StarMC/Astral-nook
StarMC/Astral-nook
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints

Browse source
This commit is contained in:
Dane Everitt 2021-11-16 20:02:18 -08:00
parent cc31a0a6d0
commit bf9cbe2c6d
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
7 changed files with 59 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

3
app/Http/Middleware/Api/AuthenticateKey.php
View file

@ -8,6 +8,7 @@ use Illuminate\Http\Request;
use Pterodactyl\Models\User;
use Pterodactyl\Models\ApiKey;
use Illuminate\Auth\AuthManager;
use Illuminate\Support\Facades\Session;
use Illuminate\Contracts\Encryption\Encrypter;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
@ -55,7 +56,7 @@ class AuthenticateKey
public function handle(Request $request, Closure $next, int $keyType)
{
if (is_null($request->bearerToken()) && is_null($request->user())) {
throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
throw new HttpException(401, 'A bearer token or valid user session cookie must be provided to access this endpoint.', null, ['WWW-Authenticate' => 'Bearer']);
}
// This is a request coming through using cookies, we have an authenticated user