ghzhost
diff --git a/‎app/Extensions/Laravel/Sanctum/NewAccessToken.php‎
Lines changed: 23 additions & 0 deletions b/‎app/Extensions/Laravel/Sanctum/NewAccessToken.php‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎app/Http/Kernel.php‎
Lines changed: 8 additions & 22 deletions b/‎app/Http/Kernel.php‎
Lines changed: 8 additions & 22 deletions
diff --git a/‎app/Http/Middleware/Api/AuthenticateIPAccess.php‎
Lines changed: 9 additions & 3 deletions b/‎app/Http/Middleware/Api/AuthenticateIPAccess.php‎
Lines changed: 9 additions & 3 deletions
diff --git a/‎app/Http/Middleware/Api/AuthenticateKey.php‎
Lines changed: 0 additions & 109 deletions b/‎app/Http/Middleware/Api/AuthenticateKey.php‎
Lines changed: 0 additions & 109 deletions
diff --git a/‎app/Http/Middleware/Api/HandleStatelessRequest.php‎
Lines changed: 0 additions & 35 deletions b/‎app/Http/Middleware/Api/HandleStatelessRequest.php‎
Lines changed: 0 additions & 35 deletions
diff --git a/‎app/Http/Middleware/VerifyCsrfToken.php‎
Lines changed: 0 additions & 29 deletions b/‎app/Http/Middleware/VerifyCsrfToken.php‎
Lines changed: 0 additions & 29 deletions
@@ -0,0 +1,23 @@
+<?php
+
+namespace Pterodactyl\Extensions\Laravel\Sanctum;
+
+use Pterodactyl\Models\ApiKey;
+use Laravel\Sanctum\NewAccessToken as SanctumAccessToken;
+
+/**
+ * @property \Pterodactyl\Models\ApiKey $accessToken
+ */
+class NewAccessToken extends SanctumAccessToken
+{
+    /**
+     * NewAccessToken constructor.
+     *
+     * @noinspection PhpMissingParentConstructorInspection
+     */
+    public function __construct(ApiKey $accessToken, string $plainTextToken)
+    {
+        $this->accessToken = $accessToken;
+        $this->plainTextToken = $plainTextToken;
+    }
+}
@@ -2,7 +2,6 @@
 
 namespace Pterodactyl\Http;
 
-use Pterodactyl\Models\ApiKey;
 use Illuminate\Auth\Middleware\Authorize;
 use Illuminate\Auth\Middleware\Authenticate;
 use Illuminate\Http\Middleware\TrustProxies;
@@ -16,7 +15,6 @@
 use Illuminate\Routing\Middleware\ThrottleRequests;
 use Pterodactyl\Http\Middleware\LanguageMiddleware;
 use Illuminate\Foundation\Http\Kernel as HttpKernel;
-use Pterodactyl\Http\Middleware\Api\AuthenticateKey;
 use Illuminate\Routing\Middleware\SubstituteBindings;
 use Illuminate\Session\Middleware\AuthenticateSession;
 use Illuminate\View\Middleware\ShareErrorsFromSession;
@@ -25,13 +23,13 @@
 use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth;
 use Pterodactyl\Http\Middleware\Api\AuthenticateIPAccess;
 use Illuminate\Foundation\Http\Middleware\ValidatePostSize;
-use Pterodactyl\Http\Middleware\Api\HandleStatelessRequest;
 use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
 use Pterodactyl\Http\Middleware\Api\Daemon\DaemonAuthenticate;
 use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
 use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode;
 use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull;
 use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientBindings;
+use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;
 use Pterodactyl\Http\Middleware\Api\Application\AuthenticateApplicationUser;
 
 class Kernel extends HttpKernel
@@ -67,29 +65,19 @@ class Kernel extends HttpKernel
             RequireTwoFactorAuthentication::class,
         ],
         'api' => [
-            HandleStatelessRequest::class,
             IsValidJson::class,
-            StartSession::class,
-            AuthenticateSession::class,
-            VerifyCsrfToken::class,
+            EnsureFrontendRequestsAreStateful::class,
+            'auth:sanctum',
+            RequireTwoFactorAuthentication::class,
+            AuthenticateIPAccess::class,
         ],
         'application-api' => [
             SubstituteBindings::class,
-            'api..key:' . ApiKey::TYPE_APPLICATION,
             AuthenticateApplicationUser::class,
-            AuthenticateIPAccess::class,
-        ],
-        'client-api' => [
-            SubstituteClientBindings::class,
-            'api..key:' . ApiKey::TYPE_ACCOUNT,
-            AuthenticateIPAccess::class,
-            // This is perhaps a little backwards with the Client API, but logically you'd be unable
-            // to create/get an API key without first enabling 2FA on the account, so I suppose in the
-            // end it makes sense.
-            //
-            // You just wouldn't be authenticating with the API by providing a 2FA token.
-            RequireTwoFactorAuthentication::class,
         ],
+        // TODO: don't allow an application key to use the client API, but do allow a client
+        //  api key to access the application API.
+        'client-api' => [SubstituteClientBindings::class],
         'daemon' => [
             SubstituteBindings::class,
             DaemonAuthenticate::class,
@@ -112,7 +100,5 @@ class Kernel extends HttpKernel
         'bindings' => SubstituteBindings::class,
         'recaptcha' => VerifyReCaptcha::class,
         'node.maintenance' => MaintenanceMiddleware::class,
-        // API Specific Middleware
-        'api..key' => AuthenticateKey::class,
     ];
 }
@@ -6,6 +6,7 @@
 use IPTools\IP;
 use IPTools\Range;
 use Illuminate\Http\Request;
+use Laravel\Sanctum\TransientToken;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 
 class AuthenticateIPAccess
@@ -20,14 +21,19 @@ class AuthenticateIPAccess
      */
     public function handle(Request $request, Closure $next)
     {
-        $model = $request->attributes->get('api_key');
+        /** @var \Laravel\Sanctum\TransientToken|\Pterodactyl\Models\ApiKey $token */
+        $token = $request->user()->currentAccessToken();
 
-        if (is_null($model->allowed_ips) || empty($model->allowed_ips)) {
+        // If this is a stateful request just push the request through to the next
+        // middleware in the stack, there is nothing we need to explicitly check. If
+        // this is a valid API Key, but there is no allowed IP restriction, also pass
+        // the request through.
+        if ($token instanceof TransientToken || empty($token->allowed_ips)) {
             return $next($request);
         }
 
         $find = new IP($request->ip());
-        foreach ($model->allowed_ips as $ip) {
+        foreach ($token->allowed_ips as $ip) {
             if (Range::parse($ip)->contains($find)) {
                 return $next($request);
             }
 
@@ -2,8 +2,6 @@
 
 namespace Pterodactyl\Http\Middleware;
 
-use Closure;
-use Pterodactyl\Models\ApiKey;
 use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;
 
 class VerifyCsrfToken extends BaseVerifier
@@ -16,31 +14,4 @@ class VerifyCsrfToken extends BaseVerifier
      * @var string[]
      */
     protected $except = ['remote/*', 'daemon/*'];
-
-    /**
-     * Manually apply CSRF protection to routes depending on the authentication
-     * mechanism being used. If the API request is using an API key that exists
-     * in the database we can safely ignore CSRF protections, since that would be
-     * a manually initiated request by a user or server.
-     *
-     * All other requests should go through the standard CSRF protections that
-     * Laravel affords us. This code will be removed in v2 since we have switched
-     * to using Sanctum for the API endpoints, which handles that for us automatically.
-     *
-     * @param \Illuminate\Http\Request $request
-     *
-     * @return mixed
-     *
-     * @throws \Illuminate\Session\TokenMismatchException
-     */
-    public function handle($request, Closure $next)
-    {
-        $key = $request->attributes->get('api_key');
-
-        if ($key instanceof ApiKey && $key->exists) {
-            return $next($request);
-        }
-
-        return parent::handle($request, $next);
-    }
 }