StarMC/Astral-nook
StarMC/Astral-nook
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Revert use of cookies, go back to using a JWT

Browse source
This commit is contained in:
Dane Everitt 2018-06-06 22:49:44 -07:00
parent 871147f2d9
commit 03c83c084a
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
8 changed files with 80 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

30
app/Http/Middleware/Api/AuthenticateKey.php
View file

@ -5,7 +5,6 @@ namespace Pterodactyl\Http\Middleware\Api;
use Closure;
use Lcobucci\JWT\Parser;
use Cake\Chronos\Chronos;
use Illuminate\Support\Str;
use Illuminate\Http\Request;
use Pterodactyl\Models\ApiKey;
use Illuminate\Auth\AuthManager;
@ -64,24 +63,19 @@ class AuthenticateKey
public function handle(Request $request, Closure $next, int $keyType)
{
if (is_null($request->bearerToken())) {
if (! Str::startsWith($request->route()->getName(), ['api.client']) && ! $request->user()) {
throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
}
throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
}
if (is_null($request->bearerToken())) {
$model = (new ApiKey)->forceFill([
'user_id' => $request->user()->id,
'key_type' => ApiKey::TYPE_ACCOUNT,
]);
}
$raw = $request->bearerToken();
if (! isset($model)) {
$raw = $request->bearerToken();
// This is an internal JWT, treat it differently to get the correct user before passing it along.
if (strlen($raw) > ApiKey::IDENTIFIER_LENGTH + ApiKey::KEY_LENGTH) {
$model = $this->authenticateJWT($raw);
} else {
$model = $this->authenticateApiKey($raw, $keyType);
$this->auth->guard()->loginUsingId($model->user_id);
}
$this->auth->guard()->loginUsingId($model->user_id);
$request->attributes->set('api_key', $model);
return $next($request);
@ -103,6 +97,16 @@ class AuthenticateKey
throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
}
// Run through the token validation and throw an exception if the token is not valid.
if (
$token->getClaim('nbf') > Chronos::now()->getTimestamp()
|| $token->getClaim('iss') !== 'Pterodactyl Panel'
|| $token->getClaim('aud') !== config('app.url')
|| $token->getClaim('exp') <= Chronos::now()->getTimestamp()
) {
throw new AccessDeniedHttpException;
}
return (new ApiKey)->forceFill([
'user_id' => object_get($token->getClaim('user'), 'id', 0),
'key_type' => ApiKey::TYPE_ACCOUNT,