DaneEveritt
3f99b00cf7
Fix display exception handling
2022-05-22 18:21:38 -04:00
DaneEveritt
dca53611ff
Ensure we don't cause a mess with the auth providers
2022-05-22 18:16:47 -04:00
DaneEveritt
3ae70efc14
Use existing method to handle the login
2022-05-22 17:26:32 -04:00
DaneEveritt
4d3362b24f
Perform a bit of code cleanup
2022-05-22 17:23:48 -04:00
DaneEveritt
be88e4e893
Ignore migrations, pass credentials
2022-05-22 17:01:39 -04:00
DaneEveritt
56f15c15a1
We can make this middleware significantly simpler
2022-05-22 16:54:07 -04:00
DaneEveritt
0fa33e0438
Mark a request as being stateful if a cookie for the session is provided at all
...
This accounts for poorly configured API clients that try to use cookies for authentication purposes. Treat everything with a session cookie as being a stateful request from the front-end.
2022-05-22 16:50:36 -04:00
DaneEveritt
33bafe9277
Simplify transformer logic
2022-05-22 16:23:22 -04:00
DaneEveritt
f7fc67344e
Ensure tokens are found in the database using the expected logic
2022-05-22 16:05:58 -04:00
DaneEveritt
e9c633fd03
Update transformers and controllers to no longer pull an API key attribute
2022-05-22 15:37:39 -04:00
DaneEveritt
bd37978a98
Initial pass at implementing Laravel Sanctum for authorization on the API
2022-05-22 14:57:06 -04:00
DaneEveritt
e313dff674
Massively simplify API binding logic
...
Changes the API internals to use normal Laravel binding which automatically supports nested-models and can determine their relationships. This removes a lot of confusingly complex internal logic and replaces it with standard Laravel code.
This also removes a deprecated "getModel" method and fully replaces it with a "parameter" method that does stricter type-checking.
2022-05-22 14:10:01 -04:00
DaneEveritt
05f41a2ca8
Don't trim strings on file manager endpoints; ref #4081
2022-05-21 16:58:06 -04:00
DaneEveritt
d4bf6bd46a
Add test coverage and fix permissions mistake
2022-05-15 17:30:57 -04:00
DaneEveritt
a9364061c1
Store keys in standard format; query with fingerprint not public key
2022-05-15 16:41:15 -04:00
DaneEveritt
b563f13d09
Trim the key provided to query correctly; don't increment throttles when keys aren't found
2022-05-15 16:23:17 -04:00
DaneEveritt
3d6a30c9fd
Oops, don't make this abstract
2022-05-15 16:06:00 -04:00
DaneEveritt
412ac5ef39
Have the panel handle all of the authorization for both public key and password based attempts
2022-05-15 16:00:08 -04:00
DaneEveritt
e856daee19
Reject requests for public key auth when the user has no keys
2022-05-15 15:47:06 -04:00
DaneEveritt
12927a3202
Update SFTP authentication endpoint to support returning user public keys
2022-05-15 15:37:58 -04:00
DaneEveritt
cca0010a00
Update egg import/update logic to all use the same pathwaus
2022-05-15 14:40:19 -04:00
DaneEveritt
6554164252
Add test coverage for the SSH key endpoints
2022-05-14 18:08:48 -04:00
DaneEveritt
97280a62a2
Add support for storing SSH keys on user accounts
2022-05-14 17:31:53 -04:00
DaneEveritt
5705d7dbdd
Run php-cs-fixer
2022-05-14 16:03:50 -04:00
DaneEveritt
65f27d41a2
Switch to more recent Laravel route definition methods
2022-05-14 15:51:05 -04:00
DaneEveritt
97a7959096
Support outputting all of the nodes on the instance
2022-05-13 21:49:06 -04:00
DaneEveritt
3f47d7a12c
Allow returning the node configuration from the CLI; closes pterodactyl/panel#4047
2022-05-13 21:30:16 -04:00
DaneEveritt
100d4ee726
Remove more unnecessary translations
2022-05-12 17:53:29 -04:00
DaneEveritt
c8faf64059
Support naming docker images on eggs; closes #4052
...
