Commit graph

4706 commits

Author SHA1 Message Date
Dane Everitt
bf9cbe2c6d
Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints 2021-11-16 20:02:18 -08:00
Matthew Penner
cc31a0a6d0
tests(integration): don't expect non-required fields 2021-11-15 11:29:22 -07:00
Alex
01871d8a6c
add Java 17 LTS image to Minecraft eggs (#3744)
* feat: add Java 17 LTS for Minecraft

* feat: add java 17 option to java modal
2021-11-15 08:15:27 -08:00
Matthew Penner
d8da79b7fb
yarn: upgrade dependencies 2021-11-12 13:16:15 -07:00
Matthew Penner
ce0bc477c2
ui(admin): fix egg variables 2021-11-04 14:33:24 -06:00
Matthew Penner
f7c824743f
ui(editor): prevent initialContent being duplicated 2021-11-04 13:44:10 -06:00
Matthew Penner
5359ef8407
api(app): allow removing a server's startup command 2021-11-04 11:47:08 -06:00
Matthew Penner
34d20b2bf0
api: remove old debug logs 2021-11-04 11:37:33 -06:00
Matthew Penner
fad4005168
Merge branch 'develop' into v2 2021-11-04 11:34:11 -06:00
Dane Everitt
17c03e9a4d
Fix broken session management for application api 2021-11-03 21:33:21 -07:00
Dane Everitt
e8a8405899
Remove tests 2021-11-03 21:22:14 -07:00
Dane Everitt
60eff40a0c
Fix session management on client API requests; closes #3727
Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for
requests. That pathway found the current request user before continuing on to
other in-app middleware, thus the user was available downstream.

Changes introduced in 1.6.3 changed the throttler logic, therefore removing this
step. As a result, the client API could not always get the currently authenticated
user when cookies were used (aka, requests from the Panel UI, and not API directly).

This change corrects the logic to get the session setup correctly before falling
through to authenticating as a user using the API key. If a cookie is present and a
user is found as a result that session will be used. If an API key is provided it is
ignored when a cookie is also present.

In order to keep the API stateless any session created for an API request stemming
from an API key will have the associated session deleted at the end of the request,
and the 'Set-Cookies' header will be stripped from the response.
2021-11-03 20:51:39 -07:00
Matthew Penner
44f4cbc4c3
Merge branch 'develop' into v2 2021-11-03 15:35:22 -06:00
Matthew Penner
728adfe388
server(startup): make startup nullable; resolves #3721 2021-11-03 15:32:53 -06:00
Dane Everitt
cdd8eabcc0
Add phpstan for static analysis (#3718) 2021-10-30 13:41:38 -07:00
Alex
d0663dcbd4
fix: use POST for admin logout route (#3710)
Quick fix for logging out from the admin panel as the auth route was changed from GET to POST.
2021-10-30 13:27:59 -07:00
Matthew Penner
871d0bdd1c
ui(admin): add egg exporting 2021-10-30 14:23:29 -06:00
Matthew Penner
469c0b40a3
ui(admin): add views for settings 2021-10-30 13:12:02 -06:00
Matthew Penner
70cf5c17aa
ui(admin): basic server creation 2021-10-29 00:04:28 -06:00
Matthew Penner
cc2ed97b0f
ui: fix SearchableSelect not selecting when hitting enter 2021-10-28 23:48:07 -06:00
Matthew Penner
c48d573cc9
Merge branch 'develop' into v2 2021-10-28 22:59:12 -06:00
Matthew Penner
5e99bb8dd6
ui(admin): fix server startup variables 2021-10-24 16:05:00 -06:00
Alex
4dca4f0aa9
change display format of the container uptime (#3706)
* change display format of the container uptime

Display `day, hour, min` if days is more than 0, otherwise default to existing `hour, min, sec`. Removes pads to make it more clean in this new format.

