60eff40a0c
Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for requests. That pathway found the current request user before continuing on to other in-app middleware, thus the user was available downstream. Changes introduced in 1.6.3 changed the throttler logic, therefore removing this step. As a result, the client API could not always get the currently authenticated user when cookies were used (aka, requests from the Panel UI, and not API directly). This change corrects the logic to get the session setup correctly before falling through to authenticating as a user using the API key. If a cookie is present and a user is found as a result that session will be used. If an API key is provided it is ignored when a cookie is also present. In order to keep the API stateless any session created for an API request stemming from an API key will have the associated session deleted at the end of the request, and the 'Set-Cookies' header will be stripped from the response. |
||
|---|---|---|
| .. | ||
| Application | ||
| Client | ||
| Daemon | ||
| ApiSubstituteBindings.php | ||
| AuthenticateIPAccess.php | ||
| AuthenticateKey.php | ||
| HandleStatelessRequest.php | ||
| IsValidJson.php | ||