7 +116,7 @@ class MountController extends ApplicationApiController
}
return $this->fractal->item($mount)
->transformWith($this->getTransformer(MountTransformer::class))
->transformWith(MountTransformer::class)
->toArray();
}
@ -135,7 +135,7 @@ class MountController extends ApplicationApiController
}
return $this->fractal->item($mount)
->transformWith($this->getTransformer(MountTransformer::class))
->transformWith(MountTransformer::class)
->toArray();
}
@ -154,7 +154,7 @@ class MountController extends ApplicationApiController
}
return $this->fractal->item($mount)
->transformWith($this->getTransformer(MountTransformer::class))
->transformWith(MountTransformer::class)
->toArray();
}
@ -173,7 +173,7 @@ class MountController extends ApplicationApiController
}
return $this->fractal->item($mount)
->transformWith($this->getTransformer(MountTransformer::class))
->transformWith(MountTransformer::class)
->toArray();
}
}

View file

@ -63,7 +63,7 @@ class NestController extends ApplicationApiController
}
return $this->fractal->collection($nests)
->transformWith($this->getTransformer(NestTransformer::class))
->transformWith(NestTransformer::class)
->toArray();
}
@ -75,7 +75,7 @@ class NestController extends ApplicationApiController
public function view(GetNestRequest $request, Nest $nest): array
{
return $this->fractal->item($nest)
->transformWith($this->getTransformer(NestTransformer::class))
->transformWith(NestTransformer::class)
->toArray();
}
@ -90,7 +90,7 @@ class NestController extends ApplicationApiController
$nest = $this->nestCreationService->handle($request->validated());
return $this->fractal->item($nest)
->transformWith($this->getTransformer(NestTransformer::class))
->transformWith(NestTransformer::class)
->toArray();
}
@ -106,7 +106,7 @@ class NestController extends ApplicationApiController
$this->nestUpdateService->handle($nest->id, $request->validated());
return $this->fractal->item($nest)
->transformWith($this->getTransformer(NestTransformer::class))
->transformWith(NestTransformer::class)
->toArray();
}

View file

@ -47,7 +47,7 @@ class AllocationController extends ApplicationApiController
$allocations = $node->allocations()->paginate($perPage);
return $this->fractal->collection($allocations)
->transformWith($this->getTransformer(AllocationTransformer::class))
->transformWith(AllocationTransformer::class)
->toArray();
}

View file

@ -61,7 +61,7 @@ class NodeController extends ApplicationApiController
->paginate($perPage);
return $this->fractal->collection($nodes)
->transformWith($this->getTransformer(NodeTransformer::class))
->transformWith(NodeTransformer::class)
->toArray();
}
@ -73,7 +73,7 @@ class NodeController extends ApplicationApiController
public function view(GetNodeRequest $request, Node $node): array
{
return $this->fractal->item($node)
->transformWith($this->getTransformer(NodeTransformer::class))
->transformWith(NodeTransformer::class)
->toArray();
}
@ -89,7 +89,7 @@ class NodeController extends ApplicationApiController
$node = $this->creationService->handle($request->validated());
return $this->fractal->item($node)
->transformWith($this->getTransformer(NodeTransformer::class))
->transformWith(NodeTransformer::class)
->addMeta([
'resource' => route('api.application.nodes.view', [
'node' => $node->id,
@ -112,7 +112,7 @@ class NodeController extends ApplicationApiController
);
return $this->fractal->item($node)
->transformWith($this->getTransformer(NodeTransformer::class))
->transformWith(NodeTransformer::class)
->toArray();
}

View file

@ -38,7 +38,7 @@ class NodeDeploymentController extends ApplicationApiController
->handle($request->query('per_page'), $request->query('page'));
return $this->fractal->collection($nodes)
->transformWith($this->getTransformer(NodeTransformer::class))
->transformWith(NodeTransformer::class)
->toArray();
}
}

View file

@ -6,8 +6,8 @@ use Illuminate\Http\Response;
use Illuminate\Http\JsonResponse;
use Pterodactyl\Models\AdminRole;
use Spatie\QueryBuilder\QueryBuilder;
use Pterodactyl\Transformers\Api\Application\AdminRoleTransformer;
use Pterodactyl\Exceptions\Http\QueryValueOutOfRangeHttpException;
use Pterodactyl\Transformers\Api\Application\AdminRoleTransformer;
use Pterodactyl\Http\Requests\Api\Application\Roles\GetRoleRequest;
use Pterodactyl\Http\Requests\Api\Application\Roles\GetRolesRequest;
use Pterodactyl\Http\Requests\Api\Application\Roles\StoreRoleRequest;
@ -43,7 +43,7 @@ class RoleController extends ApplicationApiController
->paginate($perPage);
return $this->fractal->collection($roles)
->transformWith($this->getTransformer(AdminRoleTransformer::class))
->transformWith(AdminRoleTransformer::class)
->toArray();
}
@ -55,7 +55,7 @@ class RoleController extends ApplicationApiController
public function view(GetRoleRequest $request, AdminRole $role): array
{
return $this->fractal->item($role)
->transformWith($this->getTransformer(AdminRoleTransformer::class))
->transformWith(AdminRoleTransformer::class)
->toArray();
}
@ -72,7 +72,7 @@ class RoleController extends ApplicationApiController
$role = AdminRole::query()->create($data);
return $this->fractal->item($role)
->transformWith($this->getTransformer(AdminRoleTransformer::class))
->transformWith(AdminRoleTransformer::class)
->respond(JsonResponse::HTTP_CREATED);
}
@ -86,7 +86,7 @@ class RoleController extends ApplicationApiController
$role->update($request->validated());
return $this->fractal->item($role)
->transformWith($this->getTransformer(AdminRoleTransformer::class))
->transformWith(AdminRoleTransformer::class)
->toArray();
}

View file

@ -46,7 +46,7 @@ class DatabaseController extends ApplicationApiController
public function index(GetServerDatabasesRequest $request, Server $server): array
{
return $this->fractal->collection($server->databases)
->transformWith($this->getTransformer(ServerDatabaseTransformer::class))
->transformWith(ServerDatabaseTransformer::class)
->toArray();
}
@ -58,7 +58,7 @@ class DatabaseController extends ApplicationApiController
public function view(GetServerDatabaseRequest $request, Server $server, Database $database): array
{
return $this->fractal->item($database)
->transformWith($this->getTransformer(ServerDatabaseTransformer::class))
->transformWith(ServerDatabaseTransformer::class)
->toArray();
}
@ -86,7 +86,7 @@ class DatabaseController extends ApplicationApiController
]));
return $this->fractal->item($database)
->transformWith($this->getTransformer(ServerDatabaseTransformer::class))
->transformWith(ServerDatabaseTransformer::class)
->addMeta([
'resource' => route('api.application.servers.databases.view', [
'server' => $server->id,

View file

@ -2,6 +2,7 @@
namespace Pterodactyl\Http\Controllers\Api\Application\Servers;
use Pterodactyl\Models\Server;
use Pterodactyl\Transformers\Api\Application\ServerTransformer;
use Pterodactyl\Http\Controllers\Api\Application\ApplicationApiController;
use Pterodactyl\Http\Requests\Api\Application\Servers\GetExternalServerRequest;
@ -13,10 +14,12 @@ class ExternalServerController extends ApplicationApiController
*
* @throws \Illuminate\Contracts\Container\BindingResolutionException
*/
public function index(GetExternalServerRequest $request): array
public function index(GetExternalServerRequest $request, string $external_id): array
{
return $this->fractal->item($request->getServerModel())
->transformWith($this->getTransformer(ServerTransformer::class))
$server = Server::query()->where('external_id', $external_id)->firstOrFail();
return $this->fractal->item($server)
->transformWith(ServerTransformer::class)
->toArray();
}
}

View file

@ -52,7 +52,7 @@ class ServerController extends ApplicationApiController
->paginate($perPage);
return $this->fractal->collection($servers)
->transformWith($this->getTransformer(ServerTransformer::class))
->transformWith(ServerTransformer::class)
->toArray();
}
@ -71,7 +71,7 @@ class ServerController extends ApplicationApiController
$server = $this->creationService->handle($request->validated(), $request->getDeploymentObject());
return $this->fractal->item($server)
->transformWith($this->getTransformer(ServerTransformer::class))
->transformWith(ServerTransformer::class)
->respond(Response::HTTP_CREATED);
}
@ -83,7 +83,7 @@ class ServerController extends ApplicationApiController
public function view(GetServerRequest $request, Server $server): array
{
return $this->fractal->item($server)
->transformWith($this->getTransformer(ServerTransformer::class))
->transformWith(ServerTransformer::class)
->toArray();
}

View file

@ -41,7 +41,7 @@ class ServerDetailsController extends ApplicationApiController
);
return $this->fractal->item($server)
->transformWith($this->getTransformer(ServerTransformer::class))
->transformWith(ServerTransformer::class)
->toArray();
}
@ -55,7 +55,7 @@ class ServerDetailsController extends ApplicationApiController
$server = $this->buildModificationService->handle($server, $request->validated());
return $this->fractal->item($server)
->transformWith($this->getTransformer(ServerTransformer::class))
->transformWith(ServerTransformer::class)
->toArray();
}
}

