Commit graph

2005 commits

Author SHA1 Message Date
Dane Everitt
afd0a8f768
Update phpstan 2022-02-13 19:04:11 -05:00
Dane Everitt
e683c0a518
Fix failing tests related to these changes 2022-02-13 18:32:02 -05:00
Dane Everitt
341ff6e178
Cleanup test framework; drop all the unused browser tests 2022-02-13 17:59:53 -05:00
Dane Everitt
fac4902ccc
Don't trigger an internal error if hitting 2fa endpoint and it isn't enabled 2022-02-13 17:33:12 -05:00
Dane Everitt
9032699deb
Use SWR for security key index 2022-02-13 15:44:19 -05:00
Dane Everitt
b43e8835bb
Don't store a new key on every login 2022-02-13 15:06:08 -05:00
Dane Everitt
2d2352017d
Fix login authentication using security key 2022-02-13 14:57:45 -05:00
Dane Everitt
09497c234a
Support authenticating the provided key when loggin in 2022-02-13 14:44:50 -05:00
Dane Everitt
54c7207836
Fix authentication request creation 2022-02-13 14:23:20 -05:00
Dane Everitt
969d40d6c1
Logic cleanup after a bit of dust collection 2022-02-13 14:15:18 -05:00
Dane Everitt
8971e78ab5
Merge branch 'v2' into dane/webauthn 2022-02-13 13:46:15 -05:00
Dane Everitt
cd84663ffe
Fix missing import from merge 2022-02-13 13:17:33 -05:00
Dane Everitt
ca6f501c70
Merge branch 'develop' into v2 2022-02-13 12:55:02 -05:00
Alex
5120590e47
ref: remove google analytics (#3912) 2022-02-05 09:08:43 -08:00
Dane Everitt
0a4ba6a7dc
Force https on URLs when behind proxy; closes #3623 2022-01-23 12:58:44 -05:00
Dane Everitt
dfa329ddf2
[security] ensure session is only for that request when authenticating user API key
https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv
2022-01-19 21:09:17 -05:00
Matthew Penner
1eaf411cb4
node: lowercase fqdn in letsencrypt path (#3890) 2022-01-17 19:56:57 -07:00
Alex
28f7a809a5
fix: exception localization (#3850)
resolves #3849
2022-01-15 08:10:37 -08:00
Matthew Penner
d1c9af8f04
Merge branch 'develop' into v2 2022-01-08 15:20:23 -07:00
Alex
b8bf537737
cmd(setup): validate email input, closes #3175 (#3716) 2021-12-04 10:52:09 -08:00
Dane Everitt
bf9cbe2c6d
Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints 2021-11-16 20:02:18 -08:00
Matthew Penner
ce0bc477c2
ui(admin): fix egg variables 2021-11-04 14:33:24 -06:00
Matthew Penner
5359ef8407
api(app): allow removing a server's startup command 2021-11-04 11:47:08 -06:00
Matthew Penner
34d20b2bf0
api: remove old debug logs 2021-11-04 11:37:33 -06:00
Dane Everitt
17c03e9a4d
Fix broken session management for application api 2021-11-03 21:33:21 -07:00
Dane Everitt
60eff40a0c
Fix session management on client API requests; closes #3727
Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for
requests. That pathway found the current request user before continuing on to
other in-app middleware, thus the user was available downstream.

Changes introduced in 1.6.3 changed the throttler logic, therefore removing this
step. As a result, the client API could not always get the currently authenticated
user when cookies were used (aka, requests from the Panel UI, and not API directly).

This change corrects the logic to get the session setup correctly before falling
through to authenticating as a user using the API key. If a cookie is present and a
user is found as a result that session will be used. If an API key is provided it is
ignored when a cookie is also present.

In order to keep the API stateless any session created for an API request stemming
from an API key will have the associated session deleted at the end of the request,
and the 'Set-Cookies' header will be stripped from the response.
2021-11-03 20:51:39 -07:00
Matthew Penner
728adfe388
server(startup): make startup nullable; resolves #3721 2021-11-03 15:32:53 -06:00
Dane Everitt
cdd8eabcc0
Add phpstan for static analysis (#3718) 2021-10-30 13:41:38 -07:00
Matthew Penner
871d0bdd1c
ui(admin): add egg exporting 2021-10-30 14:23:29 -06:00
Matthew Penner
70cf5c17aa
ui(admin): basic server creation 2021-10-29 00:04:28 -06:00
Matthew Penner
c48d573cc9
Merge branch 'develop' into v2 2021-10-28 22:59:12 -06:00
Matthew Penner
5e99bb8dd6
ui(admin): fix server startup variables 2021-10-24 16:05:00 -06:00
Alex
ef4410bac6
expose uptime to client resources API endpoint (#3705)
resolves #3704
2021-10-24 10:12:17 -07:00
Matthew Penner
0e870ab256
fix integration tests 2021-10-23 14:17:05 -06:00
Matthew Penner
2948e344d2
fix integration tests 2021-10-23 13:34:41 -06:00
Matthew Penner
b966069946
Merge branch 'develop' into v2 2021-10-23 13:26:25 -06:00
Dane Everitt
22a8b2b3a2
Use more standardized rate limiting in Laravel; apply limits to auth routes 2021-10-23 12:17:16 -07:00
Matthew Penner
cddf2ce41c
ui(admin): new egg page 2021-10-23 13:13:25 -06:00
Alex
f77932a617
cmd(upgrade): Attempt to gain users attention during upgrade (#3678)
* cmd(upgrade):  Attempt to gain users attention during upgrade

Changes color of the user and group to gain attention, common issue is having wrong user/group which breaks the panel. Outputs termination message when users spam enter skipping the upgrade wondering why it didn't upgrade.

Reminder to update wings, because users forget it.

* cmd(upgrade): Display wings upgrade documentation link
2021-10-10 11:08:22 -07:00
Matthew Penner
4fa38b8e9c
Fix wings receiving wrong suspended status on sync (#3667)
Due to wings pulling the server configuration rather than the Panel pushing it,
wings gets the wrong status for a server if both the status update and sync request
are ran in a transaction due to the status not being persisted in the database.

Fixes #3639
2021-10-07 08:46:09 -07:00
Matthew Penner
9ab8f946ec
this should fix tests!
Pro-tip: disable function calls that don't work instead of trying
to figure out why they don't work :)
2021-10-06 15:02:30 -06:00
Matthew Penner
d945ce76f2
hopefully fix integration tests 2021-10-06 14:45:44 -06:00
Matthew Penner
6df90a12d8
ui(admin): add delete egg variable button 2021-10-03 16:07:13 -06:00
Matthew Penner
1eed25dcc7
ui(admin): finish egg variable editing 2021-10-03 16:07:13 -06:00
Matthew Penner
e2de673488
Merge branch 'develop' into v2 2021-09-30 16:08:11 -06:00
Dane Everitt
4a84c36009
Fix security vulnerability when authenticating a two-factor authentication token for a user
See associated security advisory for technical details on the content of this security fix.

GHSA ID: GHSA-5vfx-8w6m-h3v4
2021-09-21 21:30:08 -07:00
Dane Everitt
5a4d1a668f
UI tweaking and transformer for the stored keys 2021-09-19 11:24:38 -07:00
Dane Everitt
81a6a8653f
Fix up creation of keys to fail when registering the same key again 2021-09-19 11:24:33 -07:00
Dane Everitt
1053b5d605
Get basic storage of webauthn tokens working 2021-09-19 11:24:33 -07:00
Dane Everitt
eaf12aec60
Clean out existing webauthn logic, implement base logic for base package 2021-09-19 11:24:31 -07:00