Ensure we don't cause a mess with the auth providers

Author: DaneEveritt

app/Http/Kernel.php

@@ -2,6 +2,7 @@
 
 namespace Pterodactyl\Http;
 
+use Fruitcake\Cors\HandleCors;
 use Illuminate\Auth\Middleware\Authorize;
 use Illuminate\Auth\Middleware\Authenticate;
 use Illuminate\Http\Middleware\TrustProxies;
@@ -26,9 +27,9 @@
 use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
 use Pterodactyl\Http\Middleware\Api\Daemon\DaemonAuthenticate;
 use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
-use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode;
 use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull;
 use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientBindings;
+use Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance;
 use Pterodactyl\Http\Middleware\Api\Application\AuthenticateApplicationUser;
 
 class Kernel extends HttpKernel
@@ -39,12 +40,12 @@ class Kernel extends HttpKernel
      * @var array
      */
     protected $middleware = [
-        CheckForMaintenanceMode::class,
-        EncryptCookies::class,
+        TrustProxies::class,
+        HandleCors::class,
+        PreventRequestsDuringMaintenance::class,
         ValidatePostSize::class,
         TrimStrings::class,
         ConvertEmptyStringsToNull::class,
-        TrustProxies::class,
     ];
 
     /**
@@ -54,14 +55,13 @@ class Kernel extends HttpKernel
      */
     protected $middlewareGroups = [
         'web' => [
+            EncryptCookies::class,
             AddQueuedCookiesToResponse::class,
             StartSession::class,
-            AuthenticateSession::class,
             ShareErrorsFromSession::class,
             VerifyCsrfToken::class,
             SubstituteBindings::class,
             LanguageMiddleware::class,
-            RequireTwoFactorAuthentication::class,
         ],
         'api' => [
             EnsureStatefulRequests::class,
@@ -91,6 +91,7 @@ class Kernel extends HttpKernel
     protected $routeMiddleware = [
         'auth' => Authenticate::class,
         'auth.basic' => AuthenticateWithBasicAuth::class,
+        'auth.session' => AuthenticateSession::class,
         'guest' => RedirectIfAuthenticated::class,
         'csrf' => VerifyCsrfToken::class,
         'throttle' => ThrottleRequests::class,

app/Providers/RouteServiceProvider.php

@@ -9,6 +9,7 @@
 use Illuminate\Support\Facades\RateLimiter;
 use Pterodactyl\Http\Middleware\TrimStrings;
 use Pterodactyl\Http\Middleware\AdminAuthenticate;
+use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
 use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
 
 class RouteServiceProvider extends ServiceProvider
@@ -35,12 +36,17 @@ public function boot()
 
         $this->routes(function () {
             Route::middleware('web')->group(function () {
-                Route::middleware('auth')->group(base_path('routes/base.php'));
+                Route::middleware(['auth.session', RequireTwoFactorAuthentication::class])
+                    ->group(base_path('routes/base.php'));
+
+                Route::middleware(['auth.session', RequireTwoFactorAuthentication::class, AdminAuthenticate::class])
+                    ->prefix('/admin')
+                    ->group(base_path('routes/admin.php'));
+
                 Route::middleware('guest')->prefix('/auth')->group(base_path('routes/auth.php'));
-                Route::middleware(['auth', AdminAuthenticate::class])->prefix('/admin')->group(base_path('routes/admin.php'));
             });
 
-            Route::middleware('api')->group(function () {
+            Route::middleware(['api', RequireTwoFactorAuthentication::class])->group(function () {
                 Route::middleware(['application-api', 'throttle:api.application'])
                     ->prefix('/api/application')
                     ->scopeBindings()

composer.json

@@ -19,6 +19,7 @@
         "ext-zip": "*",
         "aws/aws-sdk-php": "^3.171",
         "doctrine/dbal": "~2.13.9",
+        "fruitcake/laravel-cors": "~3.0.0",
         "guzzlehttp/guzzle": "~7.4.2",
         "hashids/hashids": "~4.1.0",
         "laracasts/utilities": "~3.2.1",

composer.lock

@@ -0,0 +1,59 @@
+<?php
+
+return [
+    /*
+    |--------------------------------------------------------------------------
+    | Laravel CORS Options
+    |--------------------------------------------------------------------------
+    |
+    | The allowed_methods and allowed_headers options are case-insensitive.
+    |
+    | You don't need to provide both allowed_origins and allowed_origins_patterns.
+    | If one of the strings passed matches, it is considered a valid origin.
+    |
+    | If ['*'] is provided to allowed_methods, allowed_origins or allowed_headers
+    | all methods / origins / headers are allowed.
+    |
+    */
+
+    /*
+     * You can enable CORS for 1 or multiple paths.
+     * Example: ['api/*']
+     */
+    'paths' => ['/api/client', '/api/application', '/api/client/*', '/api/application/*'],
+
+    /*
+     * Matches the request method. `['*']` allows all methods.
+     */
+    'allowed_methods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD'],
+
+    /*
+     * Matches the request origin. `['*']` allows all origins. Wildcards can be used, eg `*.mydomain.com`
+     */
+    'allowed_origins' => explode(',', env('APP_CORS_ALLOWED_ORIGINS') ?? ''),
+
+    /*
+     * Patterns that can be used with `preg_match` to match the origin.
+     */
+    'allowed_origins_patterns' => [],
+
+    /*
+     * Sets the Access-Control-Allow-Headers response header. `['*']` allows all headers.
+     */
+    'allowed_headers' => ['*'],
+
+    /*
+     * Sets the Access-Control-Expose-Headers response header with these headers.
+     */
+    'exposed_headers' => [],
+
+    /*
+     * Sets the Access-Control-Max-Age response header when > 0.
+     */
+    'max_age' => 0,
+
+    /*
+     * Sets the Access-Control-Allow-Credentials header.
+     */
+    'supports_credentials' => true,
+];

config/cors.php

@@ -14,11 +14,12 @@ export interface LoginData {
 
 export default ({ username, password, recaptchaData }: LoginData): Promise<LoginResponse> => {
     return new Promise((resolve, reject) => {
-        http.post('/auth/login', {
-            user: username,
-            password,
-            'g-recaptcha-response': recaptchaData,
-        })
+        http.get('/sanctum/csrf-cookie')
+            .then(() => http.post('/auth/login', {
+                user: username,
+                password,
+                'g-recaptcha-response': recaptchaData,
+            }))
             .then(response => {
                 if (!(response.data instanceof Object)) {
                     return reject(new Error('An error occurred while processing the login request.'));