Add front-end support for adding and deleting API keys.

Author: DaneEveritt

app/Http/Controllers/Base/APIController.php

@@ -25,9 +25,12 @@
 namespace Pterodactyl\Http\Controllers\Base;
 
 use Alert;
+use Log;
 
 use Pterodactyl\Models;
 
+use Pterodactyl\Repositories\APIRepository;
+use Pterodactyl\Exceptions\DisplayValidationException;
 use Pterodactyl\Exceptions\DisplayException;
 use Pterodactyl\Http\Controllers\Controller;
 
@@ -45,7 +48,6 @@ public function index(Request $request)
         return view('base.api.index', [
             'keys' => $keys
         ]);
-
     }
 
     public function new(Request $request)
@@ -55,6 +57,32 @@ public function new(Request $request)
 
     public function save(Request $request)
     {
+        try {
+            $repo = new APIRepository($request->user());
+            $secret = $repo->new($request->except(['_token']));
+            Alert::success('An API Keypair has successfully been generated. The API secret for this public key is shown below and will not be shown again.<br /><br /><code>' . $secret . '</code>')->flash();
+            return redirect()->route('account.api');
+        } catch (DisplayValidationException $ex) {
+            return redirect()->route('account.api.new')->withErrors(json_decode($ex->getMessage()))->withInput();
+        } catch (DisplayException $ex) {
+            Alert::danger($ex->getMessage())->flash();
+        } catch (\Exception $ex) {
+            Log::error($ex);
+            Alert::danger('An unhandled exception occured while attempting to add this API key.')->flash();
+        }
+        return redirect()->route('account.api.new')->withInput();
+    }
 
+    public function revoke(Request $request, $key)
+    {
+        try {
+            $repo = new APIRepository($request->user());
+            $repo->revoke($key);
+            return response('', 204);
+        } catch (\Exception $ex) {
+            return response()->json([
+                'error' => 'An error occured while attempting to remove this key.'
+            ], 503);
+        }
     }
 }

app/Http/Routes/APIRoutes.php

@@ -34,7 +34,7 @@ public function map(Router $router) {
         $api = app('Dingo\Api\Routing\Router');
         $api->version('v1', ['prefix' => 'api/me', 'middleware' => 'api.auth'], function ($api) {
             $api->get('/', [
-                'as' => 'api.user',
+                'as' => 'api.user.me',
                 'uses' => 'Pterodactyl\Http\Controllers\API\User\InfoController@me'
             ]);
 

app/Http/Routes/BaseRoutes.php

@@ -88,6 +88,10 @@ public function map(Router $router) {
             $router->post('/new', [
                 'uses' => 'Base\APIController@save'
             ]);
+
+            $router->delete('/revoke/{key}', [
+                'uses' => 'Base\APIController@revoke'
+            ]);
         });
 
         // TOTP Routes

app/Repositories/APIRepository.php

@@ -23,6 +23,7 @@
  */
 namespace Pterodactyl\Repositories;
 
+use Auth;
 use DB;
 use Crypt;
 use Validator;
@@ -40,38 +41,51 @@ class APIRepository
      * @var array
      */
     protected $permissions = [
-        '*',
-
-        // User Management Routes
-        'api.users.list',
-        'api.users.create',
-        'api.users.view',
-        'api.users.update',
-        'api.users.delete',
-
-        // Server Manaement Routes
-        'api.servers.list',
-        'api.servers.create',
-        'api.servers.view',
-        'api.servers.config',
-        'api.servers.build',
-        'api.servers.suspend',
-        'api.servers.unsuspend',
-        'api.servers.delete',
-
-        // Node Management Routes
-        'api.nodes.list',
-        'api.nodes.create',
-        'api.nodes.list',
-        'api.nodes.allocations',
-        'api.nodes.delete',
-
-        // Service Routes
-        'api.services.list',
-        'api.services.view',
-
-        // Location Routes
-        'api.locations.list',
+        'admin' => [
+            '*',
+
+            // User Management Routes
+            'users.list',
+            'users.create',
+            'users.view',
+            'users.update',
+            'users.delete',
+
+            // Server Manaement Routes
+            'servers.list',
+            'servers.create',
+            'servers.view',
+            'servers.config',
+            'servers.build',
+            'servers.suspend',
+            'servers.unsuspend',
+            'servers.delete',
+
+            // Node Management Routes
+            'nodes.list',
+            'nodes.create',
+            'nodes.list',
+            'nodes.allocations',
+            'nodes.delete',
+
+            // Service Routes
+            'services.list',
+            'services.view',
+
+            // Location Routes
+            'locations.list',
+
+        ],
+        'user' => [
+            '*',
+
+            // Informational
+            'me',
+
+            // Server Control
+            'server',
+            'server.power',
+        ],
     ];
 
     /**
@@ -80,12 +94,17 @@ class APIRepository
      */
     protected $allowed = [];
 
+    protected $user;
+
     /**
      * Constructor
      */
-    public function __construct()
+    public function __construct(Models\User $user = null)
     {
-        //
+        $this->user = is_null($user) ? Auth::user() : $user;
+        if (is_null($this->user)) {
+            throw new \Exception('Cannot access API Repository without passing a user to __construct().');
+        }
     }
 
