Pterodactyl-Panel/app
Dane Everitt 60eff40a0c
Fix session management on client API requests; closes #3727
Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for
requests. That pathway found the current request user before continuing on to
other in-app middleware, thus the user was available downstream.

Changes introduced in 1.6.3 changed the throttler logic, therefore removing this
step. As a result, the client API could not always get the currently authenticated
user when cookies were used (aka, requests from the Panel UI, and not API directly).

This change corrects the logic to get the session set up correctly before falling
through to authenticating as a user using the API key. If a cookie is present and a
user is found as a result, that session will be used. If an API key is provided it is
ignored when a cookie is also present.

In order to keep the API stateless, any session created for an API request stemming
from an API key will have the associated session deleted at the end of the request,
and the 'Set-Cookies' header will be stripped from the response.
2021-11-03 20:51:39 -07:00
Console cmd(upgrade): Attempt to gain users attention during upgrade (#3678) 2021-10-10 11:08:22 -07:00
Contracts Fix tests 2021-01-30 19:12:22 -08:00
Events Use more standardized phpcs 2021-01-23 12:33:34 -08:00
Exceptions Add support for locking backups to prevent any accidental deletions 2021-05-03 21:26:09 -07:00
Extensions Turns out I hate that huge space formatting, disable that mess 2021-01-27 20:52:11 -08:00
Helpers Use more standardized phpcs 2021-01-23 12:33:34 -08:00
Http Fix session management on client API requests; closes #3727 2021-11-03 20:51:39 -07:00
Jobs Add test coverage for RunTaskJob 2021-05-01 12:24:42 -07:00
Models Fix missing user agent headers to store an empty string rather than null value 2021-09-11 13:00:53 -07:00
Notifications Use more standardized phpcs 2021-01-23 12:33:34 -08:00
Observers Use more standardized phpcs 2021-01-23 12:33:34 -08:00
Policies Turns out I hate that huge space formatting, disable that mess 2021-01-27 20:52:11 -08:00
Providers Use more standardized rate limiting in Laravel; apply limits to auth routes 2021-10-23 12:17:16 -07:00
Repositories Update API calls to Wings to only pass the required details with the changes to the installer system 2021-08-29 14:09:43 -07:00
Rules Turns out I hate that huge space formatting, disable that mess 2021-01-27 20:52:11 -08:00
Services Fix wings receiving wrong suspended status on sync (#3667) 2021-10-07 08:46:09 -07:00
Traits Additional coverage to ensure values are wrapped as expected; ref #3287 2021-04-24 16:39:56 -07:00
Transformers expose uptime to client resources API endpoint (#3705) 2021-10-24 10:12:17 -07:00
helpers.php Turns out I hate that huge space formatting, disable that mess 2021-01-27 20:52:11 -08:00