StarMC/Astral-nook
StarMC/Astral-nook
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix session management on client API requests; closes #3727

Browse source 
Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for
requests. That pathway found the current request user before continuing on to
other in-app middleware, thus the user was available downstream.

Changes introduced in 1.6.3 changed the throttler logic, therefore removing this
step. As a result, the client API could not always get the currently authenticated
user when cookies were used (aka, requests from the Panel UI, and not API directly).

This change corrects the logic to get the session setup correctly before falling
through to authenticating as a user using the API key. If a cookie is present and a
user is found as a result that session will be used. If an API key is provided it is
ignored when a cookie is also present.

In order to keep the API stateless any session created for an API request stemming
from an API key will have the associated session deleted at the end of the request,
and the 'Set-Cookies' header will be stripped from the response.
This commit is contained in:
Dane Everitt 2021-11-03 20:51:18 -07:00
parent d0663dcbd4
commit 60eff40a0c
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
5 changed files with 54 additions and 48 deletions
Download patch file Download diff file Expand all files Collapse all files

18
app/Http/Middleware/Api/AuthenticateKey.php
View file

@ -42,8 +42,10 @@ class AuthenticateKey
}
/**
* Handle an API request by verifying that the provided API key
* is in a valid format and exists in the database.
* Handle an API request by verifying that the provided API key is in a valid
* format and exists in the database. If there is currently a user in the session
* do not even bother to look at the token (they provided a cookie for this to
* be the case).
*
* @return mixed
*
@ -56,17 +58,17 @@ class AuthenticateKey
throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
}
$raw = $request->bearerToken();
// This is a request coming through using cookies, we have an authenticated user not using
// an API key. Make some fake API key models and continue on through the process.
if (empty($raw) && $request->user() instanceof User) {
// This is a request coming through using cookies, we have an authenticated user
// not using an API key. Make some fake API key models and continue on through
// the process.
if ($request->user() instanceof User) {
$model = (new ApiKey())->forceFill([
'user_id' => $request->user()->id,
'key_type' => ApiKey::TYPE_ACCOUNT,
]);
} else {
$model = $this->authenticateApiKey($raw, $keyType);
$model = $this->authenticateApiKey($request->bearerToken(), $keyType);
$this->auth->guard()->loginUsingId($model->user_id);
}