Add support for tracking when an activity event is triggered from an API key

Author: DaneEveritt

app/Http/Kernel.php

@@ -16,6 +16,7 @@
 use Pterodactyl\Http\Middleware\LanguageMiddleware;
 use Illuminate\Foundation\Http\Kernel as HttpKernel;
 use Illuminate\Routing\Middleware\SubstituteBindings;
+use Pterodactyl\Http\Middleware\Activity\TrackAPIKey;
 use Illuminate\Session\Middleware\AuthenticateSession;
 use Illuminate\View\Middleware\ShareErrorsFromSession;
 use Pterodactyl\Http\Middleware\MaintenanceMiddleware;
@@ -68,6 +69,7 @@ class Kernel extends HttpKernel
             EnsureStatefulRequests::class,
             'auth:sanctum',
             IsValidJson::class,
+            TrackAPIKey::class,
             RequireTwoFactorAuthentication::class,
             AuthenticateIPAccess::class,
         ],

app/Http/Middleware/Activity/TrackAPIKey.php

@@ -0,0 +1,30 @@
+<?php
+
+namespace Pterodactyl\Http\Middleware\Activity;
+
+use Closure;
+use Illuminate\Http\Request;
+use Pterodactyl\Models\ApiKey;
+use Pterodactyl\Facades\LogTarget;
+
+class TrackAPIKey
+{
+    /**
+     * Determines if the authenticated user making this request is using an actual
+     * API key, or it is just a cookie authenticated session. This data is set in a
+     * request singleton so that all tracked activity log events are properly associated
+     * with the given API key.
+     *
+     * @return mixed
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        if ($request->user()) {
+            $token = $request->user()->currentAccessToken();
+
+            LogTarget::setApiKeyId($token instanceof ApiKey ? $token->id : null);
+        }
+
+        return $next($request);
+    }
+}

app/Models/ActivityLog.php

@@ -8,6 +8,7 @@
 use Pterodactyl\Events\ActivityLogged;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\MassPrunable;
+use Illuminate\Database\Eloquent\Relations\HasOne;
 use Illuminate\Database\Eloquent\Relations\MorphTo;
 use Illuminate\Database\Eloquent\Model as IlluminateModel;
 
@@ -21,11 +22,13 @@
  * @property string|null $description
  * @property string|null $actor_type
  * @property int|null $actor_id
+ * @property int|null $api_key_id
  * @property \Illuminate\Support\Collection|null $properties
  * @property \Carbon\Carbon $timestamp
  * @property IlluminateModel|\Eloquent $actor
  * @property \Illuminate\Database\Eloquent\Collection|\Pterodactyl\Models\ActivityLogSubject[] $subjects
  * @property int|null $subjects_count
+ * @property \Pterodactyl\Models\ApiKey|null $apiKey
  *
  * @method static Builder|ActivityLog forActor(\Illuminate\Database\Eloquent\Model $actor)
  * @method static Builder|ActivityLog forEvent(string $action)
@@ -34,6 +37,7 @@
  * @method static Builder|ActivityLog query()
  * @method static Builder|ActivityLog whereActorId($value)
  * @method static Builder|ActivityLog whereActorType($value)
+ * @method static Builder|ActivityLog whereApiKeyId($value)
  * @method static Builder|ActivityLog whereBatch($value)
  * @method static Builder|ActivityLog whereDescription($value)
  * @method static Builder|ActivityLog whereEvent($value)
@@ -86,6 +90,11 @@ public function subjects()
         return $this->hasMany(ActivityLogSubject::class);
     }
 
+    public function apiKey(): HasOne
+    {
+        return $this->hasOne(ApiKey::class, 'id', 'api_key_id');
+    }
+
     public function scopeForEvent(Builder $builder, string $action): Builder
     {
         return $builder->where('event', $action);

app/Services/Activity/ActivityLogService.php

@@ -210,6 +210,7 @@ protected function getActivity(): ActivityLog
             'ip' => Request::ip(),
             'batch_uuid' => $this->batch->uuid(),
             'properties' => Collection::make([]),
+            'api_key_id' => $this->targetable->apiKeyId(),
         ]);
 
         if ($subject = $this->targetable->subject()) {

app/Services/Activity/ActivityLogTargetableService.php

@@ -10,6 +10,8 @@ class ActivityLogTargetableService
 
     protected ?Model $subject = null;
 
+    protected ?int $apiKeyId = null;
+
     public function setActor(Model $actor): void
     {
         $this->actor = $actor;
@@ -20,6 +22,11 @@ public function setSubject(Model $subject): void
         $this->subject = $subject;
     }
 
+    public function setApiKeyId(?int $apiKeyId): void
+    {
+        $this->apiKeyId = $apiKeyId;
+    }
+
     public function actor(): ?Model
     {
         return $this->actor;
@@ -30,9 +37,15 @@ public function subject(): ?Model
         return $this->subject;
     }
 
+    public function apiKeyId(): ?int
+    {
+        return $this->apiKeyId;
+    }
+
     public function reset(): void
     {
         $this->actor = null;
         $this->subject = null;
+        $this->apiKeyId = null;
     }
 }

app/Transformers/Api/Client/ActivityLogTransformer.php

@@ -19,6 +19,7 @@ public function transform(ActivityLog $model): array
         return [
             'batch' => $model->batch,
             'event' => $model->event,
+            'is_api' => !is_null($model->api_key_id),
             'ip' => $model->ip,
             'description' => $model->description,
             'properties' => $model->properties ? $model->properties->toArray() : [],

database/migrations/2022_06_18_112822_track_api_key_usage_for_activity_events.php

@@ -0,0 +1,31 @@
+<?php
+
+use Illuminate\Support\Facades\Schema;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Migrations\Migration;
+
+return new class () extends Migration {
+    /**
+     * Run the migrations.
+     *
+     * @return void
+     */
+    public function up()
+    {
+        Schema::table('activity_logs', function (Blueprint $table) {
+            $table->unsignedInteger('api_key_id')->nullable()->after('actor_id');
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     *
+     * @return void
+     */
+    public function down()
+    {
+        Schema::table('activity_logs', function (Blueprint $table) {
+            $table->dropColumn('api_key_id');
+        });
+    }
+};