StarMC/Astral-nook
StarMC/Astral-nook
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints

Browse source
This commit is contained in:
Dane Everitt 2021-11-16 20:02:18 -08:00
parent cc31a0a6d0
commit bf9cbe2c6d
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
7 changed files with 59 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

2
app/Http/Kernel.php
View file

@ -75,6 +75,7 @@ class Kernel extends HttpKernel
ApiSubstituteBindings::class,
'api..key:' . ApiKey::TYPE_APPLICATION,
AuthenticateApplicationUser::class,
VerifyCsrfToken::class,
AuthenticateIPAccess::class,
],
'client-api' => [
@ -85,6 +86,7 @@ class Kernel extends HttpKernel
SubstituteClientApiBindings::class,
'api..key:' . ApiKey::TYPE_ACCOUNT,
AuthenticateIPAccess::class,
VerifyCsrfToken::class,
// This is perhaps a little backwards with the Client API, but logically you'd be unable
// to create/get an API key without first enabling 2FA on the account, so I suppose in the
// end it makes sense.