ghzhost
diff --git a/‎CHANGELOG.md‎
Lines changed: 3 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎app/Contracts/Repository/ApiKeyRepositoryInterface.php‎
Lines changed: 10 additions & 0 deletions b/‎app/Contracts/Repository/ApiKeyRepositoryInterface.php‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎app/Http/Controllers/Base/APIController.php‎
Lines changed: 2 additions & 25 deletions b/‎app/Http/Controllers/Base/APIController.php‎
Lines changed: 2 additions & 25 deletions
diff --git a/‎app/Http/Kernel.php‎
Lines changed: 11 additions & 7 deletions b/‎app/Http/Kernel.php‎
Lines changed: 11 additions & 7 deletions
diff --git a/‎app/Http/Middleware/API/AuthenticateIPAccess.php‎
Lines changed: 40 additions & 0 deletions b/‎app/Http/Middleware/API/AuthenticateIPAccess.php‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎app/Http/Middleware/API/AuthenticateKey.php‎
Lines changed: 68 additions & 0 deletions b/‎app/Http/Middleware/API/AuthenticateKey.php‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎app/Http/Middleware/API/HasPermissionToResource.php‎
Lines changed: 58 additions & 0 deletions b/‎app/Http/Middleware/API/HasPermissionToResource.php‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎app/Http/Middleware/API/SetSessionDriver.php‎
Lines changed: 52 additions & 0 deletions b/‎app/Http/Middleware/API/SetSessionDriver.php‎
Lines changed: 52 additions & 0 deletions
@@ -19,6 +19,9 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 ### Added
 * Added star indicators to user listing in Admin CP to indicate users who are set as a root admin.
 
+### Changed
+* API keys have been changed to only use a single public key passed in a bearer token. All existing keys can continue being used, however only the first 32 characters should be sent.
+
 ## v0.7.0-beta.2 (Derelict Dermodactylus)
 ### Fixed
 * `[beta.1]` — Fixes a CORS header issue due to a wrong API endpoint being provided in the administrative node listing.
 
@@ -9,6 +9,16 @@
 
 namespace Pterodactyl\Contracts\Repository;
 
+use Pterodactyl\Models\APIKey;
+
 interface ApiKeyRepositoryInterface extends RepositoryInterface
 {
+    /**
+     * Load permissions for a key onto the model.
+     *
+     * @param \Pterodactyl\Models\APIKey $model
+     * @param bool                       $refresh
+     * @return \Pterodactyl\Models\APIKey
+     */
+    public function loadPermissions(APIKey $model, bool $refresh = false): APIKey;
 }
@@ -1,27 +1,4 @@
 <?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>
- * Some Modifications (c) 2015 Dylan Seidt <dylan.seidt@gmail.com>.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
 
 namespace Pterodactyl\Http\Controllers\Base;
 
@@ -120,7 +97,7 @@ public function store(ApiKeyFormRequest $request)
             'memo' => $request->input('memo'),
         ], $request->input('permissions', []), $adminPermissions);
 
-        $this->alert->success(trans('base.api.index.keypair_created', ['token' => $secret]))->flash();
+        $this->alert->success(trans('base.api.index.keypair_created'))->flash();
 
         return redirect()->route('account.api');
     }
@@ -136,7 +113,7 @@ public function revoke(Request $request, $key)
     {
         $this->repository->deleteWhere([
             ['user_id', '=', $request->user()->id],
-            ['public', '=', $key],
+            ['token', '=', $key],
         ]);
 
         return response('', 204);
 
@@ -11,17 +11,20 @@
 use Pterodactyl\Http\Middleware\VerifyCsrfToken;
 use Pterodactyl\Http\Middleware\VerifyReCaptcha;
 use Pterodactyl\Http\Middleware\AdminAuthenticate;
-use Pterodactyl\Http\Middleware\HMACAuthorization;
 use Illuminate\Routing\Middleware\ThrottleRequests;
 use Pterodactyl\Http\Middleware\LanguageMiddleware;
 use Illuminate\Foundation\Http\Kernel as HttpKernel;
+use Pterodactyl\Http\Middleware\API\AuthenticateKey;
 use Illuminate\Routing\Middleware\SubstituteBindings;
 use Pterodactyl\Http\Middleware\AccessingValidServer;
+use Pterodactyl\Http\Middleware\API\SetSessionDriver;
 use Illuminate\View\Middleware\ShareErrorsFromSession;
 use Pterodactyl\Http\Middleware\RedirectIfAuthenticated;
 use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth;
+use Pterodactyl\Http\Middleware\API\AuthenticateIPAccess;
 use Pterodactyl\Http\Middleware\Daemon\DaemonAuthenticate;
 use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
+use Pterodactyl\Http\Middleware\API\HasPermissionToResource;
 use Pterodactyl\Http\Middleware\Server\AuthenticateAsSubuser;
 use Pterodactyl\Http\Middleware\Server\SubuserBelongsToServer;
 use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
@@ -42,10 +45,6 @@ class Kernel extends HttpKernel
         EncryptCookies::class,
         AddQueuedCookiesToResponse::class,
         TrimStrings::class,
-
-        /*
-         * Custom middleware applied to all routes.
-         */
         TrustProxies::class,
     ];
 
@@ -66,9 +65,11 @@ class Kernel extends HttpKernel
             RequireTwoFactorAuthentication::class,
         ],
         'api' => [
-            HMACAuthorization::class,
             'throttle:60,1',
-            'bindings',
+            SubstituteBindings::class,
+            SetSessionDriver::class,
+            AuthenticateKey::class,
+            AuthenticateIPAccess::class,
         ],
         'daemon' => [
             SubstituteBindings::class,
@@ -95,6 +96,9 @@ class Kernel extends HttpKernel
         'bindings' => SubstituteBindings::class,
         'recaptcha' => VerifyReCaptcha::class,
 
