StarMC/Astral-nook
StarMC/Astral-nook
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Initial pass at implementing Laravel Sanctum for authorization on the API

Browse source
This commit is contained in:
DaneEveritt 2022-05-22 14:57:06 -04:00
parent e313dff674
commit bd37978a98
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
13 changed files with 324 additions and 220 deletions
Download patch file Download diff file Expand all files Collapse all files

30
app/Http/Kernel.php
View file

@ -2,7 +2,6 @@
namespace Pterodactyl\Http;
use Pterodactyl\Models\ApiKey;
use Illuminate\Auth\Middleware\Authorize;
use Illuminate\Auth\Middleware\Authenticate;
use Illuminate\Http\Middleware\TrustProxies;
@ -16,7 +15,6 @@ use Pterodactyl\Http\Middleware\AdminAuthenticate;
use Illuminate\Routing\Middleware\ThrottleRequests;
use Pterodactyl\Http\Middleware\LanguageMiddleware;
use Illuminate\Foundation\Http\Kernel as HttpKernel;
use Pterodactyl\Http\Middleware\Api\AuthenticateKey;
use Illuminate\Routing\Middleware\SubstituteBindings;
use Illuminate\Session\Middleware\AuthenticateSession;
use Illuminate\View\Middleware\ShareErrorsFromSession;
@ -25,13 +23,13 @@ use Pterodactyl\Http\Middleware\RedirectIfAuthenticated;
use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth;
use Pterodactyl\Http\Middleware\Api\AuthenticateIPAccess;
use Illuminate\Foundation\Http\Middleware\ValidatePostSize;
use Pterodactyl\Http\Middleware\Api\HandleStatelessRequest;
use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
use Pterodactyl\Http\Middleware\Api\Daemon\DaemonAuthenticate;
use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode;
use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull;
use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientBindings;
use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;
use Pterodactyl\Http\Middleware\Api\Application\AuthenticateApplicationUser;
class Kernel extends HttpKernel
@ -67,29 +65,19 @@ class Kernel extends HttpKernel
RequireTwoFactorAuthentication::class,
],
'api' => [
HandleStatelessRequest::class,
IsValidJson::class,
StartSession::class,
AuthenticateSession::class,
VerifyCsrfToken::class,
EnsureFrontendRequestsAreStateful::class,
'auth:sanctum',
RequireTwoFactorAuthentication::class,
AuthenticateIPAccess::class,
],
'application-api' => [
SubstituteBindings::class,
'api..key:' . ApiKey::TYPE_APPLICATION,
AuthenticateApplicationUser::class,
AuthenticateIPAccess::class,
],
'client-api' => [
SubstituteClientBindings::class,
'api..key:' . ApiKey::TYPE_ACCOUNT,
AuthenticateIPAccess::class,
// This is perhaps a little backwards with the Client API, but logically you'd be unable
// to create/get an API key without first enabling 2FA on the account, so I suppose in the
// end it makes sense.
//
// You just wouldn't be authenticating with the API by providing a 2FA token.
RequireTwoFactorAuthentication::class,
],
// TODO: don't allow an application key to use the client API, but do allow a client
// api key to access the application API.
'client-api' => [SubstituteClientBindings::class],
'daemon' => [
SubstituteBindings::class,
DaemonAuthenticate::class,
@ -112,7 +100,5 @@ class Kernel extends HttpKernel
'bindings' => SubstituteBindings::class,
'recaptcha' => VerifyReCaptcha::class,
'node.maintenance' => MaintenanceMiddleware::class,
// API Specific Middleware
'api..key' => AuthenticateKey::class,
];
}

12
app/Http/Middleware/Api/AuthenticateIPAccess.php
View file

@ -6,6 +6,7 @@ use Closure;
use IPTools\IP;
use IPTools\Range;
use Illuminate\Http\Request;
use Laravel\Sanctum\TransientToken;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
class AuthenticateIPAccess
@ -20,14 +21,19 @@ class AuthenticateIPAccess
*/
public function handle(Request $request, Closure $next)
{
$model = $request->attributes->get('api_key');
/** @var \Laravel\Sanctum\TransientToken|\Pterodactyl\Models\ApiKey $token */
$token = $request->user()->currentAccessToken();
if (is_null($model->allowed_ips) || empty($model->allowed_ips)) {
// If this is a stateful request just push the request through to the next
// middleware in the stack, there is nothing we need to explicitly check. If
// this is a valid API Key, but there is no allowed IP restriction, also pass
// the request through.
if ($token instanceof TransientToken || empty($token->allowed_ips)) {
return $next($request);
}
$find = new IP($request->ip());
foreach ($model->allowed_ips as $ip) {
foreach ($token->allowed_ips as $ip) {
if (Range::parse($ip)->contains($find)) {
return $next($request);
}

