Dane Everitt
dfa329ddf2
[security] ensure session is only for that request when authenticating user API key
https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv
2022-01-19 21:09:17 -05:00

Dane Everitt
bf9cbe2c6d
Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints
2021-11-16 20:02:18 -08:00

Dane Everitt
60eff40a0c
Fix session management on client API requests; closes #3727

Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for
requests. That pathway found the current request user before continuing on to
other in-app middleware, thus the user was available downstream.

Changes introduced in 1.6.3 changed the throttler logic, therefore removing this
step. As a result, the client API could not always get the currently authenticated
user when cookies were used (aka, requests from the Panel UI, and not API directly).

This change corrects the logic to get the session setup correctly before falling
through to authenticating as a user using the API key. If a cookie is present and a
user is found as a result that session will be used. If an API key is provided it is
ignored when a cookie is also present.

In order to keep the API stateless any session created for an API request stemming
from an API key will have the associated session deleted at the end of the request,
and the 'Set-Cookies' header will be stripped from the response.
2021-11-03 20:51:39 -07:00

Alex
9656378783
Fix 401 error typo (#3393)
2021-06-03 13:35:51 -07:00

Dane Everitt
e30a765071
Simplify logic when a server is in an unsupported state
2021-01-30 13:28:31 -08:00

Dane Everitt
0a2c89e9f4
Reformat with new rules post merge
2021-01-25 19:20:51 -08:00

Dane Everitt
663143de0b
Merge branch 'develop' into dane/restore-backups
2021-01-25 19:16:40 -08:00

Dane Everitt
c449ca5155
Use more standardized phpcs
2021-01-23 12:33:34 -08:00

Dane Everitt
a043071e3c
Update to Laravel 8

Co-authored-by: Matthew Penner <me@matthewp.io>
2021-01-23 12:12:54 -08:00

Dane Everitt
e8dcd30e0c
[security] fix resources not properly returning an error when they don't match the server in the URL

Prior to this fix certain resources were accessible even when their assigned server was not the same as the server in the URL. This causes the resource server relationship to not match the server variable present on the request.

Due to this failed logic it was possible for users to access resources they should not have been able to access otherwise for some areas of the panel.
2021-01-19 21:19:17 -08:00

Dane Everitt
a75a347d65
Remove suspended & installing fields, replace with single status field
2021-01-17 15:51:56 -08:00

Dane Everitt
6c39288def
Clarify error messaging for transfers
2020-12-24 10:14:10 -08:00

Matthew Penner
37cfa151b6
Use ServerTransferringException
2020-12-17 10:37:14 -07:00

Matthew Penner
e69d9b2c26
Update comment in AuthenticateServerAccess.php
2020-12-17 10:35:54 -07:00

Matthew Penner
fd848985ee
Add ServerTransferringException, use is_null
2020-12-17 10:35:54 -07:00

Matthew Penner
e6c4a68e4a
Update logic for tracking a server's transfer state
2020-12-17 10:35:54 -07:00

Dane Everitt
d22456d9ca
Block API access when 2FA is required on account; closes #2791
2020-12-06 13:56:14 -08:00

Matt Malec
df64026449
Update AuthenticateIPAccess.php

Fix a 500 error when processing a request with an IP filter
2020-11-08 21:57:22 -05:00

Dane Everitt
c00e5b36a5
Return all servers for a node as a paginated response

Avoids crashing the PHP process and avoids a bad runaway N+1 query issue that previously existed.
2020-10-31 11:14:28 -07:00

Dane Everitt
f31a6d3967
Fix parameter bindings for client API routes; closes pterodactyl/panel#2359
2020-09-27 10:39:18 -07:00

Dane Everitt
906cfce81c
Don't return a 403 when returning resources for a suspended server; closes #2279
2020-08-30 09:54:59 -07:00

Dane Everitt
540cc82e3d
Don't resolve database hosts; closes #2237
2020-08-19 20:38:51 -07:00

Dane Everitt
61e9771333
Code cleanup for subuser API endpoints; closes #2247
2020-08-19 20:21:12 -07:00

Dane Everitt
2278927fb6
Update allocations to support ids; protect endpoints; support notes
2020-07-09 20:36:08 -07:00

DarthShmev
06ece0e624
Fix AuthenticateServerAccess middleware spelling issue.
2020-07-05 15:48:02 -04:00

Dane Everitt
fde8465f35
Show a better error when JSON data cannot be parsed in the request
2020-06-30 20:05:11 -07:00

Dane Everitt
756a21ff04
Remove unused code
2020-06-24 20:38:13 -07:00

Dane Everitt
536180ed0c
Return Http test cases to a passing state
2020-06-23 21:59:37 -07:00

Dane Everitt
16e14621c8
Better error messaging when server is suspended
2020-06-22 20:22:52 -07:00

Dane Everitt
6056b6f45d
Show console when an admin is viewing an installing server
2020-04-26 13:21:39 -07:00

Matthew Penner
658a959e5d
Fix trailing comma in DaemonAuthenticate.php, change ServerDetailsController.php to use node authentication
2020-04-10 17:54:50 -06:00

Dane Everitt
2532a73425
Don't throw errors if bad data is sent in the header
2020-04-10 15:53:19 -07:00

Dane Everitt
7557dddf49
Store node daemon tokens in an encrypted manner
2020-04-10 15:15:38 -07:00

Dane Everitt
be05d2df81
Add support for generating a signed URL for downloading a file from the daemon
2020-04-04 19:54:59 -07:00

Dane Everitt
1f92a7de33
Authenticate that the request is coming from someone that should even know about the server
2020-03-28 16:23:18 -07:00

Dane Everitt
d9d4c0590c
Fix silent failure mode when recaptcha is enabled
2019-12-15 16:13:44 -08:00

Dane Everitt
c17f9ba8a9
Move server view management parts to new controller and clean up code
2019-11-24 12:50:16 -08:00

Dane Everitt
7543ef085d
Format files
2019-09-05 21:32:57 -07:00

Dane Everitt
95d19bf09e
Update logic that handles creation of folders for a server
2019-05-01 21:45:39 -07:00

Dane Everitt
5ca13839cf
Merge branch 'develop' into feature/vue-serverview
2018-09-05 21:34:59 -07:00

Dane Everitt
fd49e524c8
Update middleware code
2018-09-03 15:17:53 -07:00

Dane Everitt
4d62e4c7b9
Merge branch 'develop' into pr/1128
2018-09-03 15:10:23 -07:00

Dane Everitt
f3efe546da
Fix broken namespace for autoloader
2018-08-31 20:34:57 -07:00

Dane Everitt
0999ec93c3
More logic for deleting databases
2018-08-25 15:07:42 -07:00

Dane Everitt
9be2aa4ca9
Push beginning of DB deletion stuff
2018-08-25 14:43:21 -07:00

Dane Everitt
8bbe6bc279
Add test, fix behavior of model creation
2018-07-14 22:58:33 -07:00

Dane Everitt
550c622d3b
Obliterate JWT from codebase
2018-07-14 22:48:09 -07:00

Dane Everitt
6336e5191f
Strip out JWT usage and use cookies to track the currently logged in user
2018-07-14 22:42:58 -07:00

Dane Everitt
eafc4408eb
Fix broken unit tests
2018-07-14 21:49:49 -07:00

Dane Everitt
c82f273d85
Fix remaining broken tests
2018-07-04 19:38:23 -07:00