Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints
This commit is contained in:
Dane Everitt
parent
cc31a0a6d0
commit
bf9cbe2c6d
7 changed files with 59 additions and 14 deletions
|
|
@ -8,6 +8,7 @@ use Illuminate\Http\Request;
|
|||
use Pterodactyl\Models\User;
|
||||
use Pterodactyl\Models\ApiKey;
|
||||
use Illuminate\Auth\AuthManager;
|
||||
use Illuminate\Support\Facades\Session;
|
||||
use Illuminate\Contracts\Encryption\Encrypter;
|
||||
use Symfony\Component\HttpKernel\Exception\HttpException;
|
||||
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
|
||||
|
|
@ -55,7 +56,7 @@ class AuthenticateKey
|
|||
public function handle(Request $request, Closure $next, int $keyType)
|
||||
{
|
||||
if (is_null($request->bearerToken()) && is_null($request->user())) {
|
||||
throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
|
||||
throw new HttpException(401, 'A bearer token or valid user session cookie must be provided to access this endpoint.', null, ['WWW-Authenticate' => 'Bearer']);
|
||||
}
|
||||
|
||||
// This is a request coming through using cookies, we have an authenticated user
|
||||
|
|
|
|||
|
|
@ -2,18 +2,45 @@
|
|||
|
||||
namespace Pterodactyl\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use Pterodactyl\Models\ApiKey;
|
||||
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
|
||||
|
||||
class VerifyCsrfToken extends BaseVerifier
|
||||
{
|
||||
/**
|
||||
* The URIs that should be excluded from CSRF verification.
|
||||
* The URIs that should be excluded from CSRF verification. These are
|
||||
* never hit by the front-end, and require specific token validation
|
||||
* to work.
|
||||
*
|
||||
* @var array
|
||||
* @var string[]
|
||||
*/
|
||||
protected $except = [
|
||||
'remote/*',
|
||||
'daemon/*',
|
||||
'api/*',
|
||||
];
|
||||
protected $except = ['remote/*', 'daemon/*'];
|
||||
|
||||
/**
|
||||
* Manually apply CSRF protection to routes depending on the authentication
|
||||
* mechanism being used. If the API request is using an API key that exists
|
||||
* in the database we can safely ignore CSRF protections, since that would be
|
||||
* a manually initiated request by a user or server.
|
||||
*
|
||||
* All other requests should go through the standard CSRF protections that
|
||||
* Laravel affords us. This code will be removed in v2 since we have switched
|
||||
* to using Sanctum for the API endpoints, which handles that for us automatically.
|
||||
*
|
||||
* @param \Illuminate\Http\Request $request
|
||||
* @param \Closure $next
|
||||
* @return mixed
|
||||
*
|
||||
* @throws \Illuminate\Session\TokenMismatchException
|
||||
*/
|
||||
public function handle($request, Closure $next)
|
||||
{
|
||||
$key = $request->attributes->get('api_key');
|
||||
|
||||
if ($key instanceof ApiKey && $key->exists) {
|
||||
return $next($request);
|
||||
}
|
||||
|
||||
return parent::handle($request, $next);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Reference in a new issue