Ensure we don't cause a mess with the auth providers

This commit is contained in:
DaneEveritt 2022-05-22 18:16:47 -04:00
parent 3ae70efc14
commit dca53611ff
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
6 changed files with 233 additions and 15 deletions


@ -2,6 +2,7 @@
namespace Pterodactyl\Http;
use Fruitcake\Cors\HandleCors;
use Illuminate\Auth\Middleware\Authorize;
use Illuminate\Auth\Middleware\Authenticate;
use Illuminate\Http\Middleware\TrustProxies;
@ -26,9 +27,9 @@ use Illuminate\Foundation\Http\Middleware\ValidatePostSize;
use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
use Pterodactyl\Http\Middleware\Api\Daemon\DaemonAuthenticate;
use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode;
use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull;
use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientBindings;
use Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance;
use Pterodactyl\Http\Middleware\Api\Application\AuthenticateApplicationUser;
class Kernel extends HttpKernel
@ -39,12 +40,12 @@ class Kernel extends HttpKernel
* @var array
*/
protected $middleware = [
CheckForMaintenanceMode::class,
EncryptCookies::class,
TrustProxies::class,
HandleCors::class,
PreventRequestsDuringMaintenance::class,
ValidatePostSize::class,
TrimStrings::class,
ConvertEmptyStringsToNull::class,
TrustProxies::class,
];
/**
@ -54,14 +55,13 @@ class Kernel extends HttpKernel
*/
protected $middlewareGroups = [
'web' => [
EncryptCookies::class,
AddQueuedCookiesToResponse::class,
StartSession::class,
AuthenticateSession::class,
ShareErrorsFromSession::class,
VerifyCsrfToken::class,
SubstituteBindings::class,
LanguageMiddleware::class,
RequireTwoFactorAuthentication::class,
],
'api' => [
EnsureStatefulRequests::class,
@ -91,6 +91,7 @@ class Kernel extends HttpKernel
protected $routeMiddleware = [
'auth' => Authenticate::class,
'auth.basic' => AuthenticateWithBasicAuth::class,
'auth.session' => AuthenticateSession::class,
'guest' => RedirectIfAuthenticated::class,
'csrf' => VerifyCsrfToken::class,
'throttle' => ThrottleRequests::class,
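Review bot: `RequireTwoFactorAuthentication` leaves the `web` group in this section, so 2FA enforcement now depends on each route group opting back in rather than on the group every session-backed route already passes through; a `web` route registered outside the groups that re-add it would silently skip the check. The middleware also does not appear in the visible part of `$routeMiddleware`, so route groups must reference it by class name, which is easy to forget. Consider an alias next to `auth.session`, `'2fa' => RequireTwoFactorAuthentication::class,`, and a comment on the `web` group recording that 2FA is deliberately applied per route group rather than globally. Separately, `AuthenticateSession` is both a member of the `web` group and exposed as `auth.session`, so a route that applies both runs it twice; harmless, but worth a one-line comment if intentional.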


@ -9,6 +9,7 @@ use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;
use Pterodactyl\Http\Middleware\TrimStrings;
use Pterodactyl\Http\Middleware\AdminAuthenticate;
use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
class RouteServiceProvider extends ServiceProvider
@ -35,12 +36,17 @@ class RouteServiceProvider extends ServiceProvider
$this->routes(function () {
Route::middleware('web')->group(function () {
Route::middleware('auth')->group(base_path('routes/base.php'));
Route::middleware(['auth.session', RequireTwoFactorAuthentication::class])
->group(base_path('routes/base.php'));
Route::middleware(['auth.session', RequireTwoFactorAuthentication::class, AdminAuthenticate::class])
->prefix('/admin')
->group(base_path('routes/admin.php'));
Route::middleware('guest')->prefix('/auth')->group(base_path('routes/auth.php'));
Route::middleware(['auth', AdminAuthenticate::class])->prefix('/admin')->group(base_path('routes/admin.php'));
});
Route::middleware('api')->group(function () {
Route::middleware(['api', RequireTwoFactorAuthentication::class])->group(function () {
Route::middleware(['application-api', 'throttle:api.application'])
->prefix('/api/application')
->scopeBindings()
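Review bot: Replacing `auth` with `auth.session` on the base and admin groups changes what the middleware guarantees: if `auth.session` resolves to Laravel's stock `Illuminate\Session\Middleware\AuthenticateSession` (the import is not in this hunk), it only re-validates an already-authenticated session against the user's password hash and passes requests with no user straight through, whereas `Authenticate` rejected them. Unauthenticated requests to routes/base.php and routes/admin.php would then reach whatever comes next unless `RequireTwoFactorAuthentication` or `AdminAuthenticate` treats a missing user as a failure, which cannot be confirmed from here. Keeping both is the conservative form, `Route::middleware(['auth', 'auth.session', RequireTwoFactorAuthentication::class])`, with the same addition on the admin group. The `$this->routes(function () {` closure continues past the end of the hunk.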


@ -19,6 +19,7 @@
"ext-zip": "*",
"aws/aws-sdk-php": "^3.171",
"doctrine/dbal": "~2.13.9",
"fruitcake/laravel-cors": "~3.0.0",
"guzzlehttp/guzzle": "~7.4.2",
"hashids/hashids": "~4.1.0",
"laracasts/utilities": "~3.2.1",

composer.lock generated

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "0368e946c40456bcd1fb007bfc3e7bf0",
"content-hash": "3bd4e0acecbf871892a813141facfaea",
"packages": [
{
"name": "aws/aws-crt-php",
@ -923,6 +923,156 @@
],
"time": "2020-12-29T14:50:06+00:00"
},
{
"name": "fruitcake/laravel-cors",
"version": "v3.0.0",
"source": {
"type": "git",
"url": "https://github.com/fruitcake/laravel-cors.git",
"reference": "7c036ec08972d8d5d9db637e772af6887828faf5"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/fruitcake/laravel-cors/zipball/7c036ec08972d8d5d9db637e772af6887828faf5",
"reference": "7c036ec08972d8d5d9db637e772af6887828faf5",
"shasum": ""
},
"require": {
"fruitcake/php-cors": "^1.2",
"illuminate/contracts": "^6|^7|^8|^9",
"illuminate/support": "^6|^7|^8|^9",
"php": "^7.4|^8.0"
},
"require-dev": {
"laravel/framework": "^6|^7.24|^8",
"orchestra/testbench-dusk": "^4|^5|^6|^7",
"phpunit/phpunit": "^9",
"squizlabs/php_codesniffer": "^3.5"
},
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "3.0-dev"
},
"laravel": {
"providers": [
"Fruitcake\\Cors\\CorsServiceProvider"
]
}
},
"autoload": {
"psr-4": {
"Fruitcake\\Cors\\": "src/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Fruitcake",
"homepage": "https://fruitcake.nl"
},
{
"name": "Barry vd. Heuvel",
"email": "barryvdh@gmail.com"
}
],
"description": "Adds CORS (Cross-Origin Resource Sharing) headers support in your Laravel application",
"keywords": [
"api",
"cors",
"crossdomain",
"laravel"
],
"support": {
"issues": "https://github.com/fruitcake/laravel-cors/issues",
"source": "https://github.com/fruitcake/laravel-cors/tree/v3.0.0"
},
"funding": [
{
"url": "https://fruitcake.nl",
"type": "custom"
},
{
"url": "https://github.com/barryvdh",
"type": "github"
}
],
"time": "2022-02-23T14:53:22+00:00"
},
{
"name": "fruitcake/php-cors",
"version": "v1.2.0",
"source": {
"type": "git",
"url": "https://github.com/fruitcake/php-cors.git",
"reference": "58571acbaa5f9f462c9c77e911700ac66f446d4e"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/fruitcake/php-cors/zipball/58571acbaa5f9f462c9c77e911700ac66f446d4e",
"reference": "58571acbaa5f9f462c9c77e911700ac66f446d4e",
"shasum": ""
},
"require": {
"php": "^7.4|^8.0",
"symfony/http-foundation": "^4.4|^5.4|^6"
},
"require-dev": {
"phpstan/phpstan": "^1.4",
"phpunit/phpunit": "^9",
"squizlabs/php_codesniffer": "^3.5"
},
"type": "library",
"extra": {
"branch-alias": {
"dev-main": "1.1-dev"
}
},
"autoload": {
"psr-4": {
"Fruitcake\\Cors\\": "src/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Fruitcake",
"homepage": "https://fruitcake.nl"
},
{
"name": "Barryvdh",
"email": "barryvdh@gmail.com"
}
],
"description": "Cross-origin resource sharing library for the Symfony HttpFoundation",
"homepage": "https://github.com/fruitcake/php-cors",
"keywords": [
"cors",
"laravel",
"symfony"
],
"support": {
"issues": "https://github.com/fruitcake/php-cors/issues",
"source": "https://github.com/fruitcake/php-cors/tree/v1.2.0"
},
"funding": [
{
"url": "https://fruitcake.nl",
"type": "custom"
},
{
"url": "https://github.com/barryvdh",
"type": "github"
}
],
"time": "2022-02-20T15:07:15+00:00"
},
{
"name": "graham-campbell/result-type",
"version": "v1.0.4",

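--- /dev/null
+++ b/config/cors.php
@@ -0,0 +1,59 @@
+<?php
+return [
+/*
+|--------------------------------------------------------------------------
+| Laravel CORS Options
+|--------------------------------------------------------------------------
+|
+| The allowed_methods and allowed_headers options are case-insensitive.
+|
+| You don't need to provide both allowed_origins and allowed_origins_patterns.
+| If one of the strings passed matches, it is considered a valid origin.
+|
+| If ['*'] is provided to allowed_methods, allowed_origins or allowed_headers
+| all methods / origins / headers are allowed.
+|
+*/
+/*
+* You can enable CORS for 1 or multiple paths.
+* Example: ['api/*']
+*/
+'paths' => ['/api/client', '/api/application', '/api/client/*', '/api/application/*'],
+/*
+* Matches the request method. `['*']` allows all methods.
+*/
+'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD'],
+/*
+* Matches the request origin. `['*']` allows all origins. Wildcards can be used, eg `*.mydomain.com`
+*/
+'allowed_origins' => explode(',', env('APP_CORS_ALLOWED_ORIGINS') ?? ''),
+/*
+* Patterns that can be used with `preg_match` to match the origin.
+*/
+'allowed_origins_patterns' => [],
+/*
+* Sets the Access-Control-Allow-Headers response header. `['*']` allows all headers.
+*/
+'allowed_headers' => ['*'],
+/*
+* Sets the Access-Control-Expose-Headers response header with these headers.
+*/
+'exposed_headers' => [],
+/*
+* Sets the Access-Control-Max-Age response header when > 0.
+*/
+'max_age' => 0,
+/*
+* Sets the Access-Control-Allow-Credentials header.
+*/
+'supports_credentials' => true,
+];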
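Review bot: `allowed_origins` is fed straight from `explode(',', ...)`, so an unset or blank `APP_CORS_ALLOWED_ORIGINS` yields `['']` rather than an empty list, and a value like `https://a.example, https://b.example` yields `' https://b.example'`, which never matches an Origin header; the operator gets a silently broken allow-list either way. A normalised form is `'allowed_origins' => array_filter(array_map('trim', explode(',', env('APP_CORS_ALLOWED_ORIGINS', '')))),`. The bigger risk is the combination with `'supports_credentials' => true`: the comment above `allowed_origins` advertises `['*']`, and CORS libraries that support credentials generally reflect the requesting origin instead of emitting a literal `*` in that case (this one presumably does; confirm against fruitcake/php-cors), which would let any site make cookie-authenticated calls to `/api/client`. Worth a comment on `allowed_origins` such as `// Never set this to '*' - supports_credentials is on, so a wildcard would reflect any Origin with the session cookie attached.`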


@ -14,11 +14,12 @@ export interface LoginData {
export default ({ username, password, recaptchaData }: LoginData): Promise<LoginResponse> => {
return new Promise((resolve, reject) => {
http.post('/auth/login', {
http.get('/sanctum/csrf-cookie')
.then(() => http.post('/auth/login', {
user: username,
password,
'g-recaptcha-response': recaptchaData,
})
}))
.then(response => {
if (!(response.data instanceof Object)) {
return reject(new Error('An error occurred while processing the login request.'));