Update all the middlewares

Author: DaneEveritt

CHANGELOG.md

@@ -28,6 +28,7 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 * Server creation page now only asks for a node to deploy to, rather than requiring a location and then a node.
 * Database passwords are now hidden by default and will only show if clicked on. In addition, database view in ACP now indicates that passwords must be viewed on the front-end.
 * Localhost cannot be used as a connection address in the environment configuration script. `127.0.0.1` is allowed.
+* Application locale can now be quickly set using an environment variable `APP_LOCALE` rather than having to edit core files.
 
 ### Fixed
 * Unable to change the daemon secret for a server via the Admin CP.

app/Http/Kernel.php

@@ -6,6 +6,7 @@
 use Illuminate\Foundation\Http\Kernel as HttpKernel;
 use Illuminate\Routing\Middleware\SubstituteBindings;
 use Pterodactyl\Http\Middleware\AccessingValidServer;
+use Pterodactyl\Http\Middleware\Server\AuthenticateAsSubuser;
 use Pterodactyl\Http\Middleware\Server\SubuserBelongsToServer;
 use Pterodactyl\Http\Middleware\Server\DatabaseBelongsToServer;
 use Pterodactyl\Http\Middleware\Server\ScheduleBelongsToServer;
@@ -66,7 +67,7 @@ class Kernel extends HttpKernel
         'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
         'guest' => \Pterodactyl\Http\Middleware\RedirectIfAuthenticated::class,
         'server' => AccessingValidServer::class,
-        'subuser.auth' => \Pterodactyl\Http\Middleware\SubuserAccessAuthenticate::class,
+        'subuser.auth' => AuthenticateAsSubuser::class,
         'admin' => \Pterodactyl\Http\Middleware\AdminAuthenticate::class,
         'daemon-old' => DaemonAuthenticate::class,
         'csrf' => \Pterodactyl\Http\Middleware\VerifyCsrfToken::class,

app/Http/Middleware/AdminAuthenticate.php

@@ -10,6 +10,8 @@
 namespace Pterodactyl\Http\Middleware;
 
 use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpKernel\Exception\HttpException;
 
 class AdminAuthenticate
 {
@@ -20,18 +22,10 @@ class AdminAuthenticate
      * @param \Closure                 $next
      * @return mixed
      */
-    public function handle($request, Closure $next)
+    public function handle(Request $request, Closure $next)
     {
-        if (! $request->user()) {
-            if ($request->expectsJson() || $request->json()) {
-                return response('Unauthorized.', 401);
-            } else {
-                return redirect()->guest('auth/login');
-            }
-        }
-
-        if (! $request->user()->root_admin) {
-            return abort(403);
+        if (! $request->user() || ! $request->user()->root_admin) {
+            throw new HttpException(403, 'Access Denied');
         }
 
         return $next($request);

app/Http/Middleware/Authenticate.php

@@ -3,6 +3,7 @@
 namespace Pterodactyl\Http\Middleware;
 
 use Closure;
+use Illuminate\Http\Request;
 use Illuminate\Contracts\Auth\Guard;
 
 class Authenticate
@@ -31,7 +32,7 @@ public function __construct(Guard $auth)
      * @param \Closure                 $next
      * @return mixed
      */
-    public function handle($request, Closure $next)
+    public function handle(Request $request, Closure $next)
     {
         if ($this->auth->guest()) {
             if ($request->ajax()) {

app/Http/Middleware/Daemon/DaemonAuthenticate.php

@@ -33,9 +33,12 @@
 class DaemonAuthenticate
 {
     /**
+     * Daemon routes that this middleware should be skipped on.
      * @var array
      */
-    protected $except = ['daemon.configuration'];
+    protected $except = [
+        'daemon.configuration',
+    ];
 
     /**
      * @var \Pterodactyl\Contracts\Repository\NodeRepositoryInterface
@@ -63,6 +66,10 @@ public function __construct(NodeRepositoryInterface $repository)
      */
     public function handle(Request $request, Closure $next)
     {
+        if (in_array($request->route()->getName(), $this->except)) {
+            return $next($request);
+        }
+
         $token = $request->bearerToken();
 
         if (is_null($token)) {

app/Http/Middleware/DaemonAuthenticate.php

@@ -10,35 +10,36 @@
 namespace Pterodactyl\Http\Middleware;
 
 use Closure;
+use Illuminate\Http\Request;
 use Pterodactyl\Models\Node;
-use Illuminate\Contracts\Auth\Guard;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+use Pterodactyl\Contracts\Repository\NodeRepositoryInterface;
+use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
 
 class DaemonAuthenticate
 {
-    /**
-     * The Guard implementation.
-     *
-     * @var \Illuminate\Contracts\Auth\Guard
-     */
-    protected $auth;
-
     /**
      * An array of route names to not apply this middleware to.
      *
      * @var array
      */
-    protected $except = [
+    private $except = [
         'daemon.configuration',
     ];
 
+    /**
+     * @var \Pterodactyl\Contracts\Repository\NodeRepositoryInterface
+     */
+    private $repository;
+
     /**
      * Create a new filter instance.
      *
-     * @param \Illuminate\Contracts\Auth\Guard $auth
+     * @param \Pterodactyl\Contracts\Repository\NodeRepositoryInterface $repository
      */
-    public function __construct(Guard $auth)
+    public function __construct(NodeRepositoryInterface $repository)
     {
-        $this->auth = $auth;
+        $this->repository = $repository;
     }
 
     /**
@@ -48,21 +49,24 @@ public function __construct(Guard $auth)
      * @param \Closure                 $next
      * @return mixed
      */
-    public function handle($request, Closure $next)
+    public function handle(Request $request, Closure $next)
     {
         if (in_array($request->route()->getName(), $this->except)) {
             return $next($request);
         }
 
         if (! $request->header('X-Access-Node')) {
-            return abort(403);
+            throw new HttpException(403);
         }
 
-        $node = Node::where('daemonSecret', $request->header('X-Access-Node'))->first();
-        if (! $node) {
-            return abort(401);
+        try {
+            $node = $this->repository->findWhere(['daemonSecret' => $request->header('X-Access-Node')]);
+        } catch (RecordNotFoundException $exception) {
+            throw new HttpException(401);
         }
 
+        $request->attributes->set('node', $node);
+
         return $next($request);
     }
 }

app/Http/Middleware/EncryptCookies.php

@@ -11,6 +11,5 @@ class EncryptCookies extends BaseEncrypter
      *
      * @var array
      */
-    protected $except = [
-    ];
+    protected $except = [];
 }

app/Http/Middleware/LanguageMiddleware.php

@@ -9,32 +9,38 @@
 
 namespace Pterodactyl\Http\Middleware;
 
-use Auth;
 use Closure;
-use Session;
-use Settings;
+use Illuminate\Http\Request;
 use Illuminate\Support\Facades\App;
+use Illuminate\Contracts\Config\Repository;
 
 class LanguageMiddleware
 {
+    /**
+     * @var \Illuminate\Contracts\Config\Repository
+     */
+    private $config;
+
+    /**
+     * LanguageMiddleware constructor.
+     *
+     * @param \Illuminate\Contracts\Config\Repository $config
+     */
+    public function __construct(Repository $config)
+    {
+        $this->config = $config;
+    }
+
     /**
      * Handle an incoming request.
      *
      * @param \Illuminate\Http\Request $request
      * @param \Closure                 $next
      * @return mixed
      */
-    public function handle($request, Closure $next)
+    public function handle(Request $request, Closure $next)
     {
-        // if (Session::has('applocale')) {
-        //     App::setLocale(Session::get('applocale'));
-        // } elseif (Auth::check() && isset(Auth::user()->language)) {
-        //     Session::put('applocale', Auth::user()->language);
-        //     App::setLocale(Auth::user()->language);
-        // } else {
-        //     App::setLocale(Settings::get('default_language', 'en'));
-        // }
-        App::setLocale('en');
+        App::setLocale($this->config->get('app.locale', 'en'));
 
         return $next($request);
     }

app/Http/Middleware/RedirectIfAuthenticated.php

@@ -3,10 +3,26 @@
 namespace Pterodactyl\Http\Middleware;
 
 use Closure;
-use Illuminate\Support\Facades\Auth;
+use Illuminate\Http\Request;
+use Illuminate\Auth\AuthManager;
 
 class RedirectIfAuthenticated
 {
+    /**
+     * @var \Illuminate\Contracts\Auth\Guard
+     */
+    private $authManager;
+
+    /**
+     * RedirectIfAuthenticated constructor.
+     *
+     * @param \Illuminate\Auth\AuthManager $authManager
+     */
+    public function __construct(AuthManager $authManager)
+    {
+        $this->authManager = $authManager;
+    }
+
     /**
      * Handle an incoming request.
      *
@@ -15,9 +31,9 @@ class RedirectIfAuthenticated
      * @param string|null              $guard
      * @return mixed
      */
-    public function handle($request, Closure $next, $guard = null)
+    public function handle(Request $request, Closure $next, string $guard = null)
     {
-        if (Auth::guard($guard)->check()) {
+        if ($this->authManager->guard($guard)->check()) {
             return redirect(route('index'));
         }
 

app/Http/Middleware/RequireTwoFactorAuthentication.php

@@ -10,6 +10,7 @@
 namespace Pterodactyl\Http\Middleware;
 
 use Closure;
+use Illuminate\Http\Request;
 use Krucas\Settings\Settings;
 use Prologue\Alerts\AlertsMessageBag;
 
@@ -22,28 +23,35 @@ class RequireTwoFactorAuthentication
     /**
      * @var \Prologue\Alerts\AlertsMessageBag
      */
-    protected $alert;
+    private $alert;
 
     /**
      * @var \Krucas\Settings\Settings
      */
-    protected $settings;
+    private $settings;
 
     /**
-     * All TOTP related routes.
+     * The names of routes that should be accessable without 2FA enabled.
      *
      * @var array
      */
-    protected $ignoreRoutes = [
-            'account.security',
-            'account.security.revoke',
-            'account.security.totp',
-            'account.security.totp.set',
-            'account.security.totp.disable',
-            'auth.totp',
-            'auth.logout',
+    protected $except = [
+        'account.security',
+        'account.security.revoke',
+        'account.security.totp',
+        'account.security.totp.set',
+        'account.security.totp.disable',
+        'auth.totp',
+        'auth.logout',
     ];
 
+    /**
+     * The route to redirect a user to to enable 2FA.
+     *
+     * @var string
+     */
+    protected $redirectRoute = 'account.security';
+
     /**
      * RequireTwoFactorAuthentication constructor.
      *
@@ -63,15 +71,15 @@ public function __construct(AlertsMessageBag $alert, Settings $settings)
      * @param \Closure                 $next
      * @return mixed
      */
-    public function handle($request, Closure $next)
+    public function handle(Request $request, Closure $next)
     {
         // Ignore non-users
         if (! $request->user()) {
             return $next($request);
         }
 
         // Skip the 2FA pages
-        if (in_array($request->route()->getName(), $this->ignoreRoutes)) {
+        if (in_array($request->route()->getName(), $this->except)) {
             return $next($request);
         }
 
@@ -93,8 +101,8 @@ public function handle($request, Closure $next)
                 break;
         }
 
-        $this->alert->danger('The administrator has required 2FA to be enabled. You must enable it before you can do any other action.')->flash();
+        $this->alert->danger(trans('auth.2fa_must_be_enabled'))->flash();
 
-        return redirect()->route('account.security');
+        return redirect()->route($this->redirectRoute);
     }
 }