Merge branch 'feature/vuejs' into feature/vue-serverview

2018-06-11 21:06:12 +02:00 · 2018-06-11 21:06:12 +02:00 · 05478e3277
commit 05478e3277
parent 855af7cb4d f971cdf9ca
29 changed files with 2997 additions and 16217 deletions
--- a/app/Http/Controllers/Api/Client/AccountController.php
+++ b/app/Http/Controllers/Api/Client/AccountController.php
@ -0,0 +1,16 @@
+<?php
+
+namespace Pterodactyl\Http\Controllers\Api\Client;
+
+use Illuminate\Http\Request;
+use Pterodactyl\Transformers\Api\Client\AccountTransformer;
+
+class AccountController extends ClientApiController
+{
+    public function index(Request $request): array
+    {
+        return $this->fractal->item($request->user())
+            ->transformWith($this->getTransformer(AccountTransformer::class))
+            ->toArray();
+    }
+}
--- a/app/Http/Controllers/Auth/AbstractLoginController.php
+++ b/app/Http/Controllers/Auth/AbstractLoginController.php
@ -16,6 +16,7 @@ use Illuminate\Contracts\Auth\Authenticatable;
 use Illuminate\Contracts\Encryption\Encrypter;
 use Illuminate\Foundation\Auth\AuthenticatesUsers;
 use Pterodactyl\Traits\Helpers\ProvidesJWTServices;
+use Pterodactyl\Transformers\Api\Client\AccountTransformer;
 use Illuminate\Contracts\Cache\Repository as CacheRepository;
 use Pterodactyl\Contracts\Repository\UserRepositoryInterface;

@ -137,27 +138,37 @@ abstract class AbstractLoginController extends Controller
        $request->session()->regenerate();
        $this->clearLoginAttempts($request);

-        $token = $this->builder->setIssuer(config('app.url'))
-            ->setAudience(config('app.url'))
-            ->setId(str_random(12), true)
-            ->setIssuedAt(Chronos::now()->getTimestamp())
-            ->setNotBefore(Chronos::now()->getTimestamp())
-            ->setExpiration(Chronos::now()->addSeconds(config('session.lifetime'))->getTimestamp())
-            ->set('user', $user->only([
-                'id', 'uuid', 'username', 'email', 'name_first', 'name_last', 'language', 'root_admin',
-            ]))
-            ->sign($this->getJWTSigner(), $this->getJWTSigningKey())
-            ->getToken();
-
        $this->auth->guard()->login($user, true);

        return response()->json([
            'complete' => true,
            'intended' => $this->redirectPath(),
-            'token' => $token->__toString(),
+            'jwt' => $this->createJsonWebToken($user),
        ]);
    }

+    /**
+     * Create a new JWT for the request and sign it using the signing key.
+     *
+     * @param User $user
+     * @return string
+     */
+    protected function createJsonWebToken(User $user): string
+    {
+        $token = $this->builder
+            ->setIssuer('Pterodactyl Panel')
+            ->setAudience(config('app.url'))
+            ->setId(str_random(16), true)
+            ->setIssuedAt(Chronos::now()->getTimestamp())
+            ->setNotBefore(Chronos::now()->getTimestamp())
+            ->setExpiration(Chronos::now()->addSeconds(config('session.lifetime'))->getTimestamp())
+            ->set('user', (new AccountTransformer())->transform($user))
+            ->sign($this->getJWTSigner(), $this->getJWTSigningKey())
+            ->getToken();
+
+        return $token->__toString();
+    }
+
    /**
     * Determine if the user is logging in using an email or username,.
     *
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -2,7 +2,6 @@

 namespace Pterodactyl\Http;

-use Pterodactyl\Http\Middleware\MaintenanceMiddleware;
 use Pterodactyl\Models\ApiKey;
 use Illuminate\Auth\Middleware\Authorize;
 use Illuminate\Auth\Middleware\Authenticate;
@ -21,6 +20,7 @@ use Illuminate\Routing\Middleware\SubstituteBindings;
 use Pterodactyl\Http\Middleware\AccessingValidServer;
 use Pterodactyl\Http\Middleware\Api\SetSessionDriver;
 use Illuminate\View\Middleware\ShareErrorsFromSession;
+use Pterodactyl\Http\Middleware\MaintenanceMiddleware;
 use Pterodactyl\Http\Middleware\RedirectIfAuthenticated;
 use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth;
 use Pterodactyl\Http\Middleware\Api\AuthenticateIPAccess;
@ -71,7 +71,7 @@ class Kernel extends HttpKernel
            RequireTwoFactorAuthentication::class,
        ],
        'api' => [
-            'throttle:120,1',
+            'throttle:240,1',
            ApiSubstituteBindings::class,
            SetSessionDriver::class,
            'api..key:' . ApiKey::TYPE_APPLICATION,
@ -79,7 +79,7 @@ class Kernel extends HttpKernel
            AuthenticateIPAccess::class,
        ],
        'client-api' => [
-            'throttle:60,1',
+            'throttle:240,1',
            SubstituteClientApiBindings::class,
            SetSessionDriver::class,
            'api..key:' . ApiKey::TYPE_ACCOUNT,
--- a/app/Http/Middleware/Api/AuthenticateKey.php
+++ b/app/Http/Middleware/Api/AuthenticateKey.php
@ -97,6 +97,16 @@ class AuthenticateKey
            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
        }

+        // Run through the token validation and throw an exception if the token is not valid.
+        if (
+            $token->getClaim('nbf') > Chronos::now()->getTimestamp()
+            || $token->getClaim('iss') !== 'Pterodactyl Panel'
+            || $token->getClaim('aud') !== config('app.url')
+            || $token->getClaim('exp') <= Chronos::now()->getTimestamp()
+        ) {
+            throw new AccessDeniedHttpException;
+        }
+
        return (new ApiKey)->forceFill([
            'user_id' => object_get($token->getClaim('user'), 'id', 0),
            'key_type' => ApiKey::TYPE_ACCOUNT,