View file

@ -35,7 +35,7 @@ class StartupController extends ApplicationApiController
->handle($server, $request->validated());
return $this->fractal->item($server)
->transformWith($this->getTransformer(ServerTransformer::class))
->transformWith(ServerTransformer::class)
->toArray();
}
}

View file

@ -2,6 +2,7 @@
namespace Pterodactyl\Http\Controllers\Api\Application\Users;
use Pterodactyl\Models\User;
use Pterodactyl\Transformers\Api\Application\UserTransformer;
use Pterodactyl\Http\Controllers\Api\Application\ApplicationApiController;
use Pterodactyl\Http\Requests\Api\Application\Users\GetExternalUserRequest;
@ -13,10 +14,12 @@ class ExternalUserController extends ApplicationApiController
*
* @throws \Illuminate\Contracts\Container\BindingResolutionException
*/
public function index(GetExternalUserRequest $request): array
public function index(GetExternalUserRequest $request, string $external_id): array
{
return $this->fractal->item($request->getUserModel())
->transformWith($this->getTransformer(UserTransformer::class))
$user = User::query()->where('external_id', $external_id)->firstOrFail();
return $this->fractal->item($user)
->transformWith(UserTransformer::class)
->toArray();
}
}

View file

@ -63,7 +63,7 @@ class UserController extends ApplicationApiController
->paginate($perPage);
return $this->fractal->collection($users)
->transformWith($this->getTransformer(UserTransformer::class))
->transformWith(UserTransformer::class)
->toArray();
}
@ -76,7 +76,7 @@ class UserController extends ApplicationApiController
public function view(GetUserRequest $request, User $user): array
{
return $this->fractal->item($user)
->transformWith($this->getTransformer(UserTransformer::class))
->transformWith(UserTransformer::class)
->toArray();
}
@ -98,7 +98,7 @@ class UserController extends ApplicationApiController
$user = $this->updateService->handle($user, $request->validated());
return $this->fractal->item($user)
->transformWith($this->getTransformer(UserTransformer::class))
->transformWith(UserTransformer::class)
->toArray();
}
@ -114,7 +114,7 @@ class UserController extends ApplicationApiController
$user = $this->creationService->handle($request->validated());
return $this->fractal->item($user)
->transformWith($this->getTransformer(UserTransformer::class))
->transformWith(UserTransformer::class)
->addMeta([
'resource' => route('api.application.users.view', [
'user' => $user->id,

View file

@ -34,7 +34,7 @@ class AccountController extends ClientApiController
public function index(Request $request): array
{
return $this->fractal->item($request->user())
->transformWith($this->getTransformer(AccountTransformer::class))
->transformWith(AccountTransformer::class)
->toArray();
}

View file

@ -3,46 +3,22 @@
namespace Pterodactyl\Http\Controllers\Api\Client;
use Illuminate\Http\Response;
use Pterodactyl\Models\ApiKey;
use Pterodactyl\Exceptions\DisplayException;
use Illuminate\Contracts\Encryption\Encrypter;
use Pterodactyl\Services\Api\KeyCreationService;
use Pterodactyl\Repositories\Eloquent\ApiKeyRepository;
use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
use Pterodactyl\Transformers\Api\Client\ApiKeyTransformer;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Pterodactyl\Http\Requests\Api\Client\AccountApiRequest;
use Pterodactyl\Http\Requests\Api\Client\Account\StoreApiKeyRequest;
use Pterodactyl\Transformers\Api\Client\PersonalAccessTokenTransformer;
class ApiKeyController extends ClientApiController
{
private Encrypter $encrypter;
private ApiKeyRepository $repository;
private KeyCreationService $keyCreationService;
/**
* ApiKeyController constructor.
*/
public function __construct(
Encrypter $encrypter,
ApiKeyRepository $repository,
KeyCreationService $keyCreationService
) {
parent::__construct();
$this->encrypter = $encrypter;
$this->repository = $repository;
$this->keyCreationService = $keyCreationService;
}
/**
* Returns all of the API keys that exist for the given client.
*
* @throws \Illuminate\Contracts\Container\BindingResolutionException
*/
public function index(ClientApiRequest $request): array
public function index(AccountApiRequest $request): array
{
return $this->fractal->collection($request->user()->apiKeys)
->transformWith($this->getTransformer(ApiKeyTransformer::class))
return $this->fractal->collection($request->user()->tokens)
->transformWith(PersonalAccessTokenTransformer::class)
->toArray();
}
@ -50,25 +26,22 @@ class ApiKeyController extends ClientApiController
* Store a new API key for a user's account.
*
* @throws \Pterodactyl\Exceptions\DisplayException
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Illuminate\Contracts\Container\BindingResolutionException
*/
public function store(StoreApiKeyRequest $request): array
{
if ($request->user()->apiKeys->count() >= 5) {
if ($request->user()->tokens->count() >= 10) {
throw new DisplayException('You have reached the account limit for number of API keys.');
}
$key = $this->keyCreationService->setKeyType(ApiKey::TYPE_ACCOUNT)->handle([
'user_id' => $request->user()->id,
'memo' => $request->input('description'),
'allowed_ips' => $request->input('allowed_ips') ?? [],
]);
// TODO: this should accept an array of different scopes to apply as permissions
// for the token. Right now it allows any account level permission.
$token = $request->user()->createToken($request->input('description'));
return $this->fractal->item($key)
->transformWith($this->getTransformer(ApiKeyTransformer::class))
return $this->fractal->item($token->accessToken)
->transformWith(PersonalAccessTokenTransformer::class)
->addMeta([
'secret_token' => $this->encrypter->decrypt($key->token),
'secret_token' => $token->plainTextToken,
])
->toArray();
}
@ -76,17 +49,9 @@ class ApiKeyController extends ClientApiController
/**
* Deletes a given API key.
*/
public function delete(ClientApiRequest $request, string $identifier): Response
public function delete(AccountApiRequest $request, string $id): Response
{
$response = $this->repository->deleteWhere([
'key_type' => ApiKey::TYPE_ACCOUNT,
'user_id' => $request->user()->id,
'identifier' => $identifier,
]);
if (!$response) {
throw new NotFoundHttpException();
}
$request->user()->tokens()->where('token_id', $id)->delete();
return $this->returnNoContent();
}

View file

@ -2,10 +2,7 @@
namespace Pterodactyl\Http\Controllers\Api\Client;
use Webmozart\Assert\Assert;
use Illuminate\Container\Container;
use Pterodactyl\Transformers\Daemon\BaseDaemonTransformer;
use Pterodactyl\Transformers\Api\Client\BaseClientTransformer;
use Pterodactyl\Transformers\Api\Transformer;
use Pterodactyl\Http\Controllers\Api\Application\ApplicationApiController;
abstract class ClientApiController extends ApplicationApiController
@ -15,7 +12,7 @@ abstract class ClientApiController extends ApplicationApiController
*
* @return string[]
*/
protected function getIncludesForTransformer(BaseClientTransformer $transformer, array $merge = []): array
protected function getIncludesForTransformer(Transformer $transformer, array $merge = []): array
{
$filtered = array_filter($this->parseIncludes(), function ($datum) use ($transformer) {
return in_array($datum, $transformer->getAvailableIncludes());
@ -41,28 +38,4 @@ abstract class ClientApiController extends ApplicationApiController
return trim($item);
}, explode(',', $includes));
}
/**
* Return an instance of an application transformer.
*
* @return \Pterodactyl\Transformers\Api\Client\BaseClientTransformer
*
* @throws \Illuminate\Contracts\Container\BindingResolutionException
*/
public function getTransformer(string $abstract)
{
/** @var \Pterodactyl\Transformers\Api\Client\BaseClientTransformer $transformer */
$transformer = Container::getInstance()->make($abstract);
Assert::isInstanceOfAny($transformer, [
BaseClientTransformer::class,
BaseDaemonTransformer::class,
]);
if ($transformer instanceof BaseClientTransformer) {
$transformer->setKey($this->request->attributes->get('api_key'));
$transformer->setUser($this->request->user());
}
return $transformer;
}
}

View file

@ -34,11 +34,10 @@ class ClientController extends ClientApiController
public function index(GetServersRequest $request): array
{
$user = $request->user();
$transformer = $this->getTransformer(ServerTransformer::class);
// Start the query builder and ensure we eager load any requested relationships from the request.
$builder = QueryBuilder::for(
Server::query()->with($this->getIncludesForTransformer($transformer, ['node']))
Server::query()->with($this->getIncludesForTransformer(new ServerTransformer(), ['node']))
)->allowedFilters([
'uuid',
'name',
@ -69,7 +68,7 @@ class ClientController extends ClientApiController
$servers = $builder->paginate(min($request->query('per_page', 50), 100))->appends($request->query());
return $this->fractal->transformWith($transformer)->collection($servers)->toArray();
return $this->fractal->transformWith(new ServerTransformer())->collection($servers)->toArray();
}
/**

