Change authentication method for API.

Author: DaneEveritt

app/Http/Controllers/API/AuthController.php

@@ -0,0 +1,80 @@
+<?php
+
+namespace Pterodactyl\Http\Middleware;
+
+use Pterodactyl\Models\APIKey;
+use Pterodactyl\Models\APIPermission;
+
+use Illuminate\Http\Request;
+use Dingo\Api\Routing\Route;
+use Dingo\Api\Auth\Provider\Authorization;
+
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException; // 400
+use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException; // 401
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; // 403
+
+class APISecretToken extends Authorization
+{
+
+    protected $algo = 'sha256';
+
+    protected $permissionAllowed = false;
+
+    public function __construct()
+    {
+        //
+    }
+
+    public function getAuthorizationMethod()
+    {
+        return 'Authorization';
+    }
+
+    public function authenticate(Request $request, Route $route)
+    {
+        if (!$request->bearerToken() || empty($request->bearerToken())) {
+            throw new UnauthorizedHttpException('The authentication header was missing or malformed');
+        }
+
+        list($public, $hashed) = explode('.', $request->bearerToken());
+
+        $key = APIKey::where('public', $public)->first();
+        if (!$key) {
+            throw new AccessDeniedHttpException('Invalid API Key.');
+        }
+
+        // Check for Resource Permissions
+        if (!empty($request->route()->getName())) {
+            if(!is_null($key->allowed_ips)) {
+                if (!in_array($request->ip(), json_decode($key->allowed_ips))) {
+                    throw new AccessDeniedHttpException('This IP address does not have permission to use this API key.');
+                }
+            }
+
+            foreach(APIPermission::where('key_id', $key->id)->get() as &$row) {
+                if ($row->permission === '*' || $row->permission === $request->route()->getName()) {
+                    $this->permissionAllowed = true;
+                    continue;
+                }
+            }
+
+            if (!$this->permissionAllowed) {
+                throw new AccessDeniedHttpException('You do not have permission to access this resource.');
+            }
+        }
+
+        if($this->_generateHMAC($request->fullUrl(), $request->getContent(), $key->secret) !== base64_decode($hashed)) {
+            throw new BadRequestHttpException('The hashed body was not valid. Potential modification of contents in route.');
+        }
+
+        return true;
+
+    }
+
+    protected function _generateHMAC($url, $body, $key)
+    {
+        $data = urldecode($url) . '.' . $body;
+        return hash_hmac($this->algo, $data, $key, true);
+    }
+
+}

app/Http/Middleware/APISecretToken.php

@@ -10,25 +10,7 @@ class APIRoutes
 
     public function map(Router $router) {
 
-        app('Dingo\Api\Auth\Auth')->extend('jwt', function ($app) {
-            return new \Dingo\Api\Auth\Provider\JWT($app['Tymon\JWTAuth\JWTAuth']);
-        });
-
         $api = app('Dingo\Api\Routing\Router');
-
-        $api->version('v1', function ($api) {
-            $api->post('auth/login', [
-                'as' => 'api.auth.login',
-                'uses' => 'Pterodactyl\Http\Controllers\API\AuthController@postLogin'
-            ]);
-
-            $api->post('auth/validate', [
-                'middleware' => 'api.auth',
-                'as' => 'api.auth.validate',
-                'uses' => 'Pterodactyl\Http\Controllers\API\AuthController@postValidate'
-            ]);
-        });
-
         $api->version('v1', ['middleware' => 'api.auth'], function ($api) {
 
             /**

app/Http/Routes/APIRoutes.php

@@ -0,0 +1,17 @@
+<?php
+
+namespace Pterodactyl\Models;
+
+use Illuminate\Database\Eloquent\Model;
+
+class APIKey extends Model
+{
+
+    /**
+     * The table associated with the model.
+     *
+     * @var string
+     */
+    protected $table = 'api_keys';
+
+}

app/Models/API.php

@@ -2,7 +2,6 @@
 
 namespace Pterodactyl\Models;
 
-use Debugbar;
 use Illuminate\Database\Eloquent\Model;
 
 class APIPermission extends Model
@@ -15,16 +14,4 @@ class APIPermission extends Model
      */
     protected $table = 'api_permissions';
 
-    /**
-     * Checks if an API key has a specific permission.
-     *
-     * @param  int $id
-     * @param  string $permission
-     * @return boolean
-     */
-    public static function check($id, $permission)
-    {
-        return self::where('key_id', $id)->where('permission', $permission)->exists();
-    }
-
 }

app/Models/APIKey.php

@@ -155,7 +155,7 @@
     */
 
     'auth' => [
-        'jwt' => 'Dingo\Api\Auth\Provider\JWT'
+        'custom' => 'Pterodactyl\Http\Middleware\APISecretToken'
     ],
 
     /*

app/Models/APIPermission.php

@@ -0,0 +1,33 @@
+<?php
+
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Migrations\Migration;
+
+class CreateTableApiKeys extends Migration
+{
+    /**
+     * Run the migrations.
+     *
+     * @return void
+     */
+    public function up()
+    {
+        Schema::create('api_keys', function (Blueprint $table) {
+            $table->increments('id');
+            $table->char('public', 16);
+            $table->char('secret', 32);
+            $table->json('allowed_ips')->nullable();
+            $table->timestamps();
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     *
+     * @return void
+     */
+    public function down()
+    {
+        Schema::drop('api_keys');
+    }
+}