Fix up API handling logic for keys and set a prefix on all keys
This commit is contained in:
DaneEveritt
parent
8605d175d6
commit
b051718afe
11 changed files with 88 additions and 31 deletions
|
|
@ -63,7 +63,6 @@ class ApiKeyController extends ClientApiController
|
|||
* @return array
|
||||
*
|
||||
* @throws \Pterodactyl\Exceptions\DisplayException
|
||||
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
|
||||
*/
|
||||
public function store(StoreApiKeyRequest $request)
|
||||
{
|
||||
|
|
@ -71,17 +70,14 @@ class ApiKeyController extends ClientApiController
|
|||
throw new DisplayException('You have reached the account limit for number of API keys.');
|
||||
}
|
||||
|
||||
$key = $this->keyCreationService->setKeyType(ApiKey::TYPE_ACCOUNT)->handle([
|
||||
'user_id' => $request->user()->id,
|
||||
'memo' => $request->input('description'),
|
||||
'allowed_ips' => $request->input('allowed_ips') ?? [],
|
||||
]);
|
||||
$token = $request->user()->createToken(
|
||||
$request->input('description'),
|
||||
$request->input('allowed_ips')
|
||||
);
|
||||
|
||||
return $this->fractal->item($key)
|
||||
return $this->fractal->item($token->accessToken)
|
||||
->transformWith($this->getTransformer(ApiKeyTransformer::class))
|
||||
->addMeta([
|
||||
'secret_token' => $this->encrypter->decrypt($key->token),
|
||||
])
|
||||
->addMeta(['secret_token' => $token->plainTextToken])
|
||||
->toArray();
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -27,6 +27,7 @@ use Illuminate\Foundation\Http\Middleware\ValidatePostSize;
|
|||
use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
|
||||
use Pterodactyl\Http\Middleware\Api\Daemon\DaemonAuthenticate;
|
||||
use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
|
||||
use Pterodactyl\Http\Middleware\Api\Client\RequireClientApiKey;
|
||||
use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull;
|
||||
use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientBindings;
|
||||
use Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance;
|
||||
|
|
@ -74,9 +75,10 @@ class Kernel extends HttpKernel
|
|||
SubstituteBindings::class,
|
||||
AuthenticateApplicationUser::class,
|
||||
],
|
||||
// TODO: don't allow an application key to use the client API, but do allow a client
|
||||
// api key to access the application API.
|
||||
'client-api' => [SubstituteClientBindings::class],
|
||||
'client-api' => [
|
||||
SubstituteClientBindings::class,
|
||||
RequireClientApiKey::class,
|
||||
],
|
||||
'daemon' => [
|
||||
SubstituteBindings::class,
|
||||
DaemonAuthenticate::class,
|
||||
|
|
|
|||
|
|
@ -16,7 +16,9 @@ class AuthenticateApplicationUser
|
|||
*/
|
||||
public function handle(Request $request, Closure $next)
|
||||
{
|
||||
if (is_null($request->user()) || !$request->user()->root_admin) {
|
||||
/** @var \Pterodactyl\Models\User|null $user */
|
||||
$user = $request->user();
|
||||
if (!$user || !$user->root_admin) {
|
||||
throw new AccessDeniedHttpException('This account does not have permission to access the API.');
|
||||
}
|
||||
|
||||
|
|
|
|||
27
app/Http/Middleware/Api/Client/RequireClientApiKey.php
Normal file
27
app/Http/Middleware/Api/Client/RequireClientApiKey.php
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
<?php
|
||||
|
||||
namespace Pterodactyl\Http\Middleware\Api\Client;
|
||||
|
||||
use Illuminate\Http\Request;
|
||||
use Pterodactyl\Models\ApiKey;
|
||||
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
|
||||
|
||||
class RequireClientApiKey
|
||||
{
|
||||
/**
|
||||
* Blocks a request to the Client API endpoints if the user is providing an API token
|
||||
* that was created for the application API.
|
||||
*
|
||||
* @return mixed
|
||||
*/
|
||||
public function handle(Request $request, \Closure $next)
|
||||
{
|
||||
$token = $request->user()->currentAccessToken();
|
||||
|
||||
if ($token instanceof ApiKey && $token->key_type === ApiKey::TYPE_APPLICATION) {
|
||||
throw new AccessDeniedHttpException('You are attempting to use an application API key on an endpoint that requires a client API key.');
|
||||
}
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
|
|
@ -3,6 +3,7 @@
|
|||
namespace Pterodactyl\Http\Requests\Api\Application;
|
||||
|
||||
use Webmozart\Assert\Assert;
|
||||
use Pterodactyl\Models\ApiKey;
|
||||
use Laravel\Sanctum\TransientToken;
|
||||
use Illuminate\Validation\Validator;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
|
|
@ -45,6 +46,10 @@ abstract class ApplicationApiRequest extends FormRequest
|
|||
return true;
|
||||
}
|
||||
|
||||
if ($token->key_type === ApiKey::TYPE_ACCOUNT) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return AdminAcl::check($token, $this->resource, $this->permission);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@
|
|||
namespace Pterodactyl\Models;
|
||||
|
||||
use Illuminate\Support\Str;
|
||||
use Webmozart\Assert\Assert;
|
||||
use Pterodactyl\Services\Acl\Api\AdminAcl;
|
||||
use Illuminate\Database\Eloquent\Relations\BelongsTo;
|
||||
|
||||
|
|
@ -194,21 +195,33 @@ class ApiKey extends Model
|
|||
*/
|
||||
public static function findToken($token)
|
||||
{
|
||||
$id = Str::substr($token, 0, self::IDENTIFIER_LENGTH);
|
||||
$identifier = substr($token, 0, self::IDENTIFIER_LENGTH);
|
||||
|
||||
$model = static::where('identifier', $id)->first();
|
||||
if (!is_null($model) && decrypt($model->token) === Str::substr($token, strlen($id))) {
|
||||
$model = static::where('identifier', $identifier)->first();
|
||||
if (!is_null($model) && decrypt($model->token) === substr($token, strlen($identifier))) {
|
||||
return $model;
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the standard prefix for API keys in the system.
