Ensure tokens are found in the database using the expected logic

DaneEveritt · DaneEveritt · commit f7fc67344e13 · 2022-05-22T16:05:58.000-04:00
diff --git a/app/Exceptions/Handler.php b/app/Exceptions/Handler.php
@@ -47,6 +47,18 @@ class Handler extends ExceptionHandler
         ValidationException::class,
     ];
 
+    /**
+     * Maps exceptions to a specific response code. This handles special exception
+     * types that don't have a defined response code.
+     *
+     * @var array<string, int>
+     */
+    protected static array $exceptionResponseCodes = [
+        AuthenticationException::class => 401,
+        AuthorizationException::class => 403,
+        ValidationException::class => 422,
+    ];
+
     /**
      * A list of the inputs that are never flashed for validation exceptions.
      *
@@ -187,12 +199,14 @@ public function invalidJson($request, ValidationException $exception)
      */
     public static function convertToArray(Throwable $exception, array $override = []): array
     {
+        $match = self::$exceptionResponseCodes[get_class($exception)] ?? null;
+
         $error = [
             'code' => class_basename($exception),
             'status' => method_exists($exception, 'getStatusCode')
                 ? strval($exception->getStatusCode())
-                : ($exception instanceof ValidationException ? '422' : '500'),
-            'detail' => $exception instanceof HttpExceptionInterface
+                : strval($match ?? '500'),
+            'detail' => $exception instanceof HttpExceptionInterface || !is_null($match)
                 ? $exception->getMessage()
                 : 'An unexpected error was encountered while processing this request, please try again.',
         ];
diff --git a/app/Http/Controllers/Api/Client/AccountController.php b/app/Http/Controllers/Api/Client/AccountController.php
@@ -19,19 +19,19 @@ class AccountController extends ClientApiController
     private $updateService;
 
     /**
-     * @var \Illuminate\Auth\SessionGuard
+     * @var \Illuminate\Auth\AuthManager
      */
-    private $sessionGuard;
+    private $manager;
 
     /**
      * AccountController constructor.
      */
-    public function __construct(AuthManager $sessionGuard, UserUpdateService $updateService)
+    public function __construct(AuthManager $manager, UserUpdateService $updateService)
     {
         parent::__construct();
 
         $this->updateService = $updateService;
-        $this->sessionGuard = $sessionGuard;
+        $this->manager = $manager;
     }
 
     public function index(Request $request): array
@@ -64,13 +64,17 @@ public function updatePassword(UpdatePasswordRequest $request): JsonResponse
     {
         $user = $this->updateService->handle($request->user(), $request->validated());
 
+        $guard = $this->manager->guard();
         // If you do not update the user in the session you'll end up working with a
         // cached copy of the user that does not include the updated password. Do this
         // to correctly store the new user details in the guard and allow the logout
         // other devices functionality to work.
-        $this->sessionGuard->setUser($user);
+        $guard->setUser($user);
 
-        $this->sessionGuard->logoutOtherDevices($request->input('password'));
+        // This method doesn't exist in the stateless Sanctum world.
+        if (method_exists($guard, 'logoutOtherDevices')) {
+            $guard->logoutOtherDevices($request->input('password'));
+        }
 
         return new JsonResponse([], Response::HTTP_NO_CONTENT);
     }
diff --git a/app/Models/ApiKey.php b/app/Models/ApiKey.php
@@ -195,9 +195,13 @@ public function tokenable()
     public static function findToken($token)
     {
         $id = Str::substr($token, 0, self::IDENTIFIER_LENGTH);
-        $token = Str::substr($token, strlen($id));
 
-        return static::where('identifier', $id)->where('token', encrypt($token))->first();
+        $model = static::where('identifier', $id)->first();
+        if (!is_null($model) && decrypt($model->token) === Str::substr($token, strlen($id))) {
+            return $model;
+        }
+
+        return null;
     }
 
     /**
diff --git a/database/Factories/ApiKeyFactory.php b/database/Factories/ApiKeyFactory.php
@@ -25,7 +25,7 @@ public function definition(): array
 
         return [
             'key_type' => ApiKey::TYPE_APPLICATION,
-            'identifier' => Str::random(ApiKey::IDENTIFIER_LENGTH),
+            'identifier' => ApiKey::generateTokenIdentifier(),
             'token' => $token ?: $token = encrypt(Str::random(ApiKey::KEY_LENGTH)),
             'allowed_ips' => null,
             'memo' => 'Test Function Key',
diff --git a/tests/Integration/Api/Application/ApplicationApiIntegrationTestCase.php b/tests/Integration/Api/Application/ApplicationApiIntegrationTestCase.php
@@ -2,8 +2,8 @@
 
 namespace Pterodactyl\Tests\Integration\Api\Application;
 
-use Pterodactyl\Models\User;
 use Illuminate\Http\Request;
+use Pterodactyl\Models\User;
 use PHPUnit\Framework\Assert;
 use Pterodactyl\Models\ApiKey;
 use Pterodactyl\Services\Acl\Api\AdminAcl;
@@ -41,10 +41,9 @@ public function setUp(): void
         $this->user = $this->createApiUser();
         $this->key = $this->createApiKey($this->user);
 
-        $this->withHeader('Accept', 'application/vnd.pterodactyl.v1+json');
-        $this->withHeader('Authorization', 'Bearer ' . $this->getApiKey()->identifier . decrypt($this->getApiKey()->token));
-
-        $this->withMiddleware('api..key:' . ApiKey::TYPE_APPLICATION);
+        $this
+            ->withHeader('Accept', 'application/vnd.pterodactyl.v1+json')
+            ->withHeader('Authorization', 'Bearer ' . $this->key->identifier . decrypt($this->key->token));
     }
 
     public function getApiUser(): User
@@ -63,17 +62,10 @@ public function getApiKey(): ApiKey
     protected function createNewDefaultApiKey(User $user, array $permissions = []): ApiKey
     {
         $this->key = $this->createApiKey($user, $permissions);
-        $this->refreshHeaders($this->key);
 
-        return $this->key;
-    }
+        $this->withHeader('Authorization', 'Bearer ' . $this->key->identifier . decrypt($this->key->token));
 
-    /**
-     * Refresh the authorization header for a request to use a different API key.
-     */
-    protected function refreshHeaders(ApiKey $key)
-    {
-        $this->withHeader('Authorization', 'Bearer ' . $key->identifier . decrypt($key->token));
+        return $this->key;
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -195,9 +195,13 @@ public function tokenable()`
`195`	`195`	`public static function findToken($token)`
`196`	`196`	`{`
`197`	`197`	`$id = Str::substr($token, 0, self::IDENTIFIER_LENGTH);`
`198`		`- $token = Str::substr($token, strlen($id));`
`199`	`198`
`200`		`- return static::where('identifier', $id)->where('token', encrypt($token))->first();`
	`199`	`+ $model = static::where('identifier', $id)->first();`
	`200`	`+ if (!is_null($model) && decrypt($model->token) === Str::substr($token, strlen($id))) {`
	`201`	`+ return $model;`
	`202`	`+ }`
	`203`	`+`
	`204`	`+ return null;`
`201`	`205`	`}`
`202`	`206`
`203`	`207`	`/**`