From dfa329ddf242908b60e22e3340ea36359eab1ef4 Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Wed, 19 Jan 2022 21:09:17 -0500
Subject: [PATCH] [security] ensure session is only for that request when authenticating user API key

https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv
---
 CHANGELOG.md | 1 +
 app/Http/Middleware/Api/AuthenticateKey.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index eabeb8061..78a403449 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 * Fixes missing validation of Egg Author email addresses during the setup process that could cause unexpected failures later on.
 * Fixes font rendering issues of the console on Firefox due to an outdated version of xterm.js being used.
 * Fixes display overlap issues of the two-factor configuration form in a user's settings.
+* **[security]** When authenticating using an API key a user session is now only persisted for the duration of the request before being destroyed.
 
 ### Changed
 * CPU graph changed to show the maximum amount of CPU available to a server to better match how the memory graph is displayed.
diff --git a/app/Http/Middleware/Api/AuthenticateKey.php b/app/Http/Middleware/Api/AuthenticateKey.php
index eb25dac6f..857bfab29 100644
--- a/app/Http/Middleware/Api/AuthenticateKey.php
+++ b/app/Http/Middleware/Api/AuthenticateKey.php
@@ -70,7 +70,7 @@ class AuthenticateKey
         } else {
             $model = $this->authenticateApiKey($request->bearerToken(), $keyType);
 
-            $this->auth->guard()->loginUsingId($model->user_id);
+            $this->auth->guard()->onceUsingId($model->user_id);
         }
 
         $request->attributes->set('api_key', $model);
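Review bot: The new `onceUsingId` call carries no comment explaining why a request-scoped login is required here, so a future maintainer could plausibly revert it to `loginUsingId` without realising that re-introduces a persisted session created from a bearer token; add a why-comment above it such as `// Request-scoped login only: a bearer-token request must never create or persist a session (GHSA-7v3x-h7r2-34jv).`. The patch also ships no regression test; a test that authenticates with an API key and asserts that no session is persisted (no session cookie in the response, or the session store untouched) would pin the fix. Only the `else` branch is changed in this hunk; whether the preceding `if` branch performs any login of its own is outside the visible lines and should be checked. The enclosing method starts and ends outside the hunk.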