|
||||
*/
|
||||
public static function getPrefixForType(int $type): string
|
||||
{
|
||||
Assert::oneOf($type, [self::TYPE_ACCOUNT, self::TYPE_APPLICATION]);
|
||||
|
||||
return $type === self::TYPE_ACCOUNT ? 'ptlc_' : 'ptla_';
|
||||
}
|
||||
|
||||
/**
|
||||
* Generates a new identifier for an API key.
|
||||
*/
|
||||
public static function generateTokenIdentifier(): string
|
||||
public static function generateTokenIdentifier(int $type): string
|
||||
{
|
||||
return 'ptdl_' . Str::random(self::IDENTIFIER_LENGTH - 5);
|
||||
$prefix = self::getPrefixForType($type);
|
||||
|
||||
return $prefix . Str::random(self::IDENTIFIER_LENGTH - strlen($prefix));
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@ use Illuminate\Support\Str;
|
|||
use Laravel\Sanctum\Sanctum;
|
||||
use Pterodactyl\Models\ApiKey;
|
||||
use Laravel\Sanctum\HasApiTokens;
|
||||
use Illuminate\Database\Eloquent\Relations\HasMany;
|
||||
use Pterodactyl\Extensions\Laravel\Sanctum\NewAccessToken;
|
||||
|
||||
/**
|
||||
|
|
@ -13,25 +14,28 @@ use Pterodactyl\Extensions\Laravel\Sanctum\NewAccessToken;
|
|||
*/
|
||||
trait HasAccessTokens
|
||||
{
|
||||
use HasApiTokens;
|
||||
use HasApiTokens {
|
||||
tokens as private _tokens;
|
||||
createToken as private _createToken;
|
||||
}
|
||||
|
||||
public function tokens()
|
||||
public function tokens(): HasMany
|
||||
{
|
||||
return $this->hasMany(Sanctum::$personalAccessTokenModel);
|
||||
}
|
||||
|
||||
public function createToken(string $name, array $abilities = ['*'])
|
||||
public function createToken(?string $memo, ?array $ips): NewAccessToken
|
||||
{
|
||||
/** @var \Pterodactyl\Models\ApiKey $token */
|
||||
$token = $this->tokens()->create([
|
||||
$token = $this->tokens()->forceCreate([
|
||||
'user_id' => $this->id,
|
||||
'key_type' => ApiKey::TYPE_ACCOUNT,
|
||||
'identifier' => ApiKey::generateTokenIdentifier(),
|
||||
'identifier' => ApiKey::generateTokenIdentifier(ApiKey::TYPE_ACCOUNT),
|
||||
'token' => encrypt($plain = Str::random(ApiKey::KEY_LENGTH)),
|
||||
'memo' => $name,
|
||||
'allowed_ips' => [],
|
||||
'memo' => $memo ?? '',
|
||||
'allowed_ips' => $ips ?? [],
|
||||
]);
|
||||
|
||||
return new NewAccessToken($token, $token->identifier . $plain);
|
||||
return new NewAccessToken($token, $plain);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,12 +3,12 @@
|
|||
namespace Pterodactyl\Models;
|
||||
|
||||
use Pterodactyl\Rules\Username;
|
||||
use Laravel\Sanctum\HasApiTokens;
|
||||
use Illuminate\Support\Collection;
|
||||
use Illuminate\Validation\Rules\In;
|
||||
use Illuminate\Auth\Authenticatable;
|
||||
use Illuminate\Notifications\Notifiable;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Pterodactyl\Models\Traits\HasAccessTokens;
|
||||
use Illuminate\Auth\Passwords\CanResetPassword;
|
||||
use Pterodactyl\Traits\Helpers\AvailableLanguages;
|
||||
use Illuminate\Database\Eloquent\Relations\HasMany;
|
||||
|
|
@ -84,7 +84,7 @@ class User extends Model implements
|
|||
use Authorizable;
|
||||
use AvailableLanguages;
|
||||
use CanResetPassword;
|
||||
use HasApiTokens;
|
||||
use HasAccessTokens;
|
||||
use Notifiable;
|
||||
|
||||
public const USER_LEVEL_USER = 0;
|
||||
|
|
|
|||
|
|
@ -56,7 +56,7 @@ class KeyCreationService
|
|||
{
|
||||
$data = array_merge($data, [
|
||||
'key_type' => $this->keyType,
|
||||
'identifier' => str_random(ApiKey::IDENTIFIER_LENGTH),
|
||||
'identifier' => ApiKey::generateTokenIdentifier($this->keyType),
|
||||
'token' => $this->encrypter->encrypt(str_random(ApiKey::KEY_LENGTH)),
|
||||
]);
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue