a5521ecb79
Add support for returning transforming activity logs on the front-end
2022-05-29 20:34:48 -04:00
9b7af02690
Add activity logging to most of the endpoints
2022-05-29 19:26:28 -04:00
287fd60891
Log activity when modifying account details
2022-05-29 18:48:35 -04:00
0b2c0db170
Remove last references to audit logs
2022-05-29 18:20:54 -04:00
2fc5a734f9
Update backup logic to use activity logs, not audit logs
2022-05-29 16:19:04 -04:00
cbecfff6da
Add activity logging for files
2022-05-29 13:56:39 -04:00
0999ad7ff0
Add activity logging for authentication events
2022-05-28 17:03:58 -04:00
5bb66a00d8
Add new activity logging code to replace audit log
2022-05-28 15:36:26 -04:00
c14c7b436e
Pass along new fields to Wings instance when endpoint is used; closes #4048
2022-05-28 13:45:23 -04:00
b051718afe
Fix up API handling logic for keys and set a prefix on all keys
2022-05-22 19:03:51 -04:00
dca53611ff
Ensure we don't cause a mess with the auth providers
2022-05-22 18:16:47 -04:00
3ae70efc14
Use existing method to handle the login
2022-05-22 17:26:32 -04:00
4d3362b24f
Perform a bit of code cleanup
2022-05-22 17:23:48 -04:00
56f15c15a1
We can make this middleware significantly simpler
2022-05-22 16:54:07 -04:00
0fa33e0438
Mark a request as being stateful if a cookie for the session is provided at all
...
This accounts for poorly configured API clients that try to use cookies for authentication purposes. Treat everything with a session cookie as being a stateful request from the front-end.
2022-05-22 16:50:36 -04:00
33bafe9277
Simplify transformer logic
2022-05-22 16:23:22 -04:00
f7fc67344e
Ensure tokens are found in the database using the expected logic
2022-05-22 16:05:58 -04:00
e9c633fd03
Update transformers and controllers to no longer pull an API key attribute
2022-05-22 15:37:39 -04:00
bd37978a98
Initial pass at implementing Laravel Sanctum for authorization on the API
2022-05-22 14:57:06 -04:00
e313dff674
Massively simplify API binding logic
...
Changes the API internals to use normal Laravel binding which automatically supports nested-models and can determine their relationships. This removes a lot of confusingly complex internal logic and replaces it with standard Laravel code.
This also removes a deprecated "getModel" method and fully replaces it with a "parameter" method that does stricter type-checking.
2022-05-22 14:10:01 -04:00
d4bf6bd46a
Add test coverage and fix permissions mistake
2022-05-15 17:30:57 -04:00
a9364061c1
Store keys in standard format; query with fingerprint not public key
2022-05-15 16:41:15 -04:00
b563f13d09
Trim the key provided to query correctly; don't increment throttles when keys aren't found
2022-05-15 16:23:17 -04:00
3d6a30c9fd
Oops, don't make this abstract
2022-05-15 16:06:00 -04:00
412ac5ef39
Have the panel handle all of the authorization for both public key and password based attempts
2022-05-15 16:00:08 -04:00
e856daee19
Reject requests for public key auth when the user has no keys
2022-05-15 15:47:06 -04:00
12927a3202
Update SFTP authentication endpoint to support returning user public keys
2022-05-15 15:37:58 -04:00
6554164252
Add test coverage for the SSH key endpoints
2022-05-14 18:08:48 -04:00
97280a62a2
Add support for storing SSH keys on user accounts
2022-05-14 17:31:53 -04:00
5705d7dbdd
Run php-cs-fixer
2022-05-14 16:03:50 -04:00
65f27d41a2
Switch to more recent Laravel route definition methods
2022-05-14 15:51:05 -04:00
c8faf64059
Support naming docker images on eggs; closes #4052
...
Bumps PTDL_v1 export images to PTDL_v2, updates the Minecraft specific eggs to use named images.
2022-05-07 17:45:22 -04:00
634b80ed42
Add support for filtering allocations to determine if they're assigned or not; closes #3872
2022-05-07 16:16:11 -04:00
e88d24e0db
Don't allow allocations to be deleted by users if no limit is defined; closes #3703
2022-05-07 15:05:28 -04:00
c751ce7f44
Allow more values for remote field when creating a database; closes #3842
2022-05-07 14:17:10 -04:00
530558b0f8
Update deprecated JSON response creation and unnecessary middleware
2022-05-04 19:23:01 -04:00
34ffaebd3e
Run cs-fix, ensure we only install dependency versions supporting 7.4+
2022-05-04 19:01:29 -04:00
5120590e47
ref: remove google analytics ( #3912 )
2022-02-05 09:08:43 -08:00
dfa329ddf2
[security] ensure session is only for that request when authenticating user API key
...
https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv
2022-01-19 21:09:17 -05:00
28f7a809a5
fix: exception localization ( #3850 )
...
resolves #3849
2022-01-15 08:10:37 -08:00
bf9cbe2c6d
Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints
2021-11-16 20:02:18 -08:00
17c03e9a4d
Fix broken session management for application api
2021-11-03 21:33:21 -07:00
60eff40a0c
Fix session management on client API requests; closes #3727
...
Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for
requests. That pathway found the current request user before continuing on to
other in-app middleware, thus the user was available downstream.
Changes introduced in 1.6.3 changed the throttler logic, therefore removing this
step. As a result, the client API could not always get the currently authenticated
user when cookies were used (aka, requests from the Panel UI, and not API directly).
This change corrects the logic to get the session setup correctly before falling
through to authenticating as a user using the API key. If a cookie is present and a
user is found as a result that session will be used. If an API key is provided it is
ignored when a cookie is also present.
In order to keep the API stateless any session created for an API request stemming
from an API key will have the associated session deleted at the end of the request,
and the 'Set-Cookies' header will be stripped from the response.
2021-11-03 20:51:39 -07:00
22a8b2b3a2
Use more standardized rate limiting in Laravel; apply limits to auth routes
2021-10-23 12:17:16 -07:00
4a84c36009
Fix security vulnerability when authenticating a two-factor authentication token for a user
...
See associated security advisory for technical details on the content of this security fix.
GHSA ID: GHSA-5vfx-8w6m-h3v4
2021-09-21 21:30:08 -07:00
e96ead4c4d
Update API calls to Wings to only pass the required details with the changes to the installer system
2021-08-29 14:09:43 -07:00
b4cae916ac
transfers: fix allocation array merging logic ( #3551 )
2021-08-18 12:58:41 -06:00
2b3303c46b
Fix changing a user password to not incorrectly handle logging out old sessions; closes #3531
2021-08-15 17:37:12 -07:00
25d9ba4779
Run php-cs-fixer
2021-08-15 17:20:36 -07:00
10b357b71e
ui(server): fix used backup count ( #3526 )
...
* ui(server): fix used backup count
* ui(server): refactor backup count code
2021-08-04 20:34:00 -07:00
970f281859
backups: default is_successful to false ( #3522 )
...
* backups: default is_successful to false
* backups: properly query backups
2021-08-03 19:45:25 -07:00
bda1ff50ab
[UI] Display the 2FA token, show spinner on load ( #3367 )
...
Co-authored-by: Dane Everitt <dane@daneeveritt.com>
2021-08-02 20:39:12 -07:00
1a79b4827c
backups: allow updating a failed backup ( #3470 )
2021-07-18 08:46:20 -07:00
d049839ffc
Fix deleting a backup that is locked and failed; closes #3404
2021-06-13 10:26:47 -07:00
d45c67a6e1
Allow to find servers by short UUID (Application API) ( #3340 )
2021-06-05 08:43:57 -07:00
9656378783
Fix 401 error typo ( #3393 )
2021-06-03 13:35:51 -07:00
76ac1998cf
Don't allow backups to be made via schedules if limit = 0 ( #3323 )
2021-05-16 09:47:36 -07:00
5d5e4ca7b1
Add support for locking backups to prevent any accidental deletions
2021-05-03 21:26:09 -07:00
92cd659db3
Add underlying data changes necessary for new task & schedule features
2021-05-01 10:44:40 -07:00
552b9d3c33
Add possibility to run disabled cron
2021-04-24 15:06:21 -07:00
77a3ca682f
Change to actual function names to support MariaDB
2021-04-08 17:34:25 -04:00
45680cab47
Don't use tagging, closes #3224
2021-04-03 10:53:41 -07:00
48ad8f538e
Always allow specifying a page size with the API; closes #3218
2021-03-26 09:03:51 -07:00
9b46d59045
Cache resource lookup results for 20 seconds for each server
2021-03-21 12:29:18 -07:00
8c7d785c9e
Ensure a created_at value is set on recovery tokens; closes #3163
2021-03-21 10:43:01 -07:00
582521f419
fix: backup restore delete all files
2021-03-12 14:47:49 -07:00
1476104b30
Fix inability to download files from the panel; closes #3151
...
Co-Authored-By: xcgc <74693042+xcgc@users.noreply.github.com>
2021-03-07 09:45:27 -08:00
397df3bf71
Update ServerInstallController.php
2021-03-06 15:52:24 +08:00
1b2c4931ee
Add endpoint logic necessary to reset server states if they get stuck installing/restoring when wings restarts
2021-02-23 21:20:02 -08:00
94ea9c37d0
Don't require auto-allocation settings if not enabled; closes #3085
2021-02-17 21:11:23 -08:00
352910f897
api(remote): fix inproper reading of boolean for installation status
2021-02-06 10:16:08 -07:00
00da092e45
Fix tests
2021-01-30 19:12:22 -08:00
e30a765071
Simplify logic when a server is in an unsupported state
2021-01-30 13:28:31 -08:00
be26921fcc
Merge branch 'develop' into dane/restore-backups
2021-01-30 10:10:29 -08:00
5515871b2f
Turns out I hate that huge space formatting, disable that mess
2021-01-27 20:52:11 -08:00
b00def2537
Switch to JSON from TEXT when storing denylist items for an egg; closes #3034
2021-01-26 21:08:53 -08:00
0dd0f09238
Formatting cleanup for backups
2021-01-25 19:25:15 -08:00
0a2c89e9f4
Reeformat with new rules post merge
2021-01-25 19:20:51 -08:00
663143de0b
Merge branch 'develop' into dane/restore-backups
2021-01-25 19:16:40 -08:00
b480a9e4e2
Make php-cs-fixer work in phpstorm
2021-01-23 13:44:35 -08:00
c449ca5155
Use more standardized phpcs
2021-01-23 12:33:34 -08:00
a043071e3c
Update to Laravel 8
...
Co-authored-by: Matthew Penner <me@matthewp.io>
2021-01-23 12:12:54 -08:00
aab353d91e
Merge pull request #3011 from AreYouRlyScared/addcronmonth
...
Adds months for schedules
2021-01-20 20:10:26 -08:00
e8dcd30e0c
[security] fix resources not properly returning an error when they don't match the server in the URL
...
Prior to this fix certain resources were accessible even when their assigned server was not the same as the server in the URL. This causes the resource server relationship to not match the server variable present on the request.
Due to this failed logic it was possible for users to access resources they should not have been able to access otherwise for some areas of the panel.
2021-01-19 21:19:17 -08:00
f24193801a
Add endpoint for triggering restoration completion
2021-01-18 21:14:49 -08:00
8d69a60e28
Only allow restoring valid backups, set the server correctly on the repository
2021-01-18 20:11:49 -08:00
87371901c0
Add base logic to support sending a request to restore a backup for a server
2021-01-17 17:51:09 -08:00
8db3a05498
;-;
2021-01-17 16:08:41 -08:00
cb40b280a4
Fix single failing test
2021-01-17 15:55:46 -08:00
a75a347d65
Remove suspended & installing fields, replace with single status field
2021-01-17 15:51:56 -08:00
4c29be2e54
Adjust some naming real quick
2021-01-17 15:25:49 -08:00
bfc6f34c50
Audit when a backup is successful or fails
2021-01-17 15:22:02 -08:00
291c65275a
Update audit design
2021-01-17 11:52:44 -08:00
ccecaa6694
Add basic auditing for filesystem actions
...
Specifically skipping read actions since there isn't much to say there, and it generally wouldn't be very helpful (plus, likely to generate lots of logs).
2021-01-17 11:46:08 -08:00
ffeedf17e4
Adds months for schedules
...
Adds month variable for schedules
2021-01-16 22:07:39 -05:00
239984f92c
Add internal support for file denylist on eggs; closes #569
2021-01-10 17:02:14 -08:00
ff21d83e2d
Add endpoint to get all nodes meeting memory & disk requirements for a server; closes #1012
2021-01-10 13:08:43 -08:00
a7fef8b736
Correctly handle backups that fail without an upload_id attached to them
2020-12-27 11:56:28 -08:00
952715facc
Fix handling of upload IDs on backups
2020-12-27 11:34:55 -08:00
951d92b143
Store S3 upload_id in the database for backups
2020-12-26 11:59:21 -07:00
DaneEveritt
Alex
Matthew Penner
Mia
Mark Ross
Charles Morgan
Julien Tant
Lance Pioch
xcgc