Limit to 5 API keys at a time.

Ref advisory #GHSA-pjmh-7xfm-r4x9

Author: DaneEveritt

CHANGELOG.md

@@ -5,6 +5,7 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 
 ## v0.7.17 (Derelict Dermodactylus)
 ### Fixed
+* Limited accounts to 5 API keys at a time.
 * Fixes database passwords not being generated with the proper requirements for some MySQL setups.
 * Hostnames that are not FQDNs/IP addresses can now be used for connecting to a MySQL host.
 

app/Http/Controllers/Base/AccountKeyController.php

@@ -7,6 +7,7 @@
 use Illuminate\Http\Response;
 use Pterodactyl\Models\ApiKey;
 use Prologue\Alerts\AlertsMessageBag;
+use Pterodactyl\Exceptions\DisplayException;
 use Pterodactyl\Http\Controllers\Controller;
 use Pterodactyl\Services\Api\KeyCreationService;
 use Pterodactyl\Http\Requests\Base\StoreAccountKeyRequest;
@@ -76,10 +77,17 @@ public function create(Request $request): View
      * @param \Pterodactyl\Http\Requests\Base\StoreAccountKeyRequest $request
      * @return \Illuminate\Http\RedirectResponse
      *
+     * @throws \Pterodactyl\Exceptions\DisplayException
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      */
     public function store(StoreAccountKeyRequest $request)
     {
+        if ($this->repository->findCountWhere(['user_id' => $request->user()->id]) >= 5) {
+            throw new DisplayException(
+                'Cannot assign more than 5 API keys to an account.'
+            );
+        }
+
         $this->keyService->setKeyType(ApiKey::TYPE_ACCOUNT)->handle([
             'user_id' => $request->user()->id,
             'allowed_ips' => $request->input('allowed_ips'),