diff --git a/app/Http/Controllers/Api/Client/ApiKeyController.php b/app/Http/Controllers/Api/Client/ApiKeyController.php index 0788e62e2..5662e19cd 100644 --- a/app/Http/Controllers/Api/Client/ApiKeyController.php +++ b/app/Http/Controllers/Api/Client/ApiKeyController.php @@ -103,6 +103,7 @@ class ApiKeyController extends ClientApiController public function delete(ClientApiRequest $request, string $identifier) { $response = $this->repository->deleteWhere([ + 'key_type' => ApiKey::TYPE_ACCOUNT, 'user_id' => $request->user()->id, 'identifier' => $identifier, ]); diff --git a/tests/Integration/Api/Client/ApiKeyControllerTest.php b/tests/Integration/Api/Client/ApiKeyControllerTest.php new file mode 100644 index 000000000..2abf64185 --- /dev/null +++ b/tests/Integration/Api/Client/ApiKeyControllerTest.php @@ -0,0 +1,221 @@ +forceDelete(); + User::query()->forceDelete(); + + parent::tearDown(); + } + + /** + * Test that the client's API key can be returned successfully. + */ + public function testApiKeysAreReturned() + { + /** @var \Pterodactyl\Models\User $user */ + $user = factory(User::class)->create(); + /** @var \Pterodactyl\Models\ApiKey $key */ + $key = factory(ApiKey::class)->create([ + 'user_id' => $user->id, + 'key_type' => ApiKey::TYPE_ACCOUNT, + ]); + + $response = $this->actingAs($user)->get('/api/client/account/api-keys'); + + $response->assertOk(); + $response->assertJson([ + 'object' => 'list', + 'data' => [ + [ + 'object' => 'api_key', + 'attributes' => [ + 'identifier' => $key->identifier, + 'description' => $key->memo, + 'allowed_ips' => $key->allowed_ips, + 'last_used_at' => null, + 'created_at' => $key->created_at->toIso8601String(), + ], + ], + ], + ]); + } + + /** + * Test that an API key can be created for the client account. This also checks that the + * API key secret is returned as metadata in the response since it will not be returned + * after that point. + */ + public function testApiKeyCanBeCreatedForAccount() + { + /** @var \Pterodactyl\Models\User $user */ + $user = factory(User::class)->create(); + + // Small sub-test to ensure we're always comparing the number of keys to the + // specific logged in account, and not just the total number of keys stored in + // the database. + factory(ApiKey::class)->create([ + 'user_id' => factory(User::class)->create()->id, + 'key_type' => ApiKey::TYPE_ACCOUNT, + ]); + + $response = $this->actingAs($user)->postJson('/api/client/account/api-keys', [ + 'description' => 'Test Description', + 'allowed_ips' => ['127.0.0.1'], + ]); + + $response->assertOk(); + + /** @var \Pterodactyl\Models\ApiKey $key */ + $key = ApiKey::query()->where('identifier', $response->json('attributes.identifier'))->firstOrFail(); + + $response->assertJson([ + 'object' => 'api_key', + 'attributes' => [ + 'identifier' => $key->identifier, + 'description' => 'Test Description', + 'allowed_ips' => ['127.0.0.1'], + 'last_used_at' => null, + 'created_at' => $key->created_at->toIso8601String(), + ], + 'meta' => [ + 'secret_token' => decrypt($key->token), + ], + ]); + } + + /** + * Test that no more than 5 API keys can exist at any one time for an account. This prevents + * a DoS attack vector against the panel. + * + * @see https://github.com/pterodactyl/panel/security/advisories/GHSA-pjmh-7xfm-r4x9 + */ + public function testNoMoreThanFiveApiKeysCanBeCreatedForAnAccount() + { + /** @var \Pterodactyl\Models\User $user */ + $user = factory(User::class)->create(); + factory(ApiKey::class)->times(5)->create([ + 'user_id' => $user->id, + 'key_type' => ApiKey::TYPE_ACCOUNT, + ]); + + $response = $this->actingAs($user)->postJson('/api/client/account/api-keys', [ + 'description' => 'Test Description', + 'allowed_ips' => ['127.0.0.1'], + ]); + + $response->assertStatus(Response::HTTP_BAD_REQUEST); + $response->assertJsonPath('errors.0.code', 'DisplayException'); + $response->assertJsonPath('errors.0.detail', 'You have reached the account limit for number of API keys.'); + } + + /** + * Test that a bad request results in a validation error being returned by the API. + */ + public function testValidationErrorIsReturnedForBadRequests() + { + /** @var \Pterodactyl\Models\User $user */ + $user = factory(User::class)->create(); + + $response = $this->actingAs($user)->postJson('/api/client/account/api-keys', [ + 'description' => '', + 'allowed_ips' => ['127.0.0.1'], + ]); + + $response->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY); + $response->assertJsonPath('errors.0.code', 'required'); + $response->assertJsonPath('errors.0.detail', 'The description field is required.'); + } + + /** + * Tests that an API key can be deleted from the account. + */ + public function testApiKeyCanBeDeleted() + { + /** @var \Pterodactyl\Models\User $user */ + $user = factory(User::class)->create(); + /** @var \Pterodactyl\Models\ApiKey $key */ + $key = factory(ApiKey::class)->create([ + 'user_id' => $user->id, + 'key_type' => ApiKey::TYPE_ACCOUNT, + ]); + + $response = $this->actingAs($user)->delete('/api/client/account/api-keys/' . $key->identifier); + $response->assertStatus(Response::HTTP_NO_CONTENT); + + $this->assertDatabaseMissing('api_keys', ['id' => $key->id]); + } + + /** + * Test that trying to delete an API key that does not exist results in a 404. + */ + public function testNonExistentApiKeyDeletionReturns404Error() + { + /** @var \Pterodactyl\Models\User $user */ + $user = factory(User::class)->create(); + /** @var \Pterodactyl\Models\ApiKey $key */ + $key = factory(ApiKey::class)->create([ + 'user_id' => $user->id, + 'key_type' => ApiKey::TYPE_ACCOUNT, + ]); + + $response = $this->actingAs($user)->delete('/api/client/account/api-keys/1234'); + $response->assertNotFound(); + + $this->assertDatabaseHas('api_keys', ['id' => $key->id]); + } + + /** + * Test that an API key that exists on the system cannot be deleted if the user + * who created it is not the authenticated user. + */ + public function testApiKeyBelongingToAnotherUserCannotBeDeleted() + { + /** @var \Pterodactyl\Models\User $user */ + $user = factory(User::class)->create(); + /** @var \Pterodactyl\Models\User $user2 */ + $user2 = factory(User::class)->create(); + /** @var \Pterodactyl\Models\ApiKey $key */ + $key = factory(ApiKey::class)->create([ + 'user_id' => $user2->id, + 'key_type' => ApiKey::TYPE_ACCOUNT, + ]); + + $response = $this->actingAs($user)->delete('/api/client/account/api-keys/' . $key->identifier); + $response->assertNotFound(); + + $this->assertDatabaseHas('api_keys', ['id' => $key->id]); + } + + /** + * Tests that an application API key also belonging to the logged in user cannot be + * deleted through this endpoint if it exists. + */ + public function testApplicationApiKeyCannotBeDeleted() + { + /** @var \Pterodactyl\Models\User $user */ + $user = factory(User::class)->create(); + /** @var \Pterodactyl\Models\ApiKey $key */ + $key = factory(ApiKey::class)->create([ + 'user_id' => $user->id, + 'key_type' => ApiKey::TYPE_APPLICATION, + ]); + + $response = $this->actingAs($user)->delete('/api/client/account/api-keys/' . $key->identifier); + $response->assertNotFound(); + + $this->assertDatabaseHas('api_keys', ['id' => $key->id]); + } +}