View file

@ -20,13 +20,12 @@ class SSHKeyController extends ClientApiController
public function index(Request $request): \Pterodactyl\Extensions\Spatie\Fractalistic\Fractal
{
return $this->fractal->collection(UserSSHKey::query()->where('user_id', '=', $request->user()->id)->get())
->transformWith($this->getTransformer(UserSSHKeyTransformer::class));
->transformWith(UserSSHKeyTransformer::class);
}
/**
* ?
*
* @return JsonResponse
* @throws \Illuminate\Contracts\Container\BindingResolutionException
* @throws \Pterodactyl\Exceptions\DisplayException
*/
@ -42,7 +41,7 @@ class SSHKeyController extends ClientApiController
$key = UserSSHKey::query()->create($data);
return $this->fractal->item($key)
->transformWith($this->getTransformer(UserSSHKeyTransformer::class))
->transformWith(UserSSHKeyTransformer::class)
->respond(JsonResponse::HTTP_CREATED);
}

View file

@ -12,8 +12,8 @@ use Pterodactyl\Models\Permission;
use Illuminate\Auth\Access\AuthorizationException;
use Pterodactyl\Services\Backups\DeleteBackupService;
use Pterodactyl\Services\Backups\DownloadLinkService;
use Pterodactyl\Services\Backups\InitiateBackupService;
use Pterodactyl\Repositories\Eloquent\BackupRepository;
use Pterodactyl\Services\Backups\InitiateBackupService;
use Pterodactyl\Repositories\Wings\DaemonBackupRepository;
use Pterodactyl\Transformers\Api\Client\BackupTransformer;
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
@ -63,7 +63,7 @@ class BackupController extends ClientApiController
$limit = min($request->query('per_page') ?? 20, 50);
return $this->fractal->collection($server->backups()->paginate($limit))
->transformWith($this->getTransformer(BackupTransformer::class))
->transformWith(BackupTransformer::class)
->addMeta([
'backup_count' => $this->repository->getNonFailedBackups($server)->count(),
])
@ -100,7 +100,7 @@ class BackupController extends ClientApiController
});
return $this->fractal->item($backup)
->transformWith($this->getTransformer(BackupTransformer::class))
->transformWith(BackupTransformer::class)
->toArray();
}
@ -126,7 +126,7 @@ class BackupController extends ClientApiController
$backup->refresh();
return $this->fractal->item($backup)
->transformWith($this->getTransformer(BackupTransformer::class))
->transformWith(BackupTransformer::class)
->toArray();
}
@ -142,7 +142,7 @@ class BackupController extends ClientApiController
}
return $this->fractal->item($backup)
->transformWith($this->getTransformer(BackupTransformer::class))
->transformWith(BackupTransformer::class)
->toArray();
}

View file

@ -48,7 +48,7 @@ class DatabaseController extends ClientApiController
public function index(GetDatabasesRequest $request, Server $server): array
{
return $this->fractal->collection($server->databases)
->transformWith($this->getTransformer(DatabaseTransformer::class))
->transformWith(DatabaseTransformer::class)
->toArray();
}
@ -65,7 +65,7 @@ class DatabaseController extends ClientApiController
return $this->fractal->item($database)
->parseIncludes(['password'])
->transformWith($this->getTransformer(DatabaseTransformer::class))
->transformWith(DatabaseTransformer::class)
->toArray();
}
@ -82,7 +82,7 @@ class DatabaseController extends ClientApiController
return $this->fractal->item($database)
->parseIncludes(['password'])
->transformWith($this->getTransformer(DatabaseTransformer::class))
->transformWith(DatabaseTransformer::class)
->toArray();
}

View file

@ -57,7 +57,7 @@ class FileController extends ClientApiController
->getDirectory($request->get('directory') ?? '/');
return $this->fractal->collection($contents)
->transformWith($this->getTransformer(FileObjectTransformer::class))
->transformWith(FileObjectTransformer::class)
->toArray();
}
@ -202,7 +202,7 @@ class FileController extends ClientApiController
});
return $this->fractal->item($file)
->transformWith($this->getTransformer(FileObjectTransformer::class))
->transformWith(FileObjectTransformer::class)
->toArray();
}

View file

@ -47,7 +47,7 @@ class NetworkAllocationController extends ClientApiController
public function index(GetNetworkRequest $request, Server $server): array
{
return $this->fractal->collection($server->allocations)
->transformWith($this->getTransformer(AllocationTransformer::class))
->transformWith(AllocationTransformer::class)
->toArray();
}
@ -65,7 +65,7 @@ class NetworkAllocationController extends ClientApiController
]);
return $this->fractal->item($allocation)
->transformWith($this->getTransformer(AllocationTransformer::class))
->transformWith(AllocationTransformer::class)
->toArray();
}
@ -81,7 +81,7 @@ class NetworkAllocationController extends ClientApiController
$this->serverRepository->update($server->id, ['allocation_id' => $allocation->id]);
return $this->fractal->item($allocation)
->transformWith($this->getTransformer(AllocationTransformer::class))
->transformWith(AllocationTransformer::class)
->toArray();
}
@ -100,7 +100,7 @@ class NetworkAllocationController extends ClientApiController
$allocation = $this->assignableAllocationService->handle($server);
return $this->fractal->item($allocation)
->transformWith($this->getTransformer(AllocationTransformer::class))
->transformWith(AllocationTransformer::class)
->toArray();
}

View file

@ -42,7 +42,7 @@ class ResourceUtilizationController extends ClientApiController
});
return $this->fractal->item($stats)
->transformWith($this->getTransformer(StatsTransformer::class))
->transformWith(StatsTransformer::class)
->toArray();
}
}

View file

@ -14,7 +14,6 @@ use Pterodactyl\Repositories\Eloquent\ScheduleRepository;
use Pterodactyl\Services\Schedules\ProcessScheduleService;
use Pterodactyl\Transformers\Api\Client\ScheduleTransformer;
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Pterodactyl\Http\Requests\Api\Client\Servers\Schedules\ViewScheduleRequest;
use Pterodactyl\Http\Requests\Api\Client\Servers\Schedules\StoreScheduleRequest;
@ -49,7 +48,7 @@ class ScheduleController extends ClientApiController
$schedules->loadMissing('tasks');
return $this->fractal->collection($schedules)
->transformWith($this->getTransformer(ScheduleTransformer::class))
->transformWith(ScheduleTransformer::class)
->toArray();
}
@ -77,7 +76,7 @@ class ScheduleController extends ClientApiController
]);
return $this->fractal->item($model)
->transformWith($this->getTransformer(ScheduleTransformer::class))
->transformWith(ScheduleTransformer::class)
->toArray();
}
@ -88,14 +87,10 @@ class ScheduleController extends ClientApiController
*/
public function view(ViewScheduleRequest $request, Server $server, Schedule $schedule): array
{
if ($schedule->server_id !== $server->id) {
throw new NotFoundHttpException();
}
$schedule->loadMissing('tasks');
return $this->fractal->item($schedule)
->transformWith($this->getTransformer(ScheduleTransformer::class))
->transformWith(ScheduleTransformer::class)
->toArray();
}
@ -134,7 +129,7 @@ class ScheduleController extends ClientApiController
$this->repository->update($schedule->id, $data);
return $this->fractal->item($schedule->refresh())
->transformWith($this->getTransformer(ScheduleTransformer::class))
->transformWith(ScheduleTransformer::class)
->toArray();
}

View file

@ -6,15 +6,15 @@ use Pterodactyl\Models\Task;
use Illuminate\Http\Response;
use Pterodactyl\Models\Server;
use Pterodactyl\Models\Schedule;
use Pterodactyl\Models\Permission;
use Pterodactyl\Repositories\Eloquent\TaskRepository;
use Pterodactyl\Exceptions\Http\HttpForbiddenException;
use Pterodactyl\Transformers\Api\Client\TaskTransformer;
use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
use Pterodactyl\Exceptions\Service\ServiceLimitExceededException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Pterodactyl\Http\Requests\Api\Client\Servers\Schedules\StoreTaskRequest;
use Pterodactyl\Http\Requests\Api\Client\Servers\Schedules\DeleteScheduleRequest;
use Pterodactyl\Http\Requests\Api\Client\Servers\Schedules\UpdateScheduleRequest;
class ScheduleTaskController extends ClientApiController
{
@ -63,7 +63,7 @@ class ScheduleTaskController extends ClientApiController
]);
return $this->fractal->item($task)
->transformWith($this->getTransformer(TaskTransformer::class))
->transformWith(TaskTransformer::class)
->toArray();
}
@ -93,7 +93,7 @@ class ScheduleTaskController extends ClientApiController
]);
return $this->fractal->item($task->refresh())
->transformWith($this->getTransformer(TaskTransformer::class))
->transformWith(TaskTransformer::class)
->toArray();
}
@ -101,18 +101,14 @@ class ScheduleTaskController extends ClientApiController
* Delete a given task for a schedule. If there are subsequent tasks stored in the database
* for this schedule their sequence IDs are decremented properly.
*
* This uses the UpdateScheduleRequest intentionally -- there is no permission specific
* to deleting a given task on a schedule, so we'll assume if you have permission to edit
* a schedule that you can then remove a task from said schedule.
*
* @throws \Exception
*/
public function delete(ClientApiRequest $request, Server $server, Schedule $schedule, Task $task): Response
public function delete(DeleteScheduleRequest $request, Server $server, Schedule $schedule, Task $task): Response
{
if ($task->schedule_id !== $schedule->id || $schedule->server_id !== $server->id) {
throw new NotFoundHttpException();
}
if (!$request->user()->can(Permission::ACTION_SCHEDULE_UPDATE, $server)) {
throw new HttpForbiddenException('You do not have permission to perform this action.');
}
$schedule->tasks()->where('sequence_id', '>', $task->sequence_id)->update([
'sequence_id' => $schedule->tasks()->getConnection()->raw('(sequence_id - 1)'),
]);

