From dca53611ff86999144ee177548861ce30d92c854 Mon Sep 17 00:00:00 2001 From: DaneEveritt Date: Sun, 22 May 2022 18:16:47 -0400 Subject: [PATCH] Ensure we don't cause a mess with the auth providers --- app/Http/Kernel.php | 13 ++- app/Providers/RouteServiceProvider.php | 12 +- composer.json | 1 + composer.lock | 152 ++++++++++++++++++++++++- config/cors.php | 59 ++++++++++ resources/scripts/api/auth/login.ts | 11 +- 6 files changed, 233 insertions(+), 15 deletions(-) create mode 100644 config/cors.php diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php index 4c9881949..f2c113b8c 100644 --- a/app/Http/Kernel.php +++ b/app/Http/Kernel.php @@ -2,6 +2,7 @@ namespace Pterodactyl\Http; +use Fruitcake\Cors\HandleCors; use Illuminate\Auth\Middleware\Authorize; use Illuminate\Auth\Middleware\Authenticate; use Illuminate\Http\Middleware\TrustProxies; @@ -26,9 +27,9 @@ use Illuminate\Foundation\Http\Middleware\ValidatePostSize; use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse; use Pterodactyl\Http\Middleware\Api\Daemon\DaemonAuthenticate; use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication; -use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode; use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull; use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientBindings; +use Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance; use Pterodactyl\Http\Middleware\Api\Application\AuthenticateApplicationUser; class Kernel extends HttpKernel @@ -39,12 +40,12 @@ class Kernel extends HttpKernel * @var array */ protected $middleware = [ - CheckForMaintenanceMode::class, - EncryptCookies::class, + TrustProxies::class, + HandleCors::class, + PreventRequestsDuringMaintenance::class, ValidatePostSize::class, TrimStrings::class, ConvertEmptyStringsToNull::class, - TrustProxies::class, ]; /** @@ -54,14 +55,13 @@ class Kernel extends HttpKernel */ protected $middlewareGroups = [ 'web' => [ + EncryptCookies::class, AddQueuedCookiesToResponse::class, StartSession::class, - AuthenticateSession::class, ShareErrorsFromSession::class, VerifyCsrfToken::class, SubstituteBindings::class, LanguageMiddleware::class, - RequireTwoFactorAuthentication::class, ], 'api' => [ EnsureStatefulRequests::class, @@ -91,6 +91,7 @@ class Kernel extends HttpKernel protected $routeMiddleware = [ 'auth' => Authenticate::class, 'auth.basic' => AuthenticateWithBasicAuth::class, + 'auth.session' => AuthenticateSession::class, 'guest' => RedirectIfAuthenticated::class, 'csrf' => VerifyCsrfToken::class, 'throttle' => ThrottleRequests::class, diff --git a/app/Providers/RouteServiceProvider.php b/app/Providers/RouteServiceProvider.php index 2177eb916..f5ac5565d 100644 --- a/app/Providers/RouteServiceProvider.php +++ b/app/Providers/RouteServiceProvider.php @@ -9,6 +9,7 @@ use Illuminate\Cache\RateLimiting\Limit; use Illuminate\Support\Facades\RateLimiter; use Pterodactyl\Http\Middleware\TrimStrings; use Pterodactyl\Http\Middleware\AdminAuthenticate; +use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication; use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider; class RouteServiceProvider extends ServiceProvider @@ -35,12 +36,17 @@ class RouteServiceProvider extends ServiceProvider $this->routes(function () { Route::middleware('web')->group(function () { - Route::middleware('auth')->group(base_path('routes/base.php')); + Route::middleware(['auth.session', RequireTwoFactorAuthentication::class]) + ->group(base_path('routes/base.php')); + + Route::middleware(['auth.session', RequireTwoFactorAuthentication::class, AdminAuthenticate::class]) + ->prefix('/admin') + ->group(base_path('routes/admin.php')); + Route::middleware('guest')->prefix('/auth')->group(base_path('routes/auth.php')); - Route::middleware(['auth', AdminAuthenticate::class])->prefix('/admin')->group(base_path('routes/admin.php')); }); - Route::middleware('api')->group(function () { + Route::middleware(['api', RequireTwoFactorAuthentication::class])->group(function () { Route::middleware(['application-api', 'throttle:api.application']) ->prefix('/api/application') ->scopeBindings() diff --git a/composer.json b/composer.json index eb553e6a7..e8fe36370 100644 --- a/composer.json +++ b/composer.json @@ -19,6 +19,7 @@ "ext-zip": "*", "aws/aws-sdk-php": "^3.171", "doctrine/dbal": "~2.13.9", + "fruitcake/laravel-cors": "~3.0.0", "guzzlehttp/guzzle": "~7.4.2", "hashids/hashids": "~4.1.0", "laracasts/utilities": "~3.2.1", diff --git a/composer.lock b/composer.lock index 534c1958a..b13af61ad 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "0368e946c40456bcd1fb007bfc3e7bf0", + "content-hash": "3bd4e0acecbf871892a813141facfaea", "packages": [ { "name": "aws/aws-crt-php", @@ -923,6 +923,156 @@ ], "time": "2020-12-29T14:50:06+00:00" }, + { + "name": "fruitcake/laravel-cors", + "version": "v3.0.0", + "source": { + "type": "git", + "url": "https://github.com/fruitcake/laravel-cors.git", + "reference": "7c036ec08972d8d5d9db637e772af6887828faf5" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/fruitcake/laravel-cors/zipball/7c036ec08972d8d5d9db637e772af6887828faf5", + "reference": "7c036ec08972d8d5d9db637e772af6887828faf5", + "shasum": "" + }, + "require": { + "fruitcake/php-cors": "^1.2", + "illuminate/contracts": "^6|^7|^8|^9", + "illuminate/support": "^6|^7|^8|^9", + "php": "^7.4|^8.0" + }, + "require-dev": { + "laravel/framework": "^6|^7.24|^8", + "orchestra/testbench-dusk": "^4|^5|^6|^7", + "phpunit/phpunit": "^9", + "squizlabs/php_codesniffer": "^3.5" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "3.0-dev" + }, + "laravel": { + "providers": [ + "Fruitcake\\Cors\\CorsServiceProvider" + ] + } + }, + "autoload": { + "psr-4": { + "Fruitcake\\Cors\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fruitcake", + "homepage": "https://fruitcake.nl" + }, + { + "name": "Barry vd. Heuvel", + "email": "barryvdh@gmail.com" + } + ], + "description": "Adds CORS (Cross-Origin Resource Sharing) headers support in your Laravel application", + "keywords": [ + "api", + "cors", + "crossdomain", + "laravel" + ], + "support": { + "issues": "https://github.com/fruitcake/laravel-cors/issues", + "source": "https://github.com/fruitcake/laravel-cors/tree/v3.0.0" + }, + "funding": [ + { + "url": "https://fruitcake.nl", + "type": "custom" + }, + { + "url": "https://github.com/barryvdh", + "type": "github" + } + ], + "time": "2022-02-23T14:53:22+00:00" + }, + { + "name": "fruitcake/php-cors", + "version": "v1.2.0", + "source": { + "type": "git", + "url": "https://github.com/fruitcake/php-cors.git", + "reference": "58571acbaa5f9f462c9c77e911700ac66f446d4e" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/fruitcake/php-cors/zipball/58571acbaa5f9f462c9c77e911700ac66f446d4e", + "reference": "58571acbaa5f9f462c9c77e911700ac66f446d4e", + "shasum": "" + }, + "require": { + "php": "^7.4|^8.0", + "symfony/http-foundation": "^4.4|^5.4|^6" + }, + "require-dev": { + "phpstan/phpstan": "^1.4", + "phpunit/phpunit": "^9", + "squizlabs/php_codesniffer": "^3.5" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-main": "1.1-dev" + } + }, + "autoload": { + "psr-4": { + "Fruitcake\\Cors\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fruitcake", + "homepage": "https://fruitcake.nl" + }, + { + "name": "Barryvdh", + "email": "barryvdh@gmail.com" + } + ], + "description": "Cross-origin resource sharing library for the Symfony HttpFoundation", + "homepage": "https://github.com/fruitcake/php-cors", + "keywords": [ + "cors", + "laravel", + "symfony" + ], + "support": { + "issues": "https://github.com/fruitcake/php-cors/issues", + "source": "https://github.com/fruitcake/php-cors/tree/v1.2.0" + }, + "funding": [ + { + "url": "https://fruitcake.nl", + "type": "custom" + }, + { + "url": "https://github.com/barryvdh", + "type": "github" + } + ], + "time": "2022-02-20T15:07:15+00:00" + }, { "name": "graham-campbell/result-type", "version": "v1.0.4", diff --git a/config/cors.php b/config/cors.php new file mode 100644 index 000000000..a96bb270c --- /dev/null +++ b/config/cors.php @@ -0,0 +1,59 @@ + ['/api/client', '/api/application', '/api/client/*', '/api/application/*'], + + /* + * Matches the request method. `['*']` allows all methods. + */ + 'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD'], + + /* + * Matches the request origin. `['*']` allows all origins. Wildcards can be used, eg `*.mydomain.com` + */ + 'allowed_origins' => explode(',', env('APP_CORS_ALLOWED_ORIGINS') ?? ''), + + /* + * Patterns that can be used with `preg_match` to match the origin. + */ + 'allowed_origins_patterns' => [], + + /* + * Sets the Access-Control-Allow-Headers response header. `['*']` allows all headers. + */ + 'allowed_headers' => ['*'], + + /* + * Sets the Access-Control-Expose-Headers response header with these headers. + */ + 'exposed_headers' => [], + + /* + * Sets the Access-Control-Max-Age response header when > 0. + */ + 'max_age' => 0, + + /* + * Sets the Access-Control-Allow-Credentials header. + */ + 'supports_credentials' => true, +]; diff --git a/resources/scripts/api/auth/login.ts b/resources/scripts/api/auth/login.ts index af2f5faa3..379b6590e 100644 --- a/resources/scripts/api/auth/login.ts +++ b/resources/scripts/api/auth/login.ts @@ -14,11 +14,12 @@ export interface LoginData { export default ({ username, password, recaptchaData }: LoginData): Promise => { return new Promise((resolve, reject) => { - http.post('/auth/login', { - user: username, - password, - 'g-recaptcha-response': recaptchaData, - }) + http.get('/sanctum/csrf-cookie') + .then(() => http.post('/auth/login', { + user: username, + password, + 'g-recaptcha-response': recaptchaData, + })) .then(response => { if (!(response.data instanceof Object)) { return reject(new Error('An error occurred while processing the login request.'));