* clean the return
2021-10-24 14:41:01 -07:00
Samuel Ryberg
c4ab318d5a
Update docker-compose.example.yml (#3707) 2021-10-24 10:21:58 -07:00
Alex
ef4410bac6
expose uptime to client resources API endpoint (#3705)
resolves #3704
2021-10-24 10:12:17 -07:00
Matthew Penner
cf1cc97340
ui(admin): rough layout on new server page 2021-10-23 15:19:49 -06:00
Matthew Penner
bee7c4515c
eggs: update default script values 2021-10-23 14:31:23 -06:00
Matthew Penner
f6ac9707fa
Merge branch 'develop' into v2 2021-10-23 14:22:18 -06:00
Matthew Penner
7f7506e5a9
ui(admin): fix bad redirect on egg delete 2021-10-23 14:19:50 -06:00
Matthew Penner
0e870ab256
fix integration tests 2021-10-23 14:17:05 -06:00
Anders G. Jørgensen
72680fc954
Don't force enable-query (#3700)
But make sure the query.port is set correctly, if query is enabled.
2021-10-23 13:11:45 -07:00
Dane Everitt
d65e2978d0
Update CHANGELOG.md 2021-10-23 13:02:25 -07:00
Dane Everitt
45999ba4ee
(security) use POST for logout rather than GET
see https://github.com/pterodactyl/panel/security/advisories/GHSA-m49f-hcxp-6hm6
2021-10-23 13:00:21 -07:00
Matthew Penner
2948e344d2
fix integration tests 2021-10-23 13:34:41 -06:00
Matthew Penner
b966069946
Merge branch 'develop' into v2 2021-10-23 13:26:25 -06:00
Dane Everitt
22a8b2b3a2
Use more standardized rate limiting in Laravel; apply limits to auth routes 2021-10-23 12:17:16 -07:00
Matthew Penner
cddf2ce41c
ui(admin): new egg page 2021-10-23 13:13:25 -06:00
Matthew Penner
336923ec18
ui(admin): fix container width on server startup 2021-10-23 12:31:30 -06:00
Matthew Penner
3b5fa34d85
ui(admin): add delete confirmation for egg variables 2021-10-23 12:29:17 -06:00
Dane Everitt
a3572006cb
Merge branch 'dane/type-cleanup' into v2 2021-10-10 13:21:44 -07:00
Dane Everitt
8486c914ae
More fixup for egg handling 2021-10-10 13:21:21 -07:00
Dane Everitt
85c8f4884f
Cleanup more of the server screen typings 2021-10-10 13:13:10 -07:00
Dane Everitt
f6998018b4
Cleanup more of the server UI logic 2021-10-10 12:03:28 -07:00
Dane Everitt
e3aca937b5
Add more type cleanup and have a completed server type 2021-10-10 11:32:07 -07:00
Alex
f77932a617
cmd(upgrade): Attempt to gain users attention during upgrade (#3678)
* cmd(upgrade):  Attempt to gain users attention during upgrade

Changes color of the user and group to gain attention, common issue is having wrong user/group which breaks the panel. Outputs termination message when users spam enter skipping the upgrade wondering why it didn't upgrade.

Reminder to update wings, because users forget it.

* cmd(upgrade): Display wings upgrade documentation link
2021-10-10 11:08:22 -07:00
Alex
c12f1463b0
eggs(forge): Add support for 1.17+ Forge (#3676)
Support new 1.17+ Forge JPMS arguments that don't ship any executable jar. It will use unix_args.txt file for 1.17+ when one exists, otherwise defaults to using the jar file

Fix forge latest build version option to actually use latest instead of recommended
Set build version input rules to only accept valid values of the latest and recommended
Remove spaces from the version variables to avoid issues with curl. Forge site displays versions with spaces to end users
2021-10-10 10:50:01 -07:00
Dane Everitt
00d0f49ede
Cleanup typing for server and expose more useful endpoint and transformer logic 2021-10-09 12:02:32 -07:00
Alex
5b6de4df6f
eggs(rust): custom map url (#3625)
Introduces custom map URL variable. If none is provided, it will default to using normal map size and seed. Otherwise, it will use the custom map and remove map size/seed from the startup as required.
2021-10-09 10:31:47 -07:00
Waseem Hassan Shahid
8b236c6907
Fix SSL config docker (#3616)
* Don't copy default nginx config at build time

* Use http.d folder for nginx configs

* Add default config back

* Change the panel config name
2021-10-09 10:31:29 -07:00
Matthew Penner
4fa38b8e9c
Fix wings receiving wrong suspended status on sync (#3667)
Due to wings pulling the server configuration rather than the Panel pushing it,
wings gets the wrong status for a server if both the status update and sync request
are ran in a transaction due to the status not being persisted in the database.

Fixes #3639
2021-10-07 08:46:09 -07:00