[security] ensure session is only for that request when authenticating user API key

DaneEveritt · DaneEveritt · commit dfa329ddf242 · 2022-01-19T21:09:17.000-05:00
GHSA-7v3x-h7r2-34jv
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 * Fixes missing validation of Egg Author email addresses during the setup process that could cause unexpected failures later on.
 * Fixes font rendering issues of the console on Firefox due to an outdated version of xterm.js being used.
 * Fixes display overlap issues of the two-factor configuration form in a user's settings.
+* **[security]** When authenticating using an API key a user session is now only persisted for the duration of the request before being destroyed.
 
 ### Changed
 * CPU graph changed to show the maximum amount of CPU available to a server to better match how the memory graph is displayed.
diff --git a/app/Http/Middleware/Api/AuthenticateKey.php b/app/Http/Middleware/Api/AuthenticateKey.php
@@ -70,7 +70,7 @@ public function handle(Request $request, Closure $next, int $keyType)
         } else {
             $model = $this->authenticateApiKey($request->bearerToken(), $keyType);
 
-            $this->auth->guard()->loginUsingId($model->user_id);
+            $this->auth->guard()->onceUsingId($model->user_id);
         }
 
         $request->attributes->set('api_key', $model);

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ public function handle(Request $request, Closure $next, int $keyType)`
`70`	`70`	`} else {`
`71`	`71`	`$model = $this->authenticateApiKey($request->bearerToken(), $keyType);`
`72`	`72`
`73`		`- $this->auth->guard()->loginUsingId($model->user_id);`
	`73`	`+ $this->auth->guard()->onceUsingId($model->user_id);`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`$request->attributes->set('api_key', $model);`