From c701aa08251300fa533020f84d37c8c8f6327e6d Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Sat, 16 Jan 2016 20:17:46 -0500
Subject: [PATCH] Add support for CIDR ranges on API
---
 app/Http/Middleware/APISecretToken.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/app/Http/Middleware/APISecretToken.php b/app/Http/Middleware/APISecretToken.php
index 0ac1fe2db..52d5a14f5 100644
--- a/app/Http/Middleware/APISecretToken.php
+++ b/app/Http/Middleware/APISecretToken.php
@@ -3,6 +3,8 @@
 namespace Pterodactyl\Http\Middleware;
 use Crypt;
+use IPTools\IP;
+use IPTools\Range;
 use Pterodactyl\Models\APIKey;
 use Pterodactyl\Models\APIPermission;
@@ -49,8 +51,15 @@ class APISecretToken extends Authorization
 // Check for Resource Permissions
 if (!empty($request->route()->getName())) {
 if(!is_null($key->allowed_ips)) {
- if (!in_array($request->ip(), json_decode($key->allowed_ips))) {
- throw new AccessDeniedHttpException('This IP address does not have permission to use this API key.');
+ $inRange = false;
+ foreach(json_decode($key->allowed_ips) as $ip) {
+ if (Range::parse($ip)->contains(new IP($request->ip()))) {
+ $inRange = true;
+ break;
+ }
+ }
+ if (!$inRange) {
+ throw new AccessDeniedHttpException('This IP address <' . $request->ip() . '> does not have permission to use this API key.');
 }
 }
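Review bot: The allow-list loop in the second hunk calls `Range::parse($ip)` on every stored entry with no guard. If IPTools throws on bad input, as it appears to, one malformed value in `allowed_ips` would surface as an unhandled server error rather than the intended `AccessDeniedHttpException`; a `json_decode` result that is not an array would similarly hit `foreach` with a non-iterable. Treat a parse failure as a non-match so the check still fails closed with the 403, and build `new IP($request->ip())` once before the loop instead of per entry. Because this is an access-control decision keyed on `$request->ip()`, also confirm the trusted-proxy configuration so that a client-supplied forwarding header cannot choose the address being matched. The enclosing method starts and ends outside the hunk.

```php
// … unchanged: route-name and allowed_ips null checks …
$inRange = false;
$clientIp = new IP($request->ip());
foreach ((array) json_decode($key->allowed_ips, true) as $ip) {
    try {
        if (Range::parse($ip)->contains($clientIp)) {
            $inRange = true;
            break;
        }
    } catch (\Exception $e) {
        // Malformed allow-list entry: treat as a non-match so the check fails closed.
        continue;
    }
}
// … unchanged: AccessDeniedHttpException when !$inRange …
```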