View file

@ -34,7 +34,7 @@ class ServerController extends ClientApiController
public function index(GetServerRequest $request, Server $server): array
{
return $this->fractal->item($server)
->transformWith($this->getTransformer(ServerTransformer::class))
->transformWith(ServerTransformer::class)
->addMeta([
'is_server_owner' => $request->user()->id === $server->owner_id,
'user_permissions' => $this->permissionsService->handle($server, $request->user()),

View file

@ -42,7 +42,7 @@ class StartupController extends ClientApiController
return $this->fractal->collection(
$server->variables()->where('user_viewable', true)->get()
)
->transformWith($this->getTransformer(EggVariableTransformer::class))
->transformWith(EggVariableTransformer::class)
->addMeta([
'startup_command' => $startup,
'docker_images' => $server->egg->docker_images,
@ -86,7 +86,7 @@ class StartupController extends ClientApiController
$startup = $this->startupCommandService->handle($server, false);
return $this->fractal->item($variable)
->transformWith($this->getTransformer(EggVariableTransformer::class))
->transformWith(EggVariableTransformer::class)
->addMeta([
'startup_command' => $startup,
'raw_startup_command' => $server->startup,

View file

@ -5,6 +5,7 @@ namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Pterodactyl\Models\Server;
use Pterodactyl\Models\Subuser;
use Pterodactyl\Models\Permission;
use Illuminate\Support\Facades\Log;
use Pterodactyl\Repositories\Eloquent\SubuserRepository;
@ -47,7 +48,7 @@ class SubuserController extends ClientApiController
public function index(GetSubuserRequest $request, Server $server): array
{
return $this->fractal->collection($server->subusers)
->transformWith($this->getTransformer(SubuserTransformer::class))
->transformWith(SubuserTransformer::class)
->toArray();
}
@ -56,12 +57,10 @@ class SubuserController extends ClientApiController
*
* @throws \Illuminate\Contracts\Container\BindingResolutionException
*/
public function view(GetSubuserRequest $request): array
public function view(GetSubuserRequest $request, Server $server, Subuser $subuser): array
{
$subuser = $request->attributes->get('subuser');
return $this->fractal->item($subuser)
->transformWith($this->getTransformer(SubuserTransformer::class))
->transformWith(SubuserTransformer::class)
->toArray();
}
@ -82,7 +81,7 @@ class SubuserController extends ClientApiController
);
return $this->fractal->item($response)
->transformWith($this->getTransformer(SubuserTransformer::class))
->transformWith(SubuserTransformer::class)
->toArray();
}
@ -93,11 +92,8 @@ class SubuserController extends ClientApiController
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
* @throws \Illuminate\Contracts\Container\BindingResolutionException
*/
public function update(UpdateSubuserRequest $request, Server $server): array
public function update(UpdateSubuserRequest $request, Server $server, Subuser $subuser): array
{
/** @var \Pterodactyl\Models\Subuser $subuser */
$subuser = $request->attributes->get('subuser');
$permissions = $this->getDefaultPermissions($request);
$current = $subuser->permissions;
@ -121,18 +117,15 @@ class SubuserController extends ClientApiController
}
return $this->fractal->item($subuser->refresh())
->transformWith($this->getTransformer(SubuserTransformer::class))
->transformWith(SubuserTransformer::class)
->toArray();
}
/**
* Removes a subusers from a server's assignment.
*/
public function delete(DeleteSubuserRequest $request, Server $server): Response
public function delete(DeleteSubuserRequest $request, Server $server, Subuser $subuser): Response
{
/** @var \Pterodactyl\Models\Subuser $subuser */
$subuser = $request->attributes->get('subuser');
$this->repository->delete($subuser->id);
try {

View file

@ -5,11 +5,10 @@ namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
use Carbon\CarbonImmutable;
use Pterodactyl\Models\Server;
use Illuminate\Http\JsonResponse;
use Pterodactyl\Models\Permission;
use Pterodactyl\Services\Nodes\NodeJWTService;
use Pterodactyl\Exceptions\Http\HttpForbiddenException;
use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
use Pterodactyl\Services\Servers\GetUserPermissionsService;
use Pterodactyl\Http\Requests\Api\Client\WebsocketTokenRequest;
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
class WebsocketController extends ClientApiController
@ -36,14 +35,9 @@ class WebsocketController extends ClientApiController
* allows us to continually renew this token and avoid users maintaining sessions wrongly,
* as well as ensure that user's only perform actions they're allowed to.
*/
public function __invoke(ClientApiRequest $request, Server $server): JsonResponse
public function __invoke(WebsocketTokenRequest $request, Server $server): JsonResponse
{
$user = $request->user();
if ($user->cannot(Permission::ACTION_WEBSOCKET_CONNECT, $server)) {
throw new HttpForbiddenException('You do not have permission to connect to this server\'s websocket.');
}
$permissions = $this->permissionsService->handle($server, $user);
$permissions = $this->permissionsService->handle($server, $request->user());
$node = $server->node;
if (!is_null($server->transfer)) {
@ -65,7 +59,7 @@ class WebsocketController extends ClientApiController
'server_uuid' => $server->uuid,
'permissions' => $permissions,
])
->handle($node, $user->id . $server->uuid);
->handle($node, $request->user()->id . $server->uuid);
$socket = str_replace(['https://', 'http://'], ['wss://', 'ws://'], $node->getConnectionAddress());

View file

@ -55,8 +55,6 @@ class TwoFactorController extends ClientApiController
/**
* Updates a user's account to have two-factor enabled.
*
* @return \Illuminate\Http\JsonResponse
*
* @throws \Throwable
* @throws \Illuminate\Validation\ValidationException
* @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException

View file

@ -5,8 +5,8 @@ namespace Pterodactyl\Http\Controllers\Api\Client;
use Exception;
use Illuminate\Http\Request;
use Illuminate\Http\JsonResponse;
use LaravelWebauthn\Facades\Webauthn;
use Pterodactyl\Models\WebauthnKey;
use LaravelWebauthn\Facades\Webauthn;
use Webauthn\PublicKeyCredentialCreationOptions;
use Illuminate\Database\Eloquent\ModelNotFoundException;
use Pterodactyl\Transformers\Api\Client\WebauthnKeyTransformer;
@ -24,7 +24,7 @@ class WebauthnController extends ClientApiController
public function index(Request $request): array
{
return $this->fractal->collection(WebauthnKey::query()->where('user_id', '=', $request->user()->id)->get())
->transformWith($this->getTransformer(WebauthnKeyTransformer::class))
->transformWith(WebauthnKeyTransformer::class)
->toArray();
}
@ -88,7 +88,7 @@ class WebauthnController extends ClientApiController
);
return $this->fractal->item($webauthnKey)
->transformWith($this->getTransformer(WebauthnKeyTransformer::class))
->transformWith(WebauthnKeyTransformer::class)
->toArray();
} catch (Exception $e) {
return new JsonResponse([

View file

@ -17,7 +17,6 @@ class LoginCheckpointController extends AbstractLoginController
private Encrypter $encrypter;
private Google2FA $google2FA;
/**
* LoginCheckpointController constructor.
*/
@ -51,6 +50,7 @@ class LoginCheckpointController extends AbstractLoginController
{
if ($this->hasTooManyLoginAttempts($request)) {
$this->sendLockoutResponse($request);
return;
}
@ -66,6 +66,7 @@ class LoginCheckpointController extends AbstractLoginController
null,
'The authentication token provided has expired, please refresh the page and try again.'
);
return;
}

View file

@ -69,6 +69,7 @@ class LoginController extends AbstractLoginController
if ($this->hasTooManyLoginAttempts($request)) {
$this->fireLockoutEvent($request);
$this->sendLockoutResponse($request);
return;
}
@ -77,6 +78,7 @@ class LoginController extends AbstractLoginController
$user = $this->repository->findFirstWhere([[$useColumn, '=', $username]]);
} catch (RecordNotFoundException $exception) {
$this->sendFailedLoginResponse($request);
return;
}
@ -86,12 +88,13 @@ class LoginController extends AbstractLoginController
// can proceed to the next step in the login process.
if (!password_verify($request->input('password'), $user->password)) {
$this->sendFailedLoginResponse($request, $user);
return;
}
$webauthnKeys = $user->webauthnKeys()->get();
if (sizeof($webauthnKeys) > 0) {
if (count($webauthnKeys) > 0) {
$token = Str::random(64);
$this->cache->put($token, $user->id, CarbonImmutable::now()->addMinutes(5));
@ -99,7 +102,7 @@ class LoginController extends AbstractLoginController
$request->session()->put(self::SESSION_PUBLICKEY_REQUEST, $publicKey);
$request->session()->save();
$methods = [ self::METHOD_WEBAUTHN ];
$methods = [self::METHOD_WEBAUTHN];
if ($user->use_totp) {
$methods[] = self::METHOD_TOTP;
}
@ -112,19 +115,17 @@ class LoginController extends AbstractLoginController
'public_key' => $publicKey,
],
]);
} else if ($user->use_totp) {
} elseif ($user->use_totp) {
$token = Str::random(64);
$this->cache->put($token, $user->id, CarbonImmutable::now()->addMinutes(5));
return new JsonResponse([
'complete' => false,
'methods' => [ self::METHOD_TOTP ],
'methods' => [self::METHOD_TOTP],
'confirmation_token' => $token,
]);
}
$this->auth->guard()->login($user, true);
return $this->sendLoginResponse($user, $request);
}
}