     /**
@@ -101,7 +120,9 @@ public function __construct()
     public function new(array $data)
     {
         $validator = Validator::make($data, [
-            'permissions' => 'required|array'
+            'memo' => 'string|max:500',
+            'permissions' => 'sometimes|required|array',
+            'adminPermissions' => 'sometimes|required|array'
         ]);
 
         $validator->after(function($validator) use ($data) {
@@ -125,31 +146,53 @@ public function new(array $data)
         }
 
         DB::beginTransaction();
-
         try {
-            $secretKey = str_random(16) . '.' . str_random(15);
+            $secretKey = str_random(16) . '.' . str_random(7) . '.' . str_random(7);
             $key = new Models\APIKey;
             $key->fill([
+                'user' => $this->user->id,
                 'public' => str_random(16),
                 'secret' => Crypt::encrypt($secretKey),
-                'allowed_ips' => empty($this->allowed) ? null : json_encode($this->allowed)
+                'allowed_ips' => empty($this->allowed) ? null : json_encode($this->allowed),
+                'memo' => $data['memo'],
+                'expires_at' => null
             ]);
             $key->save();
 
-            foreach($data['permissions'] as $permission) {
-                if (in_array($permission, $this->permissions)) {
+            foreach($data['permissions'] as $permNode) {
+                if (!strpos($permNode, ':')) continue;
+
+                list($toss, $permission) = explode(':', $permNode);
+                if (in_array('api.user.' . $permission, $this->permissions['user'])) {
                     $model = new Models\APIPermission;
                     $model->fill([
                         'key_id' => $key->id,
-                        'permission' => $permission
+                        'permission' => 'api.user.' . $permission
                     ]);
                     $model->save();
                 }
             }
 
+            if ($this->user->root_admin === 1) {
+                foreach($data['permissions'] as $permNode) {
+                    if (!strpos($permNode, ':')) continue;
+
+                    list($toss, $permission) = explode(':', $permNode);
+                    if (in_array('api.admin.' . $permission, $this->permissions['admin'])) {
+                        $model = new Models\APIPermission;
+                        $model->fill([
+                            'key_id' => $key->id,
+                            'permission' => 'api.admin.' . $permission
+                        ]);
+                        $model->save();
+                    }
+                }
+            }
+
             DB::commit();
             return $secretKey;
         } catch (\Exception $ex) {
+            DB::rollBack();
             throw $ex;
         }
 
@@ -169,7 +212,7 @@ public function revoke(string $key)
         DB::beginTransaction();
 
         try {
-            $model = Models\APIKey::where('public', $key)->firstOrFail();
+            $model = Models\APIKey::where('public', $key)->where('user', $this->user->id)->firstOrFail();
             $permissions = Models\APIPermission::where('key_id', $model->id)->delete();
             $model->delete();
 

public/themes/default/css/pterodactyl.css

@@ -267,3 +267,7 @@ li.btn.btn-default.pill:active,li.btn.btn-default.pill:focus,li.btn.btn-default.
 .fuelux .wizard .step-content > .alert {
     margin-bottom: 0 !important;
 }
+
+.fuelux .wizard .steps-container {
+    background-color: #eee;
+}

resources/views/base/api/index.blade.php

@@ -24,6 +24,12 @@
 @section('sidebar-server')
 @endsection
 
+@section('scripts')
+    @parent
+    {!! Theme::css('css/vendor/sweetalert/sweetalert.min.css') !!}
+    {!! Theme::js('js/vendor/sweetalert/sweetalert.min.js') !!}
+@endsection
+
 @section('content')
 <div class="col-md-12">
     <table class="table table-bordered table-hover">
@@ -61,6 +67,43 @@
 <script>
 $(document).ready(function () {
     $('#sidebar_links').find('a[href="/account/api"]').addClass('active');
+    $('[data-action="delete"]').click(function (event) {
+        var self = $(this);
+        event.preventDefault();
+        swal({
+            type: 'error',
+            title: 'Revoke API Key',
+            text: 'Once this API key is revoked any applications currently using it will stop working.',
+            showCancelButton: true,
+            allowOutsideClick: true,
+            closeOnConfirm: false,
+            confirmButtonText: 'Revoke',
+            confirmButtonColor: '#d9534f',
+            showLoaderOnConfirm: true
+        }, function () {
+            $.ajax({
+                method: 'DELETE',
+                url: '{{ route('account.api') }}/revoke/' + self.data('attr'),
+                headers: {
+                    'X-CSRF-TOKEN': '{{ csrf_token() }}'
+                }
+            }).done(function (data) {
+                swal({
+                    type: 'success',
+                    title: '',
+                    text: 'API Key has been revoked.'
+                });
+                self.parent().parent().slideUp();
+            }).fail(function (jqXHR) {
+                console.error(jqXHR);
+                swal({
+                    type: 'error',
+                    title: 'Whoops!',
+                    text: 'An error occured while attempting to revoke this key.'
+                });
+            });
+        });
+    });
 });
 </script>
 @endsection