+        // API specific middleware.
+        'api..user_level' => HasPermissionToResource::class,
+
         // Server specific middleware (used for authenticating access to resources)
         //
         // These are only used for individual server authentication, and not gloabl
 
@@ -0,0 +1,40 @@
+<?php
+
+namespace Pterodactyl\Http\Middleware\API;
+
+use Closure;
+use IPTools\IP;
+use IPTools\Range;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+class AuthenticateIPAccess
+{
+    /**
+     * Determine if a request IP has permission to access the API.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Closure                 $next
+     * @return mixed
+     *
+     * @throws \Exception
+     * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        $model = $request->attributes->get('api_key');
+
+        if (is_null($model->allowed_ips) || empty($model->allowed_ips)) {
+            return $next($request);
+        }
+
+        $find = new IP($request->ip());
+        foreach ($model->allowed_ips as $ip) {
+            if (Range::parse($ip)->contains($find)) {
+                return $next($request);
+            }
+        }
+
+        throw new AccessDeniedHttpException('This IP address does not have permission to access the API using these credentials.');
+    }
+}
@@ -0,0 +1,68 @@
+<?php
+
+namespace Pterodactyl\Http\Middleware\API;
+
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Auth\AuthManager;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
+use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+class AuthenticateKey
+{
+    /**
+     * @var \Illuminate\Auth\AuthManager
+     */
+    private $auth;
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface
+     */
+    private $repository;
+
+    /**
+     * AuthenticateKey constructor.
+     *
+     * @param \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface $repository
+     * @param \Illuminate\Auth\AuthManager                                $auth
+     */
+    public function __construct(
+        ApiKeyRepositoryInterface $repository,
+        AuthManager $auth
+    ) {
+        $this->auth = $auth;
+        $this->repository = $repository;
+    }
+
+    /**
+     * Handle an API request by verifying that the provided API key
+     * is in a valid format, and the route being accessed is allowed
+     * for the given key.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Closure                 $next
+     * @return mixed
+     *
+     * @throws \Symfony\Component\HttpKernel\Exception\HttpException
+     * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        if (is_null($request->bearerToken())) {
+            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
+        }
+
+        try {
+            $model = $this->repository->findFirstWhere([['token', '=', $request->bearerToken()]]);
+        } catch (RecordNotFoundException $exception) {
+            throw new AccessDeniedHttpException;
+        }
+
+        $this->auth->guard()->loginUsingId($model->user_id);
+        $request->attributes->set('api_key', $model);
+
+        return $next($request);
+    }
+}
@@ -0,0 +1,58 @@
+<?php
+
+namespace Pterodactyl\Http\Middleware\API;
+
+use Closure;
+use Illuminate\Http\Request;
+use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+class HasPermissionToResource
+{
+    /**
+     * @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface
+     */
+    private $repository;
+
+    /**
+     * HasPermissionToResource constructor.
+     *
+     * @param \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface $repository
+     */
+    public function __construct(ApiKeyRepositoryInterface $repository)
+    {
+        $this->repository = $repository;
+    }
+
+    /**
+     * Determine if an API key has permission to access the given route.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Closure                 $next
+     * @param string                   $role
+     * @return mixed
+     */
+    public function handle(Request $request, Closure $next, string $role = 'admin')
+    {
+        /** @var \Pterodactyl\Models\APIKey $model */
+        $model = $request->attributes->get('api_key');
+
+        if ($role === 'admin' && ! $request->user()->root_admin) {
+            throw new NotFoundHttpException;
+        }
+
+        $this->repository->loadPermissions($model);
+        $routeKey = str_replace(['api.', 'admin.'], '', $request->route()->getName());
+
+        $count = $model->getRelation('permissions')->filter(function ($permission) use ($routeKey) {
+            return $routeKey === str_replace('-', '.', $permission->permission);
+        })->count();
+
+        if ($count === 1) {
+            return $next($request);
+        }
+
+        throw new AccessDeniedHttpException('Cannot access resource without required `' . $routeKey . '` permission.');
+    }
+}
@@ -0,0 +1,52 @@
+<?php
+
+namespace Pterodactyl\Http\Middleware\API;
+
+use Closure;
+use Illuminate\Http\Request;
+use Barryvdh\Debugbar\LaravelDebugbar;
+use Illuminate\Contracts\Foundation\Application;
+use Illuminate\Contracts\Config\Repository as ConfigRepository;
+
+class SetSessionDriver
+{
+    /**
+     * @var \Illuminate\Contracts\Foundation\Application
+     */
+    private $app;
+
+    /**
+     * @var \Illuminate\Contracts\Config\Repository
+     */
+    private $config;
+
+    /**
+     * SetSessionDriver constructor.
+     *
+     * @param \Illuminate\Contracts\Foundation\Application $app
+     * @param \Illuminate\Contracts\Config\Repository      $config
+     */
+    public function __construct(Application $app, ConfigRepository $config)
+    {
+        $this->app = $app;
+        $this->config = $config;
+    }
+
+    /**
+     * Set the session for API calls to only last for the one request.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Closure                 $next
+     * @return mixed
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        if ($this->app->environment() !== 'production') {
+            $this->app->make(LaravelDebugbar::class)->disable();
+        }
+
+        $this->config->set('session.driver', 'array');
+
+        return $next($request);
+    }
+}