sonot
/
PteroTheme
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
4,297 Commits 61 Branches 128 Tags 29 MiB
Commit Graph

1177 Commits

Author SHA1 Message Date
DaneEveritt 0fa33e0438
Mark a request as being stateful if a cookie for the session is provided at all 
This accounts for poorly configured API clients that try to use cookies for authentication purposes. Treat everything with a session cookie as being a stateful request from the front-end.
 2022-05-22 16:50:36 -04:00
DaneEveritt 33bafe9277
Simplify transformer logic 2022-05-22 16:23:22 -04:00
DaneEveritt f7fc67344e
Ensure tokens are found in the database using the expected logic 2022-05-22 16:05:58 -04:00
DaneEveritt e9c633fd03
Update transformers and controllers to no longer pull an API key attribute 2022-05-22 15:37:39 -04:00
DaneEveritt bd37978a98
Initial pass at implementing Laravel Sanctum for authorization on the API 2022-05-22 14:57:06 -04:00
DaneEveritt e313dff674
Massively simplify API binding logic 
Changes the API internals to use normal Laravel binding which automatically supports nested-models and can determine their relationships. This removes a lot of confusingly complex internal logic and replaces it with standard Laravel code.

This also removes a deprecated "getModel" method and fully replaces it with a "parameter" method that does stricter type-checking.
 2022-05-22 14:10:01 -04:00
DaneEveritt d4bf6bd46a
Add test coverage and fix permissions mistake 2022-05-15 17:30:57 -04:00
DaneEveritt a9364061c1
Store keys in standard format; query with fingerprint not public key 2022-05-15 16:41:15 -04:00
DaneEveritt b563f13d09
Trim the key provided to query correctly; don't increment throttles when keys aren't found 2022-05-15 16:23:17 -04:00
DaneEveritt 3d6a30c9fd
Oops, don't make this abstract 2022-05-15 16:06:00 -04:00
DaneEveritt 412ac5ef39
Have the panel handle all of the authorization for both public key and password based attempts 2022-05-15 16:00:08 -04:00
DaneEveritt e856daee19
Reject requests for public key auth when the user has no keys 2022-05-15 15:47:06 -04:00
DaneEveritt 12927a3202
Update SFTP authentication endpoint to support returning user public keys 2022-05-15 15:37:58 -04:00
DaneEveritt 6554164252
Add test coverage for the SSH key endpoints 2022-05-14 18:08:48 -04:00
DaneEveritt 97280a62a2
Add support for storing SSH keys on user accounts 2022-05-14 17:31:53 -04:00
DaneEveritt 5705d7dbdd
Run php-cs-fixer 2022-05-14 16:03:50 -04:00
DaneEveritt 65f27d41a2
Switch to more recent Laravel route definition methods 2022-05-14 15:51:05 -04:00
DaneEveritt c8faf64059
Support naming docker images on eggs; closes #4052 
Bumps PTDL_v1 export images to PTDL_v2, updates the Minecraft specific eggs to use named images.
 2022-05-07 17:45:22 -04:00
DaneEveritt 634b80ed42
Add support for filtering allocations to determine if they're assigned or not; closes #3872 2022-05-07 16:16:11 -04:00
DaneEveritt e88d24e0db
Don't allow allocations to be deleted by users if no limit is defined; closes #3703 2022-05-07 15:05:28 -04:00
DaneEveritt c751ce7f44
Allow more values for remote field when creating a database; closes #3842 2022-05-07 14:17:10 -04:00
DaneEveritt 530558b0f8
Update deprecated JSON response creation and unnecessary middleware 2022-05-04 19:23:01 -04:00
DaneEveritt 34ffaebd3e
Run cs-fix, ensure we only install dependency versions supporting 7.4+ 2022-05-04 19:01:29 -04:00
Alex 5120590e47
ref: remove google analytics (#3912) 2022-02-05 09:08:43 -08:00
Dane Everitt dfa329ddf2
[security] ensure session is only for that request when authenticating user API key 
https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv
 2022-01-19 21:09:17 -05:00
Alex 28f7a809a5
fix: exception localization (#3850) 
resolves #3849
 2022-01-15 08:10:37 -08:00
Dane Everitt bf9cbe2c6d
Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints 2021-11-16 20:02:18 -08:00
Dane Everitt 17c03e9a4d
Fix broken session management for application api 2021-11-03 21:33:21 -07:00
Dane Everitt 60eff40a0c
Fix session management on client API requests; closes #3727 
Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for
requests. That pathway found the current request user before continuing on to
other in-app middleware, thus the user was available downstream.

