Fix up API handling logic for keys and set a prefix on all keys

2022-05-22 19:03:51 -04:00 · 2022-05-22 19:03:51 -04:00 · b051718afe
commit b051718afe
parent 8605d175d6
11 changed files with 88 additions and 31 deletions
--- a/app/Http/Middleware/Api/Application/AuthenticateApplicationUser.php
+++ b/app/Http/Middleware/Api/Application/AuthenticateApplicationUser.php
@ -16,7 +16,9 @@ class AuthenticateApplicationUser
     */
    public function handle(Request $request, Closure $next)
    {
-        if (is_null($request->user()) || !$request->user()->root_admin) {
+        /** @var \Pterodactyl\Models\User|null $user */
+        $user = $request->user();
+        if (!$user || !$user->root_admin) {
            throw new AccessDeniedHttpException('This account does not have permission to access the API.');
        }

--- a/app/Http/Middleware/Api/Client/RequireClientApiKey.php
+++ b/app/Http/Middleware/Api/Client/RequireClientApiKey.php
@ -0,0 +1,27 @@
+<?php
+
+namespace Pterodactyl\Http\Middleware\Api\Client;
+
+use Illuminate\Http\Request;
+use Pterodactyl\Models\ApiKey;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+class RequireClientApiKey
+{
+    /**
+     * Blocks a request to the Client API endpoints if the user is providing an API token
+     * that was created for the application API.
+     *
+     * @return mixed
+     */
+    public function handle(Request $request, \Closure $next)
+    {
+        $token = $request->user()->currentAccessToken();
+
+        if ($token instanceof ApiKey && $token->key_type === ApiKey::TYPE_APPLICATION) {
+            throw new AccessDeniedHttpException('You are attempting to use an application API key on an endpoint that requires a client API key.');
+        }
+
+        return $next($request);
+    }
+}