Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints
This commit is contained in:
parent
cc31a0a6d0
commit
bf9cbe2c6d
7 changed files with 59 additions and 14 deletions
|
@ -75,6 +75,7 @@ class Kernel extends HttpKernel
|
||||||
ApiSubstituteBindings::class,
|
ApiSubstituteBindings::class,
|
||||||
'api..key:' . ApiKey::TYPE_APPLICATION,
|
'api..key:' . ApiKey::TYPE_APPLICATION,
|
||||||
AuthenticateApplicationUser::class,
|
AuthenticateApplicationUser::class,
|
||||||
|
VerifyCsrfToken::class,
|
||||||
AuthenticateIPAccess::class,
|
AuthenticateIPAccess::class,
|
||||||
],
|
],
|
||||||
'client-api' => [
|
'client-api' => [
|
||||||
|
@ -85,6 +86,7 @@ class Kernel extends HttpKernel
|
||||||
SubstituteClientApiBindings::class,
|
SubstituteClientApiBindings::class,
|
||||||
'api..key:' . ApiKey::TYPE_ACCOUNT,
|
'api..key:' . ApiKey::TYPE_ACCOUNT,
|
||||||
AuthenticateIPAccess::class,
|
AuthenticateIPAccess::class,
|
||||||
|
VerifyCsrfToken::class,
|
||||||
// This is perhaps a little backwards with the Client API, but logically you'd be unable
|
// This is perhaps a little backwards with the Client API, but logically you'd be unable
|
||||||
// to create/get an API key without first enabling 2FA on the account, so I suppose in the
|
// to create/get an API key without first enabling 2FA on the account, so I suppose in the
|
||||||
// end it makes sense.
|
// end it makes sense.
|
||||||
|
|
|
@ -8,6 +8,7 @@ use Illuminate\Http\Request;
|
||||||
use Pterodactyl\Models\User;
|
use Pterodactyl\Models\User;
|
||||||
use Pterodactyl\Models\ApiKey;
|
use Pterodactyl\Models\ApiKey;
|
||||||
use Illuminate\Auth\AuthManager;
|
use Illuminate\Auth\AuthManager;
|
||||||
|
use Illuminate\Support\Facades\Session;
|
||||||
use Illuminate\Contracts\Encryption\Encrypter;
|
use Illuminate\Contracts\Encryption\Encrypter;
|
||||||
use Symfony\Component\HttpKernel\Exception\HttpException;
|
use Symfony\Component\HttpKernel\Exception\HttpException;
|
||||||
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
|
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
|
||||||
|
@ -55,7 +56,7 @@ class AuthenticateKey
|
||||||
public function handle(Request $request, Closure $next, int $keyType)
|
public function handle(Request $request, Closure $next, int $keyType)
|
||||||
{
|
{
|
||||||
if (is_null($request->bearerToken()) && is_null($request->user())) {
|
if (is_null($request->bearerToken()) && is_null($request->user())) {
|
||||||
throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
|
throw new HttpException(401, 'A bearer token or valid user session cookie must be provided to access this endpoint.', null, ['WWW-Authenticate' => 'Bearer']);
|
||||||
}
|
}
|
||||||
|
|
||||||
// This is a request coming through using cookies, we have an authenticated user
|
// This is a request coming through using cookies, we have an authenticated user
|
||||||
|
|
|
@ -2,18 +2,45 @@
|
||||||
|
|
||||||
namespace Pterodactyl\Http\Middleware;
|
namespace Pterodactyl\Http\Middleware;
|
||||||
|
|
||||||
|
use Closure;
|
||||||
|
use Pterodactyl\Models\ApiKey;
|
||||||
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
|
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
|
||||||
|
|
||||||
class VerifyCsrfToken extends BaseVerifier
|
class VerifyCsrfToken extends BaseVerifier
|
||||||
{
|
{
|
||||||
/**
|
/**
|
||||||
* The URIs that should be excluded from CSRF verification.
|
* The URIs that should be excluded from CSRF verification. These are
|
||||||
|
* never hit by the front-end, and require specific token validation
|
||||||
|
* to work.