View file

@ -3,8 +3,8 @@
namespace Pterodactyl\Http\Controllers\Auth;
use Exception;
use Pterodactyl\Models\User;
use Illuminate\Http\Request;
use Pterodactyl\Models\User;
use Illuminate\Auth\AuthManager;
use Illuminate\Http\JsonResponse;
use LaravelWebauthn\Facades\Webauthn;
@ -36,6 +36,7 @@ class WebauthnController extends AbstractLoginController
{
if ($this->hasTooManyLoginAttempts($request)) {
$this->sendLockoutResponse($request);
return;
}
@ -51,6 +52,7 @@ class WebauthnController extends AbstractLoginController
null,
'The authentication token provided has expired, please refresh the page and try again.'
);
return;
}
$this->auth->guard()->onceUsingId($user->id);

View file

@ -2,7 +2,6 @@
namespace Pterodactyl\Http;
use Pterodactyl\Models\ApiKey;
use Illuminate\Auth\Middleware\Authorize;
use Illuminate\Auth\Middleware\Authenticate;
use Pterodactyl\Http\Middleware\TrimStrings;
@ -16,24 +15,23 @@ use Pterodactyl\Http\Middleware\AdminAuthenticate;
use Illuminate\Routing\Middleware\ThrottleRequests;
use Pterodactyl\Http\Middleware\LanguageMiddleware;
use Illuminate\Foundation\Http\Kernel as HttpKernel;
use Pterodactyl\Http\Middleware\Api\AuthenticateKey;
use Illuminate\Routing\Middleware\SubstituteBindings;
use Pterodactyl\Http\Middleware\Api\SetSessionDriver;
use Illuminate\Session\Middleware\AuthenticateSession;
use Illuminate\View\Middleware\ShareErrorsFromSession;
use Pterodactyl\Http\Middleware\MaintenanceMiddleware;
use Pterodactyl\Http\Middleware\RedirectIfAuthenticated;
use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth;
use Pterodactyl\Http\Middleware\Api\AuthenticateIPAccess;
use Pterodactyl\Http\Middleware\Api\ApiSubstituteBindings;
use Pterodactyl\Http\Middleware\Api\PreventUnboundModels;
use Illuminate\Foundation\Http\Middleware\ValidatePostSize;
use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
use Pterodactyl\Http\Middleware\Api\Daemon\DaemonAuthenticate;
use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode;
use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull;
use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;
use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientApiBindings;
use Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance;
use Pterodactyl\Http\Middleware\Api\Application\AuthenticateApplicationUser;
use Pterodactyl\Http\Middleware\Api\Application\SubstituteApplicationApiBindings;
class Kernel extends HttpKernel
{
@ -43,12 +41,11 @@ class Kernel extends HttpKernel
* @var array
*/
protected $middleware = [
CheckForMaintenanceMode::class,
EncryptCookies::class,
TrustProxies::class,
PreventRequestsDuringMaintenance::class,
ValidatePostSize::class,
TrimStrings::class,
ConvertEmptyStringsToNull::class,
TrustProxies::class,
];
/**
@ -58,6 +55,7 @@ class Kernel extends HttpKernel
*/
protected $middlewareGroups = [
'web' => [
EncryptCookies::class,
AddQueuedCookiesToResponse::class,
StartSession::class,
AuthenticateSession::class,
@ -69,20 +67,19 @@ class Kernel extends HttpKernel
],
'api' => [
IsValidJson::class,
ApiSubstituteBindings::class,
SetSessionDriver::class,
'api..key:' . ApiKey::TYPE_APPLICATION,
EnsureFrontendRequestsAreStateful::class,
'auth:sanctum',
SubstituteApplicationApiBindings::class,
PreventUnboundModels::class,
AuthenticateApplicationUser::class,
AuthenticateIPAccess::class,
RequireTwoFactorAuthentication::class,
],
'client-api' => [
StartSession::class,
SetSessionDriver::class,
AuthenticateSession::class,
IsValidJson::class,
EnsureFrontendRequestsAreStateful::class,
'auth:sanctum',
SubstituteClientApiBindings::class,
'api..key:' . ApiKey::TYPE_ACCOUNT,
AuthenticateIPAccess::class,
PreventUnboundModels::class,
// This is perhaps a little backwards with the Client API, but logically you'd be unable
// to create/get an API key without first enabling 2FA on the account, so I suppose in the
// end it makes sense.
@ -112,8 +109,5 @@ class Kernel extends HttpKernel
'bindings' => SubstituteBindings::class,
'recaptcha' => VerifyReCaptcha::class,
'node.maintenance' => MaintenanceMiddleware::class,
// API Specific Middleware
'api..key' => AuthenticateKey::class,
];
}

View file

@ -1,87 +0,0 @@
<?php
namespace Pterodactyl\Http\Middleware\Api;
use Closure;
use Pterodactyl\Models\Egg;
use Pterodactyl\Models\Nest;
use Pterodactyl\Models\Node;
use Pterodactyl\Models\User;
use Pterodactyl\Models\Server;
use Pterodactyl\Models\Database;
use Pterodactyl\Models\Location;
use Pterodactyl\Models\Allocation;
use Illuminate\Routing\Middleware\SubstituteBindings;
use Illuminate\Database\Eloquent\ModelNotFoundException;
class ApiSubstituteBindings extends SubstituteBindings
{
/**
* Mappings to automatically assign route parameters to a model.
*
* @var array
*/
protected static $mappings = [
'allocation' => Allocation::class,
'database' => Database::class,
'egg' => Egg::class,
'location' => Location::class,
'nest' => Nest::class,
'node' => Node::class,
'server' => Server::class,
'user' => User::class,
];
/**
* @var \Illuminate\Routing\Router
*/
protected $router;
/**
* Perform substitution of route parameters without triggering
* a 404 error if a model is not found.
*
* @param \Illuminate\Http\Request $request
*
* @return mixed
*/
public function handle($request, Closure $next)
{
$route = $request->route();
foreach (self::$mappings as $key => $model) {
if (!is_null($this->router->getBindingCallback($key))) {
continue;
}
$this->router->model($key, $model, function () use ($request) {
$request->attributes->set('is_missing_model', true);
});
}
$this->router->substituteBindings($route);
// Attempt to resolve bindings for this route. If one of the models
// cannot be resolved do not immediately return a 404 error. Set a request
// attribute that can be checked in the base API request class to only
// trigger a 404 after validating that the API key making the request is valid
// and even has permission to access the requested resource.
try {
$this->router->substituteImplicitBindings($route);
} catch (ModelNotFoundException $exception) {
$request->attributes->set('is_missing_model', true);
}
return $next($request);
}
/**
* Return the registered mappings.
*
* @return array
*/
public static function getMappings()
{
return self::$mappings;
}
}

View file

@ -0,0 +1,66 @@
<?php
namespace Pterodactyl\Http\Middleware\Api\Application;
use Closure;
use Pterodactyl\Models\Egg;
use Pterodactyl\Models\Nest;
use Pterodactyl\Models\Node;
use Pterodactyl\Models\User;
use Pterodactyl\Models\Server;
use Pterodactyl\Models\Database;
use Pterodactyl\Models\Location;
use Pterodactyl\Models\Allocation;
use Illuminate\Contracts\Routing\Registrar;
use Illuminate\Database\Eloquent\ModelNotFoundException;
class SubstituteApplicationApiBindings
{
protected Registrar $router;
/**
* Mappings to automatically assign route parameters to a model.
*/
protected static array $mappings = [
'allocation' => Allocation::class,
'database' => Database::class,
'egg' => Egg::class,
'location' => Location::class,
'nest' => Nest::class,
'node' => Node::class,
'server' => Server::class,
'user' => User::class,
];
public function __construct(Registrar $router)
{
$this->router = $router;
}
/**
* Perform substitution of route parameters without triggering
* a 404 error if a model is not found.
*
* @param \Illuminate\Http\Request $request
*
* @return mixed
*/
public function handle($request, Closure $next)
{
foreach (self::$mappings as $key => $class) {
$this->router->bind($key, $class);
}
try {
$this->router->substituteImplicitBindings($route = $request->route());
} catch (ModelNotFoundException $exception) {
if (isset($route) && $route->getMissing()) {
$route->getMissing()($request);
}
throw $exception;
}
return $next($request);
}
}

View file

@ -1,38 +0,0 @@
<?php
namespace Pterodactyl\Http\Middleware\Api;
use Closure;
use IPTools\IP;
use IPTools\Range;
use Illuminate\Http\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
class AuthenticateIPAccess
{
/**
* Determine if a request IP has permission to access the API.
*
* @return mixed
*
* @throws \Exception
* @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
*/
public function handle(Request $request, Closure $next)
{
$model = $request->attributes->get('api_key');
if (is_null($model->allowed_ips) || empty($model->allowed_ips)) {
return $next($request);
}
$find = new IP($request->ip());
foreach ($model->allowed_ips as $ip) {
if (Range::parse($ip)->contains($find)) {
return $next($request);
}
}
throw new AccessDeniedHttpException('This IP address (' . $request->ip() . ') does not have permission to access the API using these credentials.');
}
}