Bumps PTDL_v1 export images to PTDL_v2, updates the Minecraft specific eggs to use named images.
2022-05-07 17:45:22 -04:00
DaneEveritt
634b80ed42
Add support for filtering allocations to determine if they're assigned or not; closes #3872
2022-05-07 16:16:11 -04:00
DaneEveritt
e88d24e0db
Don't allow allocations to be deleted by users if no limit is defined; closes #3703
2022-05-07 15:05:28 -04:00
DaneEveritt
c751ce7f44
Allow more values for remote field when creating a database; closes #3842
2022-05-07 14:17:10 -04:00
DaneEveritt
b07fdc100c
Don't run schedules when a server is suspended or installing; closes #4008
2022-05-04 20:41:53 -04:00
DaneEveritt
8c63eebf13
Fix fractal errors
2022-05-04 19:35:10 -04:00
DaneEveritt
530558b0f8
Update deprecated JSON response creation and unnecessary middleware
2022-05-04 19:23:01 -04:00
DaneEveritt
4252014d18
Update includes definition to match updated package requirements
2022-05-04 19:11:42 -04:00
DaneEveritt
34ffaebd3e
Run cs-fix, ensure we only install dependency versions supporting 7.4+
2022-05-04 19:01:29 -04:00
Jim C K Flaten
2680fe4c8e
Feature/task order ( #3807 )
2022-03-28 12:31:35 -07:00
FabianS
82818414a3
Ability to create nodes with artisan ( #3319 )
2022-03-28 12:28:16 -07:00
Георгий Пронюк
281256e17c
Grant all necessary permissions to generated SQL users ( #3800 )
...
* grant all necessary permissions to users
* fix CREATE TEMPORARY TABLES
Co-authored-by: A248 <theanandbeh@gmail.com>
Co-authored-by: A248 <theanandbeh@gmail.com>
Co-authored-by: Matthew Penner <me@matthewp.io>
2022-03-28 12:22:37 -07:00
Alex
5120590e47
ref: remove google analytics ( #3912 )
2022-02-05 09:08:43 -08:00
Dane Everitt
0a4ba6a7dc
Force https on URLs when behind proxy; closes #3623
2022-01-23 12:58:44 -05:00
Dane Everitt
dfa329ddf2
[security] ensure session is only for that request when authenticating user API key
...
https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv
2022-01-19 21:09:17 -05:00
Matthew Penner
1eaf411cb4
node: lowercase fqdn in letsencrypt path ( #3890 )
2022-01-17 19:56:57 -07:00
Alex
28f7a809a5
fix: exception localization ( #3850 )
...
resolves #3849
2022-01-15 08:10:37 -08:00
Alex
b8bf537737
cmd(setup): validate email input, closes #3175 ( #3716 )
2021-12-04 10:52:09 -08:00
Dane Everitt
bf9cbe2c6d
Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints
2021-11-16 20:02:18 -08:00
Dane Everitt
17c03e9a4d
Fix broken session management for application api
2021-11-03 21:33:21 -07:00
Dane Everitt
60eff40a0c
Fix session management on client API requests; closes #3727
...
Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for
requests. That pathway found the current request user before continuing on to
other in-app middleware, thus the user was available downstream.
Changes introduced in 1.6.3 changed the throttler logic, therefore removing this
step. As a result, the client API could not always get the currently authenticated
user when cookies were used (aka, requests from the Panel UI, and not API directly).
This change corrects the logic to get the session setup correctly before falling
through to authenticating as a user using the API key. If a cookie is present and a
user is found as a result that session will be used. If an API key is provided it is
ignored when a cookie is also present.
In order to keep the API stateless any session created for an API request stemming
from an API key will have the associated session deleted at the end of the request,
and the 'Set-Cookies' header will be stripped from the response.
2021-11-03 20:51:39 -07:00
Alex
ef4410bac6
expose uptime to client resources API endpoint ( #3705 )
...
resolves #3704
2021-10-24 10:12:17 -07:00