|
||||||
*
|
*
|
||||||
* @var array
|
* @var string[]
|
||||||
*/
|
*/
|
||||||
protected $except = [
|
protected $except = ['remote/*', 'daemon/*'];
|
||||||
'remote/*',
|
|
||||||
'daemon/*',
|
/**
|
||||||
'api/*',
|
* Manually apply CSRF protection to routes depending on the authentication
|
||||||
];
|
* mechanism being used. If the API request is using an API key that exists
|
||||||
|
* in the database we can safely ignore CSRF protections, since that would be
|
||||||
|
* a manually initiated request by a user or server.
|
||||||
|
*
|
||||||
|
* All other requests should go through the standard CSRF protections that
|
||||||
|
* Laravel affords us. This code will be removed in v2 since we have switched
|
||||||
|
* to using Sanctum for the API endpoints, which handles that for us automatically.
|
||||||
|
*
|
||||||
|
* @param \Illuminate\Http\Request $request
|
||||||
|
* @param \Closure $next
|
||||||
|
* @return mixed
|
||||||
|
*
|
||||||
|
* @throws \Illuminate\Session\TokenMismatchException
|
||||||
|
*/
|
||||||
|
public function handle($request, Closure $next)
|
||||||
|
{
|
||||||
|
$key = $request->attributes->get('api_key');
|
||||||
|
|
||||||
|
if ($key instanceof ApiKey && $key->exists) {
|
||||||
|
return $next($request);
|
||||||
|
}
|
||||||
|
|
||||||
|
return parent::handle($request, $next);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,10 +7,21 @@ const http: AxiosInstance = axios.create({
|
||||||
'X-Requested-With': 'XMLHttpRequest',
|
'X-Requested-With': 'XMLHttpRequest',
|
||||||
Accept: 'application/json',
|
Accept: 'application/json',
|
||||||
'Content-Type': 'application/json',
|
'Content-Type': 'application/json',
|
||||||
'X-CSRF-Token': (window as any).X_CSRF_TOKEN as string || '',
|
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|
||||||
|
http.interceptors.request.use(req => {
|
||||||
|
const cookies = document.cookie.split(';').reduce((obj, val) => {
|
||||||
|
const [ key, value ] = val.trim().split('=').map(decodeURIComponent);
|
||||||
|
|
||||||
|
return { ...obj, [key]: value };
|
||||||
|
}, {} as Record<string, string>);
|
||||||
|
|
||||||
|
req.headers['X-XSRF-TOKEN'] = cookies['XSRF-TOKEN'] || 'nil';
|
||||||
|
|
||||||
|
return req;
|
||||||
|
});
|
||||||
|
|
||||||
http.interceptors.request.use(req => {
|
http.interceptors.request.use(req => {
|
||||||
if (!req.url?.endsWith('/resources') && (req.url?.indexOf('_debugbar') || -1) < 0) {
|
if (!req.url?.endsWith('/resources') && (req.url?.indexOf('_debugbar') || -1) < 0) {
|
||||||
store.getActions().progress.startContinuous();
|
store.getActions().progress.startContinuous();
|
||||||
|
|
|
@ -70,7 +70,11 @@
|
||||||
@parent
|
@parent
|
||||||
<script>
|
<script>
|
||||||
$('#configTokenBtn').on('click', function (event) {
|
$('#configTokenBtn').on('click', function (event) {
|
||||||
$.getJSON('{{ route('admin.nodes.view.configuration.token', $node->id) }}').done(function (data) {
|
$.ajax({
|
||||||
|
method: 'POST',
|
||||||
|
url: '{{ route('admin.nodes.view.configuration.token', $node->id) }}',
|
||||||
|
headers: { 'X-CSRF-TOKEN': '{{ csrf_token() }}' },
|
||||||
|
}).done(function (data) {
|
||||||
swal({
|
swal({
|
||||||
type: 'success',
|
type: 'success',
|
||||||
title: 'Token created.',
|
title: 'Token created.',
|
||||||
|
|
|
@ -145,9 +145,9 @@
|
||||||
showLoaderOnConfirm: true
|
showLoaderOnConfirm: true
|
||||||
}, function () {
|
}, function () {
|
||||||
$.ajax({
|
$.ajax({
|
||||||
method: 'GET',
|
method: 'POST',
|
||||||
url: '/admin/settings/mail/test',
|
url: '/admin/settings/mail/test',
