[security] ensure session is only for that request when authenticating user API key

https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv
Dane Everitt 2022-01-19 21:09:17 -05:00
parent 21f74a835c
commit dfa329ddf2
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
2 changed files with 2 additions and 1 deletions


@ -13,6 +13,7 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
* Fixes missing validation of Egg Author email addresses during the setup process that could cause unexpected failures later on. * Fixes missing validation of Egg Author email addresses during the setup process that could cause unexpected failures later on.
* Fixes font rendering issues of the console on Firefox due to an outdated version of xterm.js being used. * Fixes font rendering issues of the console on Firefox due to an outdated version of xterm.js being used.
* Fixes display overlap issues of the two-factor configuration form in a user's settings. * Fixes display overlap issues of the two-factor configuration form in a user's settings.
* **[security]** When authenticating using an API key a user session is now only persisted for the duration of the request before being destroyed.
### Changed ### Changed
* CPU graph changed to show the maximum amount of CPU available to a server to better match how the memory graph is displayed. * CPU graph changed to show the maximum amount of CPU available to a server to better match how the memory graph is displayed.
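Review bot: the new `**[security]**` changelog entry does not reference the advisory this commit is for (GHSA-7v3x-h7r2-34jv, linked in the commit message), so readers of the changelog cannot tie the entry to the advisory text; appending the advisory identifier to the line, e.g. `... before being destroyed. (GHSA-7v3x-h7r2-34jv)`, would make that mapping explicit. It would also help to state the user-visible consequence of the previous behaviour in the entry, namely that a session created from an API key could outlive the request, since "persisted for the duration of the request" only describes the fixed state.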


@ -70,7 +70,7 @@ class AuthenticateKey
} else { } else {
$model = $this->authenticateApiKey($request->bearerToken(), $keyType); $model = $this->authenticateApiKey($request->bearerToken(), $keyType);
$this->auth->guard()->loginUsingId($model->user_id); $this->auth->guard()->onceUsingId($model->user_id);
} }
$request->attributes->set('api_key', $model); $request->attributes->set('api_key', $model);
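Review bot: the change from `loginUsingId` to `onceUsingId` in the bearer-token branch of `AuthenticateKey` is the whole fix, but nothing in the hunk guards against regression; a test that sends a request with a bearer token and asserts that the response carries no session cookie and that no session record is persisted would pin the intended behaviour. Two things to confirm while reviewing: `onceUsingId` is a method of Laravel's session guard rather than of the generic `Guard` contract, so `$this->auth->guard()` must resolve to a stateful guard here or the call will fail at runtime; and only the `else` branch is shown, so the other branch of this conditional should be checked for the same `loginUsingId` pattern before this is considered complete.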