Dane Everitt
dfa329ddf2
[security] ensure session is only for that request when authenticating user API key
...
https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv
2022-01-19 21:09:17 -05:00
Matthew Penner
1eaf411cb4
node: lowercase fqdn in letsencrypt path ( #3890 )
2022-01-17 19:56:57 -07:00
Alex
28f7a809a5
fix: exception localization ( #3850 )
...
resolves #3849
2022-01-15 08:10:37 -08:00
Alex
b8bf537737
cmd(setup): validate email input, closes #3175 ( #3716 )
2021-12-04 10:52:09 -08:00
Dane Everitt
bf9cbe2c6d
Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints
2021-11-16 20:02:18 -08:00
Dane Everitt
17c03e9a4d
Fix broken session management for application api
2021-11-03 21:33:21 -07:00
Dane Everitt
60eff40a0c
Fix session management on client API requests; closes #3727
...
Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for
requests. That pathway found the current request user before continuing on to
other in-app middleware, thus the user was available downstream.
Changes introduced in 1.6.3 changed the throttler logic, therefore removing this
step. As a result, the client API could not always get the currently authenticated
user when cookies were used (aka, requests from the Panel UI, and not API directly).
This change corrects the logic to get the session setup correctly before falling
through to authenticating as a user using the API key. If a cookie is present and a
user is found as a result that session will be used. If an API key is provided it is
ignored when a cookie is also present.
In order to keep the API stateless any session created for an API request stemming
from an API key will have the associated session deleted at the end of the request,
and the 'Set-Cookies' header will be stripped from the response.
2021-11-03 20:51:39 -07:00
Alex
ef4410bac6
expose uptime to client resources API endpoint ( #3705 )
...
resolves #3704
2021-10-24 10:12:17 -07:00
Dane Everitt
22a8b2b3a2
Use more standardized rate limiting in Laravel; apply limits to auth routes
2021-10-23 12:17:16 -07:00
Alex
f77932a617
cmd(upgrade): Attempt to gain users attention during upgrade ( #3678 )
...
* cmd(upgrade): Attempt to gain users attention during upgrade
Changes color of the user and group to gain attention, common issue is having wrong user/group which breaks the panel. Outputs termination message when users spam enter skipping the upgrade wondering why it didn't upgrade.
Reminder to update wings, because users forget it.
* cmd(upgrade): Display wings upgrade documentation link
2021-10-10 11:08:22 -07:00
Matthew Penner
4fa38b8e9c
Fix wings receiving wrong suspended status on sync ( #3667 )
...
Due to wings pulling the server configuration rather than the Panel pushing it,
wings gets the wrong status for a server if both the status update and sync request
are ran in a transaction due to the status not being persisted in the database.
Fixes #3639
2021-10-07 08:46:09 -07:00
Dane Everitt
4a84c36009
Fix security vulnerability when authenticating a two-factor authentication token for a user
...
See associated security advisory for technical details on the content of this security fix.
GHSA ID: GHSA-5vfx-8w6m-h3v4
2021-09-21 21:30:08 -07:00
Dane Everitt
5fdb0a5909
Correctly expose OOM disable state for a server
2021-09-13 21:02:12 -07:00
Matthew Penner
bc25468802
server: fix build modification not being persisted ( #3610 )
2021-09-12 23:18:17 -06:00
Dane Everitt
7b429831ce
Fix missing user agent headers to store an empty string rather than null value
2021-09-11 13:00:53 -07:00
Dane Everitt
e96ead4c4d
Update API calls to Wings to only pass the required details with the changes to the installer system
2021-08-29 14:09:43 -07:00
Dane Everitt
2d47f986ee
Replace calls to server patch with a manual sync method
2021-08-29 13:32:55 -07:00
Dane Everitt
d8d1eacb42
Don't require Wings API call to pass in order to update server details
2021-08-29 13:19:24 -07:00
Matthew Penner
b4cae916ac
transfers: fix allocation array merging logic ( #3551 )
2021-08-18 12:58:41 -06:00
Dane Everitt
2b3303c46b
Fix changing a user password to not incorrectly handle logging out old sessions; closes #3531
2021-08-15 17:37:12 -07:00
Dane Everitt
25d9ba4779
Run php-cs-fixer
2021-08-15 17:20:36 -07:00
Matthew Penner
10b357b71e
ui(server): fix used backup count ( #3526 )
...
* ui(server): fix used backup count
* ui(server): refactor backup count code
2021-08-04 20:34:00 -07:00
Matthew Penner
81c788f524
cmd(upgrade): fix force and seed flags being ignored ( #3519 )
2021-08-03 19:48:34 -07:00
Matthew Penner
970f281859
backups: default is_successful to false ( #3522 )
...
* backups: default is_successful to false
* backups: properly query backups
2021-08-03 19:45:25 -07:00
Mia
bda1ff50ab
[UI] Display the 2FA token, show spinner on load ( #3367 )
...
Co-authored-by: Dane Everitt <dane@daneeveritt.com>
2021-08-02 20:39:12 -07:00
Matthew Penner
1a79b4827c
backups: allow updating a failed backup ( #3470 )
2021-07-18 08:46:20 -07:00
ClumsyAdmin
57987c0f79
Update Allocation.php ( #3468 )
...
Max port typo
2021-07-17 10:02:15 -07:00
Charles Morgan
91ea0a4f41
Update core eggs to new docker yolk images ( #3382 )
2021-07-17 10:02:00 -07:00
Leystryku
298e985d74
Permission for referencing other tables (foreign keys) ( #3419 )
2021-07-17 10:01:37 -07:00
Dane Everitt
d3e3b1db38
Test that a deleted backup makes an audit log entry
2021-07-11 12:15:39 -07:00
Matthew Penner
1260965dfd
ServerCreationService: send 'start_on_completion' option to wings ( #3431 )
2021-07-04 15:15:19 -07:00
Dane Everitt
d049839ffc
Fix deleting a backup that is locked and failed; closes #3404
2021-06-13 10:26:47 -07:00
Mark Ross
d45c67a6e1
Allow to find servers by short UUID (Application API) ( #3340 )
2021-06-05 08:43:57 -07:00
Lukas
75d254a6a4
Add support for mailgun API endpoint ( #3364 )
2021-06-05 08:38:47 -07:00
Stephen White
8459b11019
Allow database users to create/alter/drop routines ( #3389 )
...
Database users may wish to create/alter/drop stored procedures on their databases in order to use extra MySQL functionality.
2021-06-05 08:37:10 -07:00
Alex
9656378783
Fix 401 error typo ( #3393 )
2021-06-03 13:35:51 -07:00
Matthew Penner
c5b6d0bf45
Fix query to avoid pruning actively running backups ( #3379 )
2021-05-27 15:33:43 -07:00
Charles Morgan
76ac1998cf
Don't allow backups to be made via schedules if limit = 0 ( #3323 )
2021-05-16 09:47:36 -07:00
Dane Everitt
5d5e4ca7b1
Add support for locking backups to prevent any accidental deletions
2021-05-03 21:26:09 -07:00
Dane Everitt
5f48712c28
Add test coverage for RunTaskJob
2021-05-01 12:24:42 -07:00
Dane Everitt
7a85c31553
Add internal code support for stopping tasks if server is not running or continuing through on task error
2021-05-01 11:52:02 -07:00
Dane Everitt
92cd659db3
Add underlying data changes necessary for new task & schedule features
2021-05-01 10:44:40 -07:00
Dane Everitt
fd8259f33d
Merge branch 'develop' into patch-1
2021-04-25 11:06:29 -07:00
Julien Tant
f7f972b33d
rename now variable & fix condition
2021-04-24 18:18:29 -07:00
Julien Tant
2cd64c0af4
Merge remote-tracking branch 'upstream/develop' into develop
2021-04-24 17:14:18 -07:00
Dane Everitt
6ef60633d3
Additional coverage to ensure values are wrapped as expected; ref #3287
2021-04-24 16:39:56 -07:00
Julien Tant
552b9d3c33
Add possibility to run disabled cron
2021-04-24 15:06:21 -07:00
Boy132
c56e699985
Separated user from group
2021-04-20 17:39:34 +02:00
Boy132
2f6351ec00
Small fix
2021-04-20 10:08:21 +02:00
Boy132
3ca835e661
Add group input to upgrade command
2021-04-20 10:06:19 +02:00