|
||||||
headers: { 'X-CSRF-Token': $('input[name="_token"]').val() }
|
headers: { 'X-CSRF-TOKEN': $('input[name="_token"]').val() }
|
||||||
}).fail(function (jqXHR) {
|
}).fail(function (jqXHR) {
|
||||||
showErrorDialog(jqXHR, 'test');
|
showErrorDialog(jqXHR, 'test');
|
||||||
}).done(function () {
|
}).done(function () {
|
||||||
|
|
|
@ -66,8 +66,8 @@ Route::group(['prefix' => 'databases'], function () {
|
||||||
Route::group(['prefix' => 'settings'], function () {
|
Route::group(['prefix' => 'settings'], function () {
|
||||||
Route::get('/', 'Settings\IndexController@index')->name('admin.settings');
|
Route::get('/', 'Settings\IndexController@index')->name('admin.settings');
|
||||||
Route::get('/mail', 'Settings\MailController@index')->name('admin.settings.mail');
|
Route::get('/mail', 'Settings\MailController@index')->name('admin.settings.mail');
|
||||||
Route::get('/mail/test', 'Settings\MailController@test')->name('admin.settings.mail.test');
|
|
||||||
Route::get('/advanced', 'Settings\AdvancedController@index')->name('admin.settings.advanced');
|
Route::get('/advanced', 'Settings\AdvancedController@index')->name('admin.settings.advanced');
|
||||||
|
Route::post('/mail/test', 'Settings\MailController@test')->name('admin.settings.mail.test');
|
||||||
|
|
||||||
Route::patch('/', 'Settings\IndexController@update');
|
Route::patch('/', 'Settings\IndexController@update');
|
||||||
Route::patch('/mail', 'Settings\MailController@update');
|
Route::patch('/mail', 'Settings\MailController@update');
|
||||||
|
@ -153,12 +153,12 @@ Route::group(['prefix' => 'nodes'], function () {
|
||||||
Route::get('/view/{node}/allocation', 'Nodes\NodeViewController@allocations')->name('admin.nodes.view.allocation');
|
Route::get('/view/{node}/allocation', 'Nodes\NodeViewController@allocations')->name('admin.nodes.view.allocation');
|
||||||
Route::get('/view/{node}/servers', 'Nodes\NodeViewController@servers')->name('admin.nodes.view.servers');
|
Route::get('/view/{node}/servers', 'Nodes\NodeViewController@servers')->name('admin.nodes.view.servers');
|
||||||
Route::get('/view/{node}/system-information', 'Nodes\SystemInformationController');
|
Route::get('/view/{node}/system-information', 'Nodes\SystemInformationController');
|
||||||
Route::get('/view/{node}/settings/token', 'NodeAutoDeployController')->name('admin.nodes.view.configuration.token');
|
|
||||||
|
|
||||||
Route::post('/new', 'NodesController@store');
|
Route::post('/new', 'NodesController@store');
|
||||||
Route::post('/view/{node}/allocation', 'NodesController@createAllocation');
|
Route::post('/view/{node}/allocation', 'NodesController@createAllocation');
|
||||||
Route::post('/view/{node}/allocation/remove', 'NodesController@allocationRemoveBlock')->name('admin.nodes.view.allocation.removeBlock');
|
Route::post('/view/{node}/allocation/remove', 'NodesController@allocationRemoveBlock')->name('admin.nodes.view.allocation.removeBlock');
|
||||||
Route::post('/view/{node}/allocation/alias', 'NodesController@allocationSetAlias')->name('admin.nodes.view.allocation.setAlias');
|
Route::post('/view/{node}/allocation/alias', 'NodesController@allocationSetAlias')->name('admin.nodes.view.allocation.setAlias');
|
||||||
|
Route::post('/view/{node}/settings/token', 'NodeAutoDeployController')->name('admin.nodes.view.configuration.token');
|
||||||
|
|
||||||
Route::patch('/view/{node}/settings', 'NodesController@updateSettings');
|
Route::patch('/view/{node}/settings', 'NodesController@updateSettings');
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue