Fix up API handling logic for keys and set a prefix on all keys

2022-05-22 19:03:51 -04:00 · 2022-05-22 19:03:51 -04:00 · b051718afe
commit b051718afe
parent 8605d175d6
11 changed files with 88 additions and 31 deletions
--- a/app/Http/Controllers/Api/Client/ApiKeyController.php
+++ b/app/Http/Controllers/Api/Client/ApiKeyController.php
@ -63,7 +63,6 @@ class ApiKeyController extends ClientApiController
     * @return array
     *
     * @throws \Pterodactyl\Exceptions\DisplayException
-     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
     */
    public function store(StoreApiKeyRequest $request)
    {
@ -71,17 +70,14 @@ class ApiKeyController extends ClientApiController
            throw new DisplayException('You have reached the account limit for number of API keys.');
        }

-        $key = $this->keyCreationService->setKeyType(ApiKey::TYPE_ACCOUNT)->handle([
-            'user_id' => $request->user()->id,
-            'memo' => $request->input('description'),
-            'allowed_ips' => $request->input('allowed_ips') ?? [],
-        ]);
+        $token = $request->user()->createToken(
+            $request->input('description'),
+            $request->input('allowed_ips')
+        );

-        return $this->fractal->item($key)
+        return $this->fractal->item($token->accessToken)
            ->transformWith($this->getTransformer(ApiKeyTransformer::class))
-            ->addMeta([
-                'secret_token' => $this->encrypter->decrypt($key->token),
-            ])
+            ->addMeta(['secret_token' => $token->plainTextToken])
            ->toArray();
    }

--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -27,6 +27,7 @@ use Illuminate\Foundation\Http\Middleware\ValidatePostSize;
 use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
 use Pterodactyl\Http\Middleware\Api\Daemon\DaemonAuthenticate;
 use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
+use Pterodactyl\Http\Middleware\Api\Client\RequireClientApiKey;
 use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull;
 use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientBindings;
 use Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance;
@ -74,9 +75,10 @@ class Kernel extends HttpKernel
            SubstituteBindings::class,
            AuthenticateApplicationUser::class,
        ],
-        // TODO: don't allow an application key to use the client API, but do allow a client
-        //  api key to access the application API.
-        'client-api' => [SubstituteClientBindings::class],
+        'client-api' => [
+            SubstituteClientBindings::class,
+            RequireClientApiKey::class,
+        ],
        'daemon' => [
            SubstituteBindings::class,
            DaemonAuthenticate::class,
--- a/app/Http/Middleware/Api/Application/AuthenticateApplicationUser.php
+++ b/app/Http/Middleware/Api/Application/AuthenticateApplicationUser.php
@ -16,7 +16,9 @@ class AuthenticateApplicationUser
     */
    public function handle(Request $request, Closure $next)
    {
-        if (is_null($request->user()) || !$request->user()->root_admin) {
+        /** @var \Pterodactyl\Models\User|null $user */
+        $user = $request->user();
+        if (!$user || !$user->root_admin) {
            throw new AccessDeniedHttpException('This account does not have permission to access the API.');
        }

--- a/app/Http/Middleware/Api/Client/RequireClientApiKey.php
+++ b/app/Http/Middleware/Api/Client/RequireClientApiKey.php
@ -0,0 +1,27 @@
+<?php
+
+namespace Pterodactyl\Http\Middleware\Api\Client;
+
+use Illuminate\Http\Request;
+use Pterodactyl\Models\ApiKey;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+class RequireClientApiKey
+{
+    /**
+     * Blocks a request to the Client API endpoints if the user is providing an API token
+     * that was created for the application API.
+     *
+     * @return mixed
+     */
+    public function handle(Request $request, \Closure $next)
+    {
+        $token = $request->user()->currentAccessToken();
+
+        if ($token instanceof ApiKey && $token->key_type === ApiKey::TYPE_APPLICATION) {
+            throw new AccessDeniedHttpException('You are attempting to use an application API key on an endpoint that requires a client API key.');
+        }
+
+        return $next($request);
+    }
+}
--- a/app/Http/Requests/Api/Application/ApplicationApiRequest.php
+++ b/app/Http/Requests/Api/Application/ApplicationApiRequest.php
@ -3,6 +3,7 @@
 namespace Pterodactyl\Http\Requests\Api\Application;

 use Webmozart\Assert\Assert;
+use Pterodactyl\Models\ApiKey;
 use Laravel\Sanctum\TransientToken;
 use Illuminate\Validation\Validator;
 use Illuminate\Database\Eloquent\Model;
@ -45,6 +46,10 @@ abstract class ApplicationApiRequest extends FormRequest
            return true;
        }

+        if ($token->key_type === ApiKey::TYPE_ACCOUNT) {
+            return true;
+        }
+
        return AdminAcl::check($token, $this->resource, $this->permission);
    }