109
app/Http/Middleware/Api/AuthenticateKey.php
View file

@ -1,109 +0,0 @@
<?php
namespace Pterodactyl\Http\Middleware\Api;
use Closure;
use Carbon\CarbonImmutable;
use Illuminate\Http\Request;
use Pterodactyl\Models\User;
use Pterodactyl\Models\ApiKey;
use Illuminate\Auth\AuthManager;
use Illuminate\Support\Facades\Session;
use Illuminate\Contracts\Encryption\Encrypter;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
class AuthenticateKey
{
/**
* @var \Illuminate\Auth\AuthManager
*/
private $auth;
/**
* @var \Illuminate\Contracts\Encryption\Encrypter
*/
private $encrypter;
/**
* @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface
*/
private $repository;
/**
* AuthenticateKey constructor.
*/
public function __construct(ApiKeyRepositoryInterface $repository, AuthManager $auth, Encrypter $encrypter)
{
$this->auth = $auth;
$this->encrypter = $encrypter;
$this->repository = $repository;
}
/**
* Handle an API request by verifying that the provided API key is in a valid
* format and exists in the database. If there is currently a user in the session
* do not even bother to look at the token (they provided a cookie for this to
* be the case).
*
* @return mixed
*
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
*/
public function handle(Request $request, Closure $next, int $keyType)
{
if (is_null($request->bearerToken()) && is_null($request->user())) {
throw new HttpException(401, 'A bearer token or valid user session cookie must be provided to access this endpoint.', null, ['WWW-Authenticate' => 'Bearer']);
}
// This is a request coming through using cookies, we have an authenticated user
// not using an API key. Make some fake API key models and continue on through
// the process.
if ($request->user() instanceof User) {
$model = (new ApiKey())->forceFill([
'user_id' => $request->user()->id,
'key_type' => ApiKey::TYPE_ACCOUNT,
]);
} else {
$model = $this->authenticateApiKey($request->bearerToken(), $keyType);
$this->auth->guard()->onceUsingId($model->user_id);
}
$request->attributes->set('api_key', $model);
return $next($request);
}
/**
* Authenticate an API key.
*
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
*/
protected function authenticateApiKey(string $key, int $keyType): ApiKey
{
$identifier = substr($key, 0, ApiKey::IDENTIFIER_LENGTH);
$token = substr($key, ApiKey::IDENTIFIER_LENGTH);
try {
$model = $this->repository->findFirstWhere([
['identifier', '=', $identifier],
['key_type', '=', $keyType],
]);
} catch (RecordNotFoundException $exception) {
throw new AccessDeniedHttpException();
}
if (!hash_equals($this->encrypter->decrypt($model->token), $token)) {
throw new AccessDeniedHttpException();
}
$this->repository->withoutFreshModel()->update($model->id, ['last_used_at' => CarbonImmutable::now()]);
return $model;
}
}

35
app/Http/Middleware/Api/HandleStatelessRequest.php
View file

@ -1,35 +0,0 @@
<?php
namespace Pterodactyl\Http\Middleware\Api;
use Closure;
use Illuminate\Http\Request;
class HandleStatelessRequest
{
/**
* Ensure that the 'Set-Cookie' header is removed from the response if
* a bearer token is present and there is an api_key in the request attributes.
*
* This will also delete the session from the database automatically so that
* it is effectively treated as a stateless request. Any additional requests
* attempting to use that session will find no data.
*
* @return \Illuminate\Http\Response
*/
public function handle(Request $request, Closure $next)
{
/** @var \Illuminate\Http\Response $response */
$response = $next($request);
if (!is_null($request->bearerToken()) && $request->isJson()) {
$request->session()->getHandler()->destroy(
$request->session()->getId()
);
$response->headers->remove('Set-Cookie');
}
return $response;
}
}

29
app/Http/Middleware/VerifyCsrfToken.php
View file

@ -2,8 +2,6 @@
namespace Pterodactyl\Http\Middleware;
use Closure;
use Pterodactyl\Models\ApiKey;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
class VerifyCsrfToken extends BaseVerifier
@ -16,31 +14,4 @@ class VerifyCsrfToken extends BaseVerifier
* @var string[]
*/
protected $except = ['remote/*', 'daemon/*'];
/**
* Manually apply CSRF protection to routes depending on the authentication
* mechanism being used. If the API request is using an API key that exists
* in the database we can safely ignore CSRF protections, since that would be
* a manually initiated request by a user or server.
*
* All other requests should go through the standard CSRF protections that
* Laravel affords us. This code will be removed in v2 since we have switched
* to using Sanctum for the API endpoints, which handles that for us automatically.
*
* @param \Illuminate\Http\Request $request
*
* @return mixed
*
* @throws \Illuminate\Session\TokenMismatchException
*/
public function handle($request, Closure $next)
{
$key = $request->attributes->get('api_key');
if ($key instanceof ApiKey && $key->exists) {
return $next($request);
}
return parent::handle($request, $next);
}
}