Changes introduced in 1.6.3 changed the throttler logic, therefore removing this
step. As a result, the client API could not always get the currently authenticated
user when cookies were used (aka, requests from the Panel UI, and not API directly).

This change corrects the logic to get the session setup correctly before falling
through to authenticating as a user using the API key. If a cookie is present and a
user is found as a result that session will be used. If an API key is provided it is
ignored when a cookie is also present.

In order to keep the API stateless any session created for an API request stemming
from an API key will have the associated session deleted at the end of the request,
and the 'Set-Cookies' header will be stripped from the response.
 2021-11-03 20:51:39 -07:00
Dane Everitt 22a8b2b3a2
Use more standardized rate limiting in Laravel; apply limits to auth routes 2021-10-23 12:17:16 -07:00
Dane Everitt 4a84c36009
Fix security vulnerability when authenticating a two-factor authentication token for a user 
See associated security advisory for technical details on the content of this security fix.

GHSA ID: GHSA-5vfx-8w6m-h3v4
 2021-09-21 21:30:08 -07:00
Dane Everitt e96ead4c4d
Update API calls to Wings to only pass the required details with the changes to the installer system 2021-08-29 14:09:43 -07:00
Matthew Penner b4cae916ac
transfers: fix allocation array merging logic (#3551) 2021-08-18 12:58:41 -06:00
Dane Everitt 2b3303c46b
Fix changing a user password to not incorrectly handle logging out old sessions; closes #3531 2021-08-15 17:37:12 -07:00
Dane Everitt 25d9ba4779
Run php-cs-fixer 2021-08-15 17:20:36 -07:00
Matthew Penner 10b357b71e
ui(server): fix used backup count (#3526) 
* ui(server): fix used backup count

* ui(server): refactor backup count code
 2021-08-04 20:34:00 -07:00
Matthew Penner 970f281859
backups: default is_successful to false (#3522) 
* backups: default is_successful to false
* backups: properly query backups
 2021-08-03 19:45:25 -07:00
Mia bda1ff50ab
[UI] Display the 2FA token, show spinner on load (#3367) 
Co-authored-by: Dane Everitt <dane@daneeveritt.com>
 2021-08-02 20:39:12 -07:00
Matthew Penner 1a79b4827c
backups: allow updating a failed backup (#3470) 2021-07-18 08:46:20 -07:00
Dane Everitt d049839ffc
Fix deleting a backup that is locked and failed; closes #3404 2021-06-13 10:26:47 -07:00
Mark Ross d45c67a6e1
Allow to find servers by short UUID (Application API) (#3340) 2021-06-05 08:43:57 -07:00
Alex 9656378783
Fix 401 error typo (#3393) 2021-06-03 13:35:51 -07:00
Charles Morgan 76ac1998cf
Don't allow backups to be made via schedules if limit = 0 (#3323) 2021-05-16 09:47:36 -07:00
Dane Everitt 5d5e4ca7b1
Add support for locking backups to prevent any accidental deletions 2021-05-03 21:26:09 -07:00
Dane Everitt 92cd659db3
Add underlying data changes necessary for new task & schedule features 2021-05-01 10:44:40 -07:00
Julien Tant 552b9d3c33 Add possibility to run disabled cron 2021-04-24 15:06:21 -07:00
Lance Pioch 77a3ca682f
Change to actual function names to support MariaDB 2021-04-08 17:34:25 -04:00
Dane Everitt 45680cab47
Don't use tagging, closes #3224 2021-04-03 10:53:41 -07:00
Dane Everitt 48ad8f538e
Always allow specifying a page size with the API; closes #3218 2021-03-26 09:03:51 -07:00
Dane Everitt 9b46d59045
Cache resource lookup results for 20 seconds for each server 2021-03-21 12:29:18 -07:00