Commit graph

416 commits

Author SHA1 Message Date
DaneEveritt
a6df0afefd
Update CHANGELOG.md 2022-05-07 18:30:12 -04:00
Dane Everitt
dfa329ddf2
[security] ensure session is only for that request when authenticating user API key
https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv
2022-01-19 21:09:17 -05:00
Dane Everitt
ee870d45e8
Update CHANGELOG.md 2022-01-19 19:55:33 -05:00
Dane Everitt
30bb629bad
Update CHANGELOG.md 2021-11-16 20:36:53 -08:00
Dane Everitt
17c03e9a4d
Fix broken session management for application api 2021-11-03 21:33:21 -07:00
Dane Everitt
60eff40a0c
Fix session management on client API requests; closes #3727
Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for
requests. That pathway found the current request user before continuing on to
other in-app middleware, thus the user was available downstream.

Changes introduced in 1.6.3 changed the throttler logic, therefore removing this
step. As a result, the client API could not always get the currently authenticated
user when cookies were used (aka, requests from the Panel UI, and not API directly).

This change corrects the logic to get the session setup correctly before falling
through to authenticating as a user using the API key. If a cookie is present and a
user is found as a result, that session will be used. If an API key is provided it is
ignored when a cookie is also present.

In order to keep the API stateless any session created for an API request stemming
from an API key will have the associated session deleted at the end of the request,
and the 'Set-Cookies' header will be stripped from the response.
2021-11-03 20:51:39 -07:00
Dane Everitt
d65e2978d0
Update CHANGELOG.md 2021-10-23 13:02:25 -07:00
Dane Everitt
c57eb2c9e6
Update CHANGELOG.md 2021-09-21 21:36:29 -07:00
Dane Everitt
5fdb0a5909
Correctly expose OOM disable state for a server 2021-09-13 21:02:12 -07:00
Dane Everitt
f5a1ce13b8
Update CHANGELOG.md 2021-09-13 20:47:30 -07:00
Dane Everitt
dbb061d6f3
Update CHANGELOG.md 2021-09-12 11:26:37 -07:00
Dane Everitt
869bc22103
Update CHANGELOG.md 2021-08-29 13:42:49 -07:00
Matthew Penner
7e91a33a67
Update CHANGELOG.md (#3524) 2021-08-03 20:51:18 -07:00
Dane Everitt
b19a1640f0
Update CHANGELOG.md 2021-08-02 20:48:16 -07:00
Dane Everitt
aa3ea8b24b
Update CHANGELOG.md 2021-06-05 09:02:21 -07:00
Dane Everitt
8ab3ad3f1a
Update CHANGELOG.md 2021-05-01 11:54:23 -07:00
Dane Everitt
d0c7e2c0e6
Update CHANGELOG.md 2021-04-24 16:45:54 -07:00
Dane Everitt
b5f5185a9b
Update CHANGELOG.md 2021-03-26 09:18:54 -07:00
Dane Everitt
9d500f1c49
Update CHANGELOG.md 2021-03-07 17:38:42 -08:00
Dane Everitt
ca6068fa6d
Update CHANGELOG.md 2021-03-06 10:49:08 -08:00
Dane Everitt
4192bcab4b
Update CHANGELOG.md 2021-03-03 21:17:20 -08:00
Dane Everitt
3053a896f4
Update CHANGELOG.md 2021-01-19 21:45:32 -08:00
Dane Everitt
ef3f8586c5
Update CHANGELOG.md 2021-01-06 21:45:06 -08:00
Dane Everitt
5f284dad1d
Update CHANGELOG.md 2020-12-30 18:13:28 -08:00
Dane Everitt
1fcffc7eb9
Update CHANGELOG.md 2020-12-06 15:44:26 -08:00
Stepan Fedotov
e32c4d4f05
Document fix 2020-12-04 19:58:09 +02:00
Dane Everitt
16f49f8dc1
Close cleanup; only try to run power actions against non-suspended & installed servers; closes #2760 2020-11-29 12:50:22 -08:00
Dane Everitt
aaaa05be93
Fix docker build 2020-11-14 20:46:37 -08:00
Dane Everitt
6795bae335
Fix server state not being updated correctly when adding/removing allocation; closes #2680 2020-11-08 17:12:07 -08:00
Dane Everitt
74e90e087f
Fix allocation permission 2020-11-08 17:07:26 -08:00
Dane Everitt
2d19c12a5a
Update CHANGELOG.md 2020-11-08 15:29:23 -08:00
Dane Everitt
ad4df56f7c
Update CHANGELOG.md 2020-10-25 18:12:22 -07:00
Dane Everitt
fd3b11e9cc
Update CHANGELOG.md 2020-10-22 21:27:15 -07:00
Dane Everitt
110b2568d5
Update changelog 2020-10-12 21:12:31 -07:00
Dane Everitt
d4db80b5c9
Update CHANGELOG.md 2020-10-11 16:19:56 -07:00
Stepan Fedotov
62856556b9
Apply security fixes from #2441 to 1.0 2020-10-03 11:34:36 -07:00
Dane Everitt
b3fb658511
Merge branch '0.7-develop' into develop 2020-03-15 17:30:28 -07:00
Dane Everitt
468d426ebd
Limit to 5 API keys at a time.
Ref advisory #GHSA-pjmh-7xfm-r4x9
2020-03-15 17:05:53 -07:00
Dane Everitt
41cbdb8d59
Don't require an IP address for hostnames; closes #1728 2020-03-15 16:29:05 -07:00
Dane Everitt
05d859c985
Ensure password used when creating a database is valid; closes #1852 2020-03-15 16:25:29 -07:00
Dane Everitt
51defae917
Merge branch 'master' into develop 2019-12-28 11:49:08 -08:00
Dane Everitt
66ead2f682
Update subuser API output to work correctly 2019-12-28 11:39:44 -08:00
Dane Everitt
34bf452bef
Update CHANGELOG.md 2019-12-28 11:23:07 -08:00
TrixterTheTux
ab09c7db28
Fix couple of issues with /api/application/servers 2019-08-31 11:29:44 +03:00
TrixterTheTux
20c594ae3b
Include the egg name in egg model's response from the application API 2019-08-24 15:47:11 +03:00
Dane Everitt
81143e231a
Merge branch 'master' into develop 2019-08-04 13:49:26 -07:00
Dane Everitt
d430acf768
LOCK TABLES not LOCK 2019-08-03 14:57:01 -07:00
Dane Everitt
e200277655
Add LOCK permission 2019-08-03 14:52:35 -07:00
Dane Everitt
eb81e1ed20
Support special characters in database password, closes #1508 2019-08-03 14:42:32 -07:00
Dane Everitt
e7e41d8ee8
Fix bulk power when spanning multiple nodes, closes #1526 2019-08-03 14:04:31 -07:00