Commit graph

58 commits

Author SHA1 Message Date
DaneEveritt
e313dff674
Massively simplify API binding logic
Changes the API internals to use normal Laravel binding which automatically supports nested-models and can determine their relationships. This removes a lot of confusingly complex internal logic and replaces it with standard Laravel code.

This also removes a deprecated "getModel" method and fully replaces it with a "parameter" method that does stricter type-checking.
2022-05-22 14:10:01 -04:00
DaneEveritt
5705d7dbdd
Run php-cs-fixer 2022-05-14 16:03:50 -04:00
DaneEveritt
65f27d41a2
Switch to more recent Laravel route definition methods 2022-05-14 15:51:05 -04:00
DaneEveritt
530558b0f8
Update deprecated JSON response creation and unnecessary middleware 2022-05-04 19:23:01 -04:00
Dane Everitt
bf9cbe2c6d
Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints 2021-11-16 20:02:18 -08:00
Dane Everitt
17c03e9a4d
Fix broken session management for application api 2021-11-03 21:33:21 -07:00
Dane Everitt
60eff40a0c
Fix session management on client API requests; closes #3727
Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for
requests. That pathway found the current request user before continuing on to
other in-app middleware, thus the user was available downstream.

Changes introduced in 1.6.3 changed the throttler logic, therefore removing this
step. As a result, the client API could not always get the currently authenticated
user when cookies were used (aka, requests from the Panel UI, and not API directly).

This change corrects the logic to get the session setup correctly before falling
through to authenticating as a user using the API key. If a cookie is present and a
user is found as a result that session will be used. If an API key is provided it is
ignored when a cookie is also present.

In order to keep the API stateless any session created for an API request stemming
from an API key will have the associated session deleted at the end of the request,
and the 'Set-Cookies' header will be stripped from the response.
2021-11-03 20:51:39 -07:00
Dane Everitt
22a8b2b3a2
Use more standardized rate limiting in Laravel; apply limits to auth routes 2021-10-23 12:17:16 -07:00
Dane Everitt
e30a765071
Simplify logic when a server is in an unsupported state 2021-01-30 13:28:31 -08:00
Dane Everitt
d22456d9ca
Block API access when 2FA is required on account; closes #2791 2020-12-06 13:56:14 -08:00
Dane Everitt
e95a532da9
Make rate limit configurable; closes #1695 2020-07-02 21:11:16 -07:00
Dane Everitt
fde8465f35
Show a better error when JSON data cannot be parsed in the request 2020-06-30 20:05:11 -07:00
Dane Everitt
756a21ff04
Remove unused code 2020-06-24 20:38:13 -07:00
Dane Everitt
536180ed0c
Return Http test cases to a passing state 2020-06-23 21:59:37 -07:00
Dane Everitt
7557dddf49
Store node daemon tokens in an encrypted manner 2020-04-10 15:15:38 -07:00
Dane Everitt
6336e5191f
Strip out JWT usage and use cookies to track the currently logged in user 2018-07-14 22:42:58 -07:00
Dane Everitt
eafc4408eb
Fix broken unit tests 2018-07-14 21:49:49 -07:00
Dane Everitt
48cb01f438
Merge branch 'develop' into feature/vuejs 2018-07-02 21:00:42 -07:00
Dane Everitt
974318ffb4
Logout other sessions when password is changed
closes #1222
2018-06-30 17:50:58 -07:00
Dane Everitt
03c83c084a
Revert use of cookies, go back to using a JWT 2018-06-06 22:49:44 -07:00
Dane Everitt
5bcabbde35
Get dashboard in a more working state 2018-06-05 23:42:34 -07:00
Dane Everitt
969b16a563 Apply fixes from StyleCI
[ci skip] [skip ci]
2018-06-02 21:32:26 +00:00
stanjg
ccf3e3511f
Renamed middleware, and fixed the test 2018-05-31 16:40:18 +02:00
Dane Everitt
e3bbd85f3f
Merge branch 'develop' into pr/1129 2018-05-26 10:34:29 -07:00
Lance Pioch
e2dc0638d9 Fix app/ spelling errors 2018-05-13 11:12:41 -04:00
stanjg
86c8ecdcdf
Added the actual logic 2018-05-04 15:02:51 +02:00
Dane Everitt
cef3e4ced4
Add base routes for managing servers as a client 2018-02-27 21:28:43 -06:00
Dane Everitt
e28973bcae
Move everything around as needed to get things setup for the client API 2018-02-25 15:30:56 -06:00
Dane Everitt
3e327b8b0e
Use more logical route binding to not reveal resources on the API unless authenticated. 2018-01-20 15:33:04 -06:00
Dane Everitt
0e7f8cedf0
Reorganize API files 2018-01-19 19:58:57 -06:00
Dane Everitt
c3b9738364
Implement application API Keys 2018-01-18 21:36:15 -06:00
Dane Everitt
e3df0738da
Change the way API keys are stored and validated; clarify API namespacing
Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison.
2018-01-13 16:06:19 -06:00
Dane Everitt
a31e5875dc
First round of changes to API to support simpler permissions. 2018-01-11 22:49:46 -06:00
Dane Everitt
0dcf2aaed6
Inital upgrade to 5.5
This simply updates dependencies and gets all of the providers and config files updated based on what  the laravel/laravel currently ships with
2017-12-16 12:20:09 -06:00
Dane Everitt
285485d7b0
Change how API keys are validated (#771) 2017-12-03 14:29:14 -06:00
Dane Everitt
ecdd133b75
Fix daemon auth 2017-11-04 17:16:44 -05:00
Dane Everitt
e9aecfe6db
Shorten imports 2017-10-29 15:57:43 -05:00
Dane Everitt
79decafdc8
Update all the middlewares 2017-10-29 12:37:25 -05:00
Dane Everitt
e0d03513e4
Cleanup frontend controllers and middleware 2017-10-27 21:42:53 -05:00
Dane Everitt
97dc0519d6
Add database management back to front-end and begin some refactoring
Here we go again boys...
2017-10-18 22:32:19 -05:00
Dane Everitt
fb8a26f141
Merge branch 'develop' into feature/api-daemon-changes 2017-09-25 21:46:44 -05:00
Lance Pioch
09d958249d Add togglable 2FA user requirements (#635) 2017-09-25 15:58:16 -10:00
Lance Pioch
8197b1733f Fix some more routes 2017-09-24 21:27:57 -04:00
Dane Everitt
906a699ee2
Begin implementation of new daemon authentication scheme 2017-09-23 20:45:25 -05:00
Lance Pioch
8bfebf5b32 Use proper route name instead of using class in route file 2017-09-21 13:48:57 -04:00
Dane Everitt
4532811fcd
Improved middleware, console page now using new setup 2017-09-02 21:35:33 -05:00
Dane Everitt
87530cdc01
Initial moves to new API scheme.
Implements a better middleware for handling API authentication, as well
as cleaner route handling.
2017-04-02 00:11:52 -04:00
Dane Everitt
d80c59aad3
Cleanup routing mechanisms 2017-04-01 21:01:10 -04:00
Jakob Schrettenbrunner
142cbb0641 Add invisible ReCAPTCHA to login and password reset 2017-03-31 12:19:44 +02:00
Jakob Schrettenbrunner
24650b67be Merge branch 'develop' into fix/trusted-proxies
sorry
2017-02-01 20:35:10 +01:00