Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints

app/Http/Kernel.php

@@ -75,6 +75,7 @@ class Kernel extends HttpKernel
             ApiSubstituteBindings::class,
             'api..key:' . ApiKey::TYPE_APPLICATION,
             AuthenticateApplicationUser::class,
+            VerifyCsrfToken::class,
             AuthenticateIPAccess::class,
         ],
         'client-api' => [
@@ -85,6 +86,7 @@ class Kernel extends HttpKernel
             SubstituteClientApiBindings::class,
             'api..key:' . ApiKey::TYPE_ACCOUNT,
             AuthenticateIPAccess::class,
+            VerifyCsrfToken::class,
             // This is perhaps a little backwards with the Client API, but logically you'd be unable
             // to create/get an API key without first enabling 2FA on the account, so I suppose in the
             // end it makes sense.

app/Http/Middleware/Api/AuthenticateKey.php

@@ -8,6 +8,7 @@ use Illuminate\Http\Request;
 use Pterodactyl\Models\User;
 use Pterodactyl\Models\ApiKey;
 use Illuminate\Auth\AuthManager;
+use Illuminate\Support\Facades\Session;
 use Illuminate\Contracts\Encryption\Encrypter;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
@@ -55,7 +56,7 @@ class AuthenticateKey
     public function handle(Request $request, Closure $next, int $keyType)
     {
         if (is_null($request->bearerToken()) && is_null($request->user())) {
-            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
+            throw new HttpException(401, 'A bearer token or valid user session cookie must be provided to access this endpoint.', null, ['WWW-Authenticate' => 'Bearer']);
         }
 
         // This is a request coming through using cookies, we have an authenticated user

app/Http/Middleware/VerifyCsrfToken.php

@@ -2,18 +2,45 @@
 
 namespace Pterodactyl\Http\Middleware;
 
+use Closure;
+use Pterodactyl\Models\ApiKey;
 use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
 
 class VerifyCsrfToken extends BaseVerifier
 {
     /**
-     * The URIs that should be excluded from CSRF verification.
+     * The URIs that should be excluded from CSRF verification. These are
+     * never hit by the front-end, and require specific token validation
+     * to work.
      *
-     * @var array
+     * @var string[]
      */
-    protected $except = [
-        'remote/*',
-        'daemon/*',
-        'api/*',
-    ];
+    protected $except = ['remote/*', 'daemon/*'];
+
+    /**
+     * Manually apply CSRF protection to routes depending on the authentication
+     * mechanism being used. If the API request is using an API key that exists
+     * in the database we can safely ignore CSRF protections, since that would be
+     * a manually initiated request by a user or server.
+     *
+     * All other requests should go through the standard CSRF protections that
+     * Laravel affords us. This code will be removed in v2 since we have switched
+     * to using Sanctum for the API endpoints, which handles that for us automatically.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Closure $next
+     * @return mixed
+     *
+     * @throws \Illuminate\Session\TokenMismatchException
+     */
+    public function handle($request, Closure $next)
+    {
+        $key = $request->attributes->get('api_key');
+
+        if ($key instanceof ApiKey && $key->exists) {
+            return $next($request);
+        }
+
+        return parent::handle($request, $next);
+    }
 }