View file

@ -1,95 +0,0 @@
<?php
namespace Pterodactyl\Http\Middleware\Api;
use Closure;
use Carbon\CarbonImmutable;
use Illuminate\Http\Request;
use Pterodactyl\Models\User;
use Pterodactyl\Models\ApiKey;
use Illuminate\Auth\AuthManager;
use Illuminate\Contracts\Encryption\Encrypter;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
class AuthenticateKey
{
private AuthManager $auth;
private Encrypter $encrypter;
private ApiKeyRepositoryInterface $repository;
/**
* AuthenticateKey constructor.
*/
public function __construct(ApiKeyRepositoryInterface $repository, AuthManager $auth, Encrypter $encrypter)
{
$this->auth = $auth;
$this->encrypter = $encrypter;
$this->repository = $repository;
}
/**
* Handle an API request by verifying that the provided API key
* is in a valid format and exists in the database.
*
* @return mixed
*
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
*/
public function handle(Request $request, Closure $next, int $keyType)
{
if (is_null($request->bearerToken()) && is_null($request->user())) {
throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
}
$raw = $request->bearerToken();
// This is a request coming through using cookies, we have an authenticated user not using
// an API key. Make some fake API key models and continue on through the process.
if (empty($raw) && $request->user() instanceof User) {
$model = (new ApiKey())->forceFill([
'user_id' => $request->user()->id,
'key_type' => ApiKey::TYPE_ACCOUNT,
]);
} else {
$model = $this->authenticateApiKey($raw, $keyType);
$this->auth->guard()->loginUsingId($model->user_id);
}
$request->attributes->set('api_key', $model);
return $next($request);
}
/**
* Authenticate an API key.
*
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
*/
protected function authenticateApiKey(string $key, int $keyType): ApiKey
{
$identifier = substr($key, 0, ApiKey::IDENTIFIER_LENGTH);
$token = substr($key, ApiKey::IDENTIFIER_LENGTH);
try {
$model = $this->repository->findFirstWhere([
['identifier', '=', $identifier],
['key_type', '=', $keyType],
]);
} catch (RecordNotFoundException $exception) {
throw new AccessDeniedHttpException();
}
if (!hash_equals($this->encrypter->decrypt($model->token), $token)) {
throw new AccessDeniedHttpException();
}
$this->repository->withoutFreshModel()->update($model->id, ['last_used_at' => CarbonImmutable::now()]);
return $model;
}
}

View file

@ -3,60 +3,102 @@
namespace Pterodactyl\Http\Middleware\Api\Client;
use Closure;
use Pterodactyl\Models\User;
use Pterodactyl\Models\Backup;
use Pterodactyl\Models\Database;
use Illuminate\Support\Str;
use Pterodactyl\Models\Task;
use Illuminate\Routing\Route;
use Pterodactyl\Models\Server;
use Illuminate\Container\Container;
use Illuminate\Database\Query\JoinClause;
use Illuminate\Contracts\Routing\Registrar;
use Pterodactyl\Contracts\Extensions\HashidsInterface;
use Pterodactyl\Http\Middleware\Api\ApiSubstituteBindings;
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
use Pterodactyl\Contracts\Repository\ServerRepositoryInterface;
use Illuminate\Database\Eloquent\ModelNotFoundException;
class SubstituteClientApiBindings extends ApiSubstituteBindings
class SubstituteClientApiBindings
{
protected Registrar $router;
public function __construct(Registrar $router)
{
$this->router = $router;
}
/**
* Perform substitution of route parameters without triggering
* a 404 error if a model is not found.
* Perform substitution of route parameters for the Client API.
*
* @param \Illuminate\Http\Request $request
* @param \Illuminate\Http\Request
*
* @return mixed
*/
public function handle($request, Closure $next)
{
// Override default behavior of the model binding to use a specific table
// column rather than the default 'id'.
$this->router->bind('server', function ($value) use ($request) {
try {
$column = 'uuidShort';
if (preg_match('/^[0-9A-F]{8}-[0-9A-F]{4}-4[0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i', $value)) {
$column = 'uuid';
}
return Container::getInstance()->make(ServerRepositoryInterface::class)->findFirstWhere([
[$column, '=', $value],
]);
} catch (RecordNotFoundException $ex) {
$request->attributes->set('is_missing_model', true);
return null;
}
$this->router->bind('server', function ($value) {
return Server::query()->where(Str::length($value) === 8 ? 'uuidShort' : 'uuid', $value)->firstOrFail();
});
$this->router->bind('database', function ($value) {
$this->router->bind('allocation', function ($value, $route) {
return $this->server($route)->allocations()->findOrFail($value);
});
$this->router->bind('schedule', function ($value, $route) {
return $this->server($route)->schedule()->findOrFail($value);
});
$this->router->bind('task', function ($value, $route) {
return Task::query()
->select('tasks.*')
->join('schedules', function (JoinClause $join) use ($route) {
$join->on('schedules.id', 'tasks.schedule_id')
->where('schedules.server_id', $route->parameter('server')->id);
})
->where('schedules.id', $route->parameter('schedule')->id)
->findOrFail($value);
});
$this->router->bind('database', function ($value, $route) {
$id = Container::getInstance()->make(HashidsInterface::class)->decodeFirst($value);
return Database::query()->where('id', $id)->firstOrFail();
return $this->server($route)->databases()->findOrFail($id);
});
$this->router->bind('backup', function ($value) {
return Backup::query()->where('uuid', $value)->firstOrFail();
$this->router->bind('backup', function ($value, $route) {
return $this->server($route)->backups()->where('uuid', $value)->firstOrFail();
});
$this->router->bind('user', function ($value) {
return User::query()->where('uuid', $value)->firstOrFail();
$this->router->bind('subuser', function ($value, $route) {
return $this->server($route)->subusers()
->select('subusers.*')
->join('users', 'subusers.user_id', '=', 'users.id')
->where('users.uuid', $value)
->firstOrFail();
});
return parent::handle($request, $next);
try {
/* @var \Illuminate\Routing\Route $route */
$this->router->substituteBindings($route = $request->route());
} catch (ModelNotFoundException $exception) {
if (isset($route) && $route->getMissing()) {
$route->getMissing()($request);
}
throw $exception;
}
return $next($request);
}
/**
* Plucks the server model off the route. If no server model is present a
* ModelNotFound exception will be thrown.
*
* @throws \Illuminate\Database\Eloquent\ModelNotFoundException
*/
private function server(Route $route): Server
{
$server = $route->parameter('server');
if (!$server instanceof Server) {
throw (new ModelNotFoundException())->setModel(Server::class, [$route->parameter('server')]);
}
return $server;
}
}

View file

@ -0,0 +1,45 @@
<?php
namespace Pterodactyl\Http\Middleware\Api;
use Closure;
use Exception;
use Illuminate\Support\Reflector;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Contracts\Routing\UrlRoutable;
class PreventUnboundModels
{
/**
* Prevents a request from making it to a controller action if there is a model
* injection on the controller that has not been explicitly bound by the request.
* This prevents empty models from being valid in scenarios where a new model is
* added but not properly defined in the substitution middleware.
*
* @param \Illuminate\Http\Request $request
*
* @return mixed
*
* @throws \Exception
*/
public function handle($request, Closure $next)
{
$route = $request->route();
$parameters = $route->parameters() ?? [];
/** @var \ReflectionParameter[] $signatures */
$signatures = $route->signatureParameters(UrlRoutable::class);
foreach ($signatures as $signature) {
$class = Reflector::getParameterClassName($signature);
if (is_null($class) || !is_subclass_of($class, Model::class)) {
continue;
}
if (!$parameters[$signature->getName()] instanceof Model) {
throw new Exception(sprintf('No parameter binding has been defined for model [%s] using route parameter key "%s".', $class, $signature->getName()));
}
}
return $next($request);
}
}

View file

@ -1,35 +0,0 @@
<?php
namespace Pterodactyl\Http\Middleware\Api;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Contracts\Config\Repository as ConfigRepository;
class SetSessionDriver
{
/**
* @var \Illuminate\Contracts\Config\Repository
*/
private $config;
/**
* SetSessionDriver constructor.
*/
public function __construct(ConfigRepository $config)
{
$this->config = $config;
}
/**
* Set the session for API calls to only last for the one request.
*
* @return mixed
*/
public function handle(Request $request, Closure $next)
{
$this->config->set('session.driver', 'array');
return $next($request);
}
}

View file

@ -14,6 +14,6 @@ class VerifyCsrfToken extends BaseVerifier
protected $except = [
'remote/*',
'daemon/*',
'api/*',
// 'api/*',
];
}

