From 317698a84a4e4eef6198596f39c8b1573bdd2a97 Mon Sep 17 00:00:00 2001 From: Dane Everitt Date: Sat, 16 Jan 2016 20:11:31 -0500 Subject: [PATCH] encrypt API keys --- app/Http/Middleware/APISecretToken.php | 11 ++++++- app/Repositories/APIRepository.php | 6 ++-- .../2016_01_17_005834_modify_api_keys.php | 31 +++++++++++++++++++ 3 files changed, 45 insertions(+), 3 deletions(-) create mode 100644 database/migrations/2016_01_17_005834_modify_api_keys.php diff --git a/app/Http/Middleware/APISecretToken.php b/app/Http/Middleware/APISecretToken.php index 7678a1e89..0ac1fe2db 100644 --- a/app/Http/Middleware/APISecretToken.php +++ b/app/Http/Middleware/APISecretToken.php @@ -2,6 +2,8 @@ namespace Pterodactyl\Http\Middleware; +use Crypt; + use Pterodactyl\Models\APIKey; use Pterodactyl\Models\APIPermission; @@ -12,6 +14,7 @@ use Dingo\Api\Auth\Provider\Authorization; use Symfony\Component\HttpKernel\Exception\BadRequestHttpException; // 400 use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException; // 401 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; // 403 +use Symfony\Component\HttpKernel\Exception\HttpException; //500 class APISecretToken extends Authorization { @@ -63,7 +66,13 @@ class APISecretToken extends Authorization } } - if($this->_generateHMAC($request->fullUrl(), $request->getContent(), $key->secret) !== base64_decode($hashed)) { + try { + $decrypted = Crypt::decrypt($key->secret); + } catch (\Illuminate\Contracts\Encryption\DecryptException $ex) { + throw new HttpException('There was an error while attempting to check your secret key.'); + } + + if($this->_generateHMAC($request->fullUrl(), $request->getContent(), $decrypted) !== base64_decode($hashed)) { throw new BadRequestHttpException('The hashed body was not valid. Potential modification of contents in route.'); } diff --git a/app/Repositories/APIRepository.php b/app/Repositories/APIRepository.php index 92dd876e8..b66cc1a3c 100644 --- a/app/Repositories/APIRepository.php 
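Review bot: In the new catch block, `new HttpException('There was an error while attempting to check your secret key.')` passes the message where Symfony's `HttpException` takes the integer status code as its first argument, so the exception is built with a non-numeric status and no message even though the import is annotated `//500`; it should read `throw new HttpException(500, 'There was an error while attempting to check your secret key.', $ex);`, which also keeps the `DecryptException` as the previous exception for logging. The re-added HMAC check on the following line still compares a secret-derived value with `!==`, which is not constant-time; use `hash_equals($this->_generateHMAC($request->fullUrl(), $request->getContent(), $decrypted), base64_decode($hashed))`, and consider `base64_decode($hashed, true)` with an explicit rejection when it returns `false` so a malformed header never reaches the comparison. Any `APIKey` row whose `secret` is still the pre-change plaintext will now throw `DecryptException` and turn every request with that key into a 500, so it is worth confirming that the migration added by this commit re-encrypts existing rows rather than only altering the column — I cannot see its body here. The enclosing method begins outside the hunk.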
+++ b/app/Repositories/APIRepository.php @@ -3,6 +3,7 @@ namespace Pterodactyl\Repositories; use DB; +use Crypt; use Validator; use IPTools\Network; @@ -100,10 +101,11 @@ class APIRepository DB::beginTransaction(); + $secretKey = str_random(16) . '.' . str_random(15); $key = new Models\APIKey; $key->fill([ 'public' => str_random(16), - 'secret' => str_random(16) . '.' . str_random(15), + 'secret' => Crypt::encrypt($secretKey), 'allowed_ips' => empty($this->allowed) ? null : json_encode($this->allowed) ]); $key->save(); @@ -121,7 +123,7 @@ class APIRepository try { DB::commit(); - return $key->secret; + return $secretKey; } catch (\Exception $ex) { throw $ex; } diff --git a/database/migrations/2016_01_17_005834_modify_api_keys.php b/database/migrations/2016_01_17_005834_modify_api_keys.php new file mode 100644 index 000000000..e1e391940 --- /dev/null +++ b/database/migrations/2016_01_17_005834_modify_api_keys.php @@ -0,0 +1,31 @@ +
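Review bot: The switch to `'secret' => Crypt::encrypt($secretKey)` deserves a comment at the new `$secretKey = ...` line, because a reader will otherwise ask why the secret is reversibly encrypted instead of hashed like a password: `// Stored encrypted, not hashed: APISecretToken must recover the plaintext to verify request HMACs.` It is also worth stating there that the plaintext leaves this method exactly once, e.g. `// The plaintext is only handed back from this call; $key->secret holds the ciphertext.` The encrypter's output is considerably longer than the 32-character plaintext it replaces, so the `secret` column must be widened — presumably by the migration in this commit, which I cannot confirm from the visible hunks. The enclosing method starts and ends outside the hunk.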
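Review bot: The `catch (\Exception $ex) { throw $ex; }` wrapping `DB::commit()` and the new `return $secretKey;` rethrows without doing anything, and nothing in the visible hunk rolls back the transaction opened by `DB::beginTransaction()` earlier in the method when the commit fails; unless a rollback exists outside the hunk, change it to `} catch (\Exception $ex) { DB::rollBack(); throw $ex; }`, or remove the try/catch entirely if it is intentionally a no-op. The enclosing method begins outside the hunk.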