View file

@ -0,0 +1,83 @@
<?php
namespace Pterodactyl\Http\Requests\Api;
use Illuminate\Foundation\Http\FormRequest;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
/**
* @method \Pterodactyl\Models\User user($guard = null)
*/
abstract class ApiRequest extends FormRequest
{
/**
* Tracks if the request has been validated internally or not to avoid
* making duplicate validation calls.
*/
private bool $hasValidated = false;
/**
* Determine if the current user is authorized to perform the requested
* action against the API.
*/
public function authorize(): bool
{
return false;
}
/**
* Default set of rules to apply to API requests.
*/
public function rules(): array
{
return [];
}
/**
* Validate that the resource exists and can be accessed prior to booting
* the validator and attempting to use the data.
*
* @throws \Illuminate\Auth\Access\AuthorizationException
*/
protected function prepareForValidation()
{
if (!$this->passesAuthorization()) {
$this->failedAuthorization();
}
$this->hasValidated = true;
}
/*
* Determine if the request passes the authorization check as well
* as the exists check.
*
* @return bool
*
* @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
*/
protected function passesAuthorization()
{
// If we have already validated we do not need to call this function
// again. This is needed to work around Laravel's normal auth validation
// that occurs after validating the request params since we are doing auth
// validation in the prepareForValidation() function.
if ($this->hasValidated) {
return true;
}
if (!parent::passesAuthorization()) {
return false;
}
// Only let the user know that a resource does not exist if they are
// authenticated to access the endpoint. This avoids exposing that
// an item exists (or does not exist) to the user until they can prove
// that they have permission to know about it.
if ($this->attributes->get('is_missing_model', false)) {
throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
}
return true;
}
}

View file

@ -2,31 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Allocations;
use Pterodactyl\Models\Node;
use Pterodactyl\Models\Allocation;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class DeleteAllocationRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_ALLOCATIONS;
protected int $permission = AdminAcl::WRITE;
/**
* Determine if the requested allocation exists and belongs to the node that
* is being passed in the URL.
*/
public function resourceExists(): bool
{
$node = $this->route()->parameter('node');
$allocation = $this->route()->parameter('allocation');
if ($node instanceof Node && $node->exists) {
if ($allocation instanceof Allocation && $allocation->exists && $allocation->node_id === $node->id) {
return true;
}
}
return false;
}
}

View file

@ -2,23 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Allocations;
use Pterodactyl\Models\Node;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class GetAllocationsRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_ALLOCATIONS;
protected int $permission = AdminAcl::READ;
/**
* Determine if the node that we are requesting the allocations
* for exists on the Panel.
*/
public function resourceExists(): bool
{
$node = $this->route()->parameter('node');
return $node instanceof Node && $node->exists;
}
}

View file

@ -2,14 +2,10 @@
namespace Pterodactyl\Http\Requests\Api\Application\Allocations;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class StoreAllocationRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_ALLOCATIONS;
protected int $permission = AdminAcl::WRITE;
public function rules(): array
{
return [

View file

@ -2,147 +2,16 @@
namespace Pterodactyl\Http\Requests\Api\Application;
use Pterodactyl\Models\ApiKey;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Illuminate\Foundation\Http\FormRequest;
use Pterodactyl\Exceptions\PterodactylException;
use Pterodactyl\Http\Middleware\Api\ApiSubstituteBindings;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Exception\InvalidParameterException;
use Pterodactyl\Http\Requests\Api\ApiRequest;
abstract class ApplicationApiRequest extends FormRequest
abstract class ApplicationApiRequest extends ApiRequest
{
/**
* Tracks if the request has been validated internally or not to avoid
* making duplicate validation calls.
*/
private bool $hasValidated = false;
/**
* The resource that should be checked when performing the authorization
* function for this request.
*
* @var string|null
*/
protected string $resource;
/**
* The permission level that a given API key should have for accessing
* the defined $resource during the request cycle.
*
* @var int
*/
protected int $permission = AdminAcl::NONE;
/**
* Determine if the current user is authorized to perform
* the requested action against the API.
*
* @throws \Pterodactyl\Exceptions\PterodactylException
* This will eventually be replaced with per-request permissions checking
* on the API key and for the user.
*/
public function authorize(): bool
{
if (is_null($this->resource)) {
throw new PterodactylException('An ACL resource must be defined on API requests.');
}
if ($this->key()->key_type === ApiKey::TYPE_ACCOUNT) {
return $this->user()->root_admin;
}
return AdminAcl::check($this->key(), $this->resource, $this->permission);
}
/**
* Determine if the requested resource exists on the server.
*/
public function resourceExists(): bool
{
return true;
}
/**
* Default set of rules to apply to API requests.
*/
public function rules(): array
{
return [];
}
/**
* Return the API key being used for the request.
*/
public function key(): ApiKey
{
return $this->attributes->get('api_key');
}
/**
* Grab a model from the route parameters. If no model is found in the
* binding mappings an exception will be thrown.
*
* @return mixed
*
* @deprecated
*
* @throws \Symfony\Component\Routing\Exception\InvalidParameterException
*/
public function getModel(string $model)
{
$parameterKey = array_get(array_flip(ApiSubstituteBindings::getMappings()), $model);
if (is_null($parameterKey)) {
throw new InvalidParameterException();
}
return $this->route()->parameter($parameterKey);
}
/**
* Validate that the resource exists and can be accessed prior to booting
* the validator and attempting to use the data.
*
* @throws \Illuminate\Auth\Access\AuthorizationException
*/
protected function prepareForValidation()
{
if (!$this->passesAuthorization()) {
$this->failedAuthorization();
}
$this->hasValidated = true;
}
/*
* Determine if the request passes the authorization check as well
* as the exists check.
*
* @return bool
*
* @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
*/
protected function passesAuthorization()
{
// If we have already validated we do not need to call this function
// again. This is needed to work around Laravel's normal auth validation
// that occurs after validating the request params since we are doing auth
// validation in the prepareForValidation() function.
if ($this->hasValidated) {
return true;
}
if (!parent::passesAuthorization()) {
return false;
}
// Only let the user know that a resource does not exist if they are
// authenticated to access the endpoint. This avoids exposing that
// an item exists (or does not exist) to the user until they can prove
// that they have permission to know about it.
if ($this->attributes->get('is_missing_model', false) || !$this->resourceExists()) {
throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
}
return true;
}
}

View file

@ -2,19 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Databases;
use Pterodactyl\Models\DatabaseHost;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class DeleteDatabaseRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_DATABASE_HOSTS;
protected int $permission = AdminAcl::WRITE;
public function resourceExists(): bool
{
$databaseHost = $this->route()->parameter('databaseHost');
return $databaseHost instanceof DatabaseHost && $databaseHost->exists;
}
}

View file

@ -2,14 +2,6 @@
namespace Pterodactyl\Http\Requests\Api\Application\Databases;
use Pterodactyl\Models\DatabaseHost;
class GetDatabaseRequest extends GetDatabasesRequest
{
public function resourceExists(): bool
{
$databaseHost = $this->route()->parameter('databaseHost');
return $databaseHost instanceof DatabaseHost && $databaseHost->exists;
}
}

View file

@ -2,11 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Databases;
use Pterodactyl\Services\Acl\Api\AdminAcl as Acl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class GetDatabasesRequest extends ApplicationApiRequest
{
protected string $resource = Acl::RESOURCE_DATABASE_HOSTS;
protected int $permission = Acl::READ;
}

View file

@ -3,14 +3,10 @@
namespace Pterodactyl\Http\Requests\Api\Application\Databases;
use Pterodactyl\Models\DatabaseHost;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class StoreDatabaseRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_DATABASE_HOSTS;
protected int $permission = AdminAcl::WRITE;
public function rules(array $rules = null): array
{
return $rules ?? DatabaseHost::getRules();

View file

@ -3,14 +3,10 @@
namespace Pterodactyl\Http\Requests\Api\Application\Eggs;
use Pterodactyl\Models\Egg;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class DeleteEggRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_EGGS;
protected int $permission = AdminAcl::WRITE;
public function resourceExists(): bool
{
$egg = $this->route()->parameter('egg');

View file

@ -2,14 +2,6 @@
namespace Pterodactyl\Http\Requests\Api\Application\Eggs;
use Pterodactyl\Models\Egg;
class GetEggRequest extends GetEggsRequest
{
public function resourceExists(): bool
{
$egg = $this->route()->parameter('egg');
return $egg instanceof Egg && $egg->exists;
}
}

View file

@ -2,11 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Eggs;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class GetEggsRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_EGGS;
protected int $permission = AdminAcl::READ;
}

View file

@ -3,14 +3,10 @@
namespace Pterodactyl\Http\Requests\Api\Application\Eggs;
use Pterodactyl\Models\Egg;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class StoreEggRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_EGGS;
protected int $permission = AdminAcl::WRITE;
public function rules(array $rules = null): array
{
return $rules ?? Egg::getRules();

View file

@ -2,19 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Locations;
use Pterodactyl\Models\Location;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class DeleteLocationRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_LOCATIONS;
protected int $permission = AdminAcl::WRITE;
public function resourceExists(): bool
{
$location = $this->route()->parameter('location');
return $location instanceof Location && $location->exists;
}
}

View file

@ -2,14 +2,6 @@
namespace Pterodactyl\Http\Requests\Api\Application\Locations;
use Pterodactyl\Models\Location;
class GetLocationRequest extends GetLocationsRequest
{
public function resourceExists(): bool
{
$location = $this->route()->parameter('location');
return $location instanceof Location && $location->exists;
}
}

View file

@ -2,11 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Locations;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class GetLocationsRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_LOCATIONS;
protected int $permission = AdminAcl::READ;
}

View file

@ -3,14 +3,10 @@
namespace Pterodactyl\Http\Requests\Api\Application\Locations;
use Pterodactyl\Models\Location;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class StoreLocationRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_LOCATIONS;
protected int $permission = AdminAcl::WRITE;
public function rules(): array
{
return collect(Location::getRules())->only([

View file

@ -6,13 +6,6 @@ use Pterodactyl\Models\Location;
class UpdateLocationRequest extends StoreLocationRequest
{
public function resourceExists(): bool
{
$location = $this->route()->parameter('location');
return $location instanceof Location && $location->exists;
}
public function rules(): array
{
$locationId = $this->route()->parameter('location')->id;

View file

@ -2,19 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Mounts;
use Pterodactyl\Models\Mount;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class DeleteMountRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_MOUNTS;
protected int $permission = AdminAcl::WRITE;
public function resourceExists(): bool
{
$mount = $this->route()->parameter('mount');
return $mount instanceof Mount && $mount->exists;
}
}

View file

@ -2,14 +2,6 @@
namespace Pterodactyl\Http\Requests\Api\Application\Mounts;
use Pterodactyl\Models\Mount;
class GetMountRequest extends GetMountsRequest
{
public function resourceExists(): bool
{
$mount = $this->route()->parameter('mount');
return $mount instanceof Mount && $mount->exists;
}
}

View file

@ -2,11 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Mounts;
use Pterodactyl\Services\Acl\Api\AdminAcl as Acl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class GetMountsRequest extends ApplicationApiRequest
{
protected string $resource = Acl::RESOURCE_MOUNTS;
protected int $permission = Acl::READ;
}

View file

@ -2,14 +2,10 @@
namespace Pterodactyl\Http\Requests\Api\Application\Mounts;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class MountEggsRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_MOUNTS;
protected int $permission = AdminAcl::WRITE;
public function rules(array $rules = null): array
{
return $rules ?? ['eggs' => 'required|exists:eggs,id'];

View file

@ -2,14 +2,10 @@
namespace Pterodactyl\Http\Requests\Api\Application\Mounts;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class MountNodesRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_MOUNTS;
protected int $permission = AdminAcl::WRITE;
public function rules(array $rules = null): array
{
return $rules ?? ['nodes' => 'required|exists:nodes,id'];

View file

@ -3,14 +3,10 @@
namespace Pterodactyl\Http\Requests\Api\Application\Mounts;
use Pterodactyl\Models\Mount;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class StoreMountRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_MOUNTS;
protected int $permission = AdminAcl::WRITE;
public function rules(array $rules = null): array
{
return $rules ?? Mount::getRules();

View file

@ -2,19 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Nests;
use Pterodactyl\Models\Nest;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class DeleteNestRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_NESTS;
protected int $permission = AdminAcl::WRITE;
public function resourceExists(): bool
{
$nest = $this->route()->parameter('nest');
return $nest instanceof Nest && $nest->exists;
}
}

View file

@ -2,14 +2,6 @@
namespace Pterodactyl\Http\Requests\Api\Application\Nests;
use Pterodactyl\Models\Nest;
class GetNestRequest extends GetNestsRequest
{
public function resourceExists(): bool
{
$nest = $this->route()->parameter('nest');
return $nest instanceof Nest && $nest->exists;
}
}

View file

@ -2,11 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Nests;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class GetNestsRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_NESTS;
protected int $permission = AdminAcl::READ;
}

View file

@ -2,17 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Nests;
use Pterodactyl\Models\Nest;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class StoreNestRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_NESTS;
protected int $permission = AdminAcl::WRITE;
public function rules(array $rules = null): array
{
return $rules ?? Nest::getRules();
}
}

View file

@ -2,19 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Nodes;
use Pterodactyl\Models\Node;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class DeleteNodeRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_NODES;
protected int $permission = AdminAcl::WRITE;
public function resourceExists(): bool
{
$node = $this->route()->parameter('node');
return $node instanceof Node && $node->exists;
}
}

View file

@ -2,14 +2,6 @@
namespace Pterodactyl\Http\Requests\Api\Application\Nodes;
use Pterodactyl\Models\Node;
class GetNodeRequest extends GetNodesRequest
{
public function resourceExists(): bool
{
$node = $this->route()->parameter('node');
return $node instanceof Node && $node->exists;
}
}

View file

@ -2,11 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Nodes;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class GetNodesRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_NODES;
protected int $permission = AdminAcl::READ;
}

View file

@ -3,14 +3,10 @@
namespace Pterodactyl\Http\Requests\Api\Application\Nodes;
use Pterodactyl\Models\Node;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class StoreNodeRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_NODES;
protected int $permission = AdminAcl::WRITE;
/**
* Validation rules to apply to this request.
*/

View file

@ -2,19 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Roles;
use Pterodactyl\Models\AdminRole;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class DeleteRoleRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_ROLES;
protected int $permission = AdminAcl::WRITE;
public function resourceExists(): bool
{
$role = $this->route()->parameter('role');
return $role instanceof AdminRole && $role->exists;
}
}

View file

@ -2,14 +2,6 @@
namespace Pterodactyl\Http\Requests\Api\Application\Roles;
use Pterodactyl\Models\AdminRole;
class GetRoleRequest extends GetRolesRequest
{
public function resourceExists(): bool
{
$role = $this->route()->parameter('role');
return $role instanceof AdminRole && $role->exists;
}
}

View file

@ -2,11 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Roles;
use Pterodactyl\Services\Acl\Api\AdminAcl as Acl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class GetRolesRequest extends ApplicationApiRequest
{
protected string $resource = Acl::RESOURCE_ROLES;
protected int $permission = Acl::READ;
}

View file

@ -3,14 +3,10 @@
namespace Pterodactyl\Http\Requests\Api\Application\Roles;
use Pterodactyl\Models\AdminRole;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class StoreRoleRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_ROLES;
protected int $permission = AdminAcl::WRITE;
public function rules(array $rules = null): array
{
return $rules ?? AdminRole::getRules();

View file

@ -2,19 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Servers\Databases;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class GetServerDatabaseRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_SERVER_DATABASES;
protected int $permission = AdminAcl::READ;
public function resourceExists(): bool
{
$server = $this->route()->parameter('server');
$database = $this->route()->parameter('database');
return $database->server_id === $server->id;
}
}

View file

@ -2,11 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Servers\Databases;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class GetServerDatabasesRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_SERVER_DATABASES;
protected int $permission = AdminAcl::READ;
}

View file

@ -2,9 +2,6 @@
namespace Pterodactyl\Http\Requests\Api\Application\Servers\Databases;
use Pterodactyl\Services\Acl\Api\AdminAcl;
class ServerDatabaseWriteRequest extends GetServerDatabasesRequest
{
protected int $permission = AdminAcl::WRITE;
}

View file

@ -6,15 +6,11 @@ use Webmozart\Assert\Assert;
use Pterodactyl\Models\Server;
use Illuminate\Validation\Rule;
use Illuminate\Database\Query\Builder;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Services\Databases\DatabaseManagementService;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class StoreServerDatabaseRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_SERVER_DATABASES;
protected int $permission = AdminAcl::WRITE;
public function rules(): array
{
$server = $this->route()->parameter('server');

View file

@ -2,35 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Servers;
use Pterodactyl\Models\Server;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
use Pterodactyl\Contracts\Repository\ServerRepositoryInterface;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class GetExternalServerRequest extends ApplicationApiRequest
{
private Server $serverModel;
protected string $resource = AdminAcl::RESOURCE_SERVERS;
protected int $permission = AdminAcl::READ;
public function resourceExists(): bool
{
$repository = $this->container->make(ServerRepositoryInterface::class);
try {
$this->serverModel = $repository->findFirstWhere([
['external_id', '=', $this->route()->parameter('external_id')],
]);
} catch (RecordNotFoundException $exception) {
return false;
}
return true;
}
public function getServerModel(): Server
{
return $this->serverModel;
}
}

View file

@ -2,11 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Servers;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class GetServerRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_SERVERS;
protected int $permission = AdminAcl::READ;
}

View file

@ -2,11 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Application\Servers;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class ServerWriteRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_SERVERS;
protected int $permission = AdminAcl::WRITE;
}

View file

@ -4,16 +4,12 @@ namespace Pterodactyl\Http\Requests\Api\Application\Servers;
use Pterodactyl\Models\Server;
use Illuminate\Validation\Rule;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Illuminate\Contracts\Validation\Validator;
use Pterodactyl\Models\Objects\DeploymentObject;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
class StoreServerRequest extends ApplicationApiRequest
{
protected string $resource = AdminAcl::RESOURCE_SERVERS;
protected int $permission = AdminAcl::WRITE;
public function rules(): array
{
$rules = Server::getRules();
@ -93,7 +89,9 @@ class StoreServerRequest extends ApplicationApiRequest
public function withValidator(Validator $validator)
{
$validator->sometimes('allocation.default', [
'required', 'integer', 'bail',
'required',
'integer',
'bail',
Rule::exists('allocations', 'id')->where(function ($query) {
$query->whereNull('server_id');
}),

Some files were not shown because too many files have changed in this diff Show more