1
<?php
2

3
namespace Pterodactyl\Http\Middleware\Api;
4

5
use IPTools\IP;
6
use IPTools\Range;
7
use Illuminate\Http\Request;
8
use Pterodactyl\Facades\Activity;
9
use Laravel\Sanctum\TransientToken;
10
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
11

12
class AuthenticateIPAccess
13
{
14
    /**
15
     * Determine if a request IP has permission to access the API.
16
     *
17
     * @throws \Exception
18
     * @throws AccessDeniedHttpException
19
     */
20
    public function handle(Request $request, \Closure $next): mixed
21
    {
22
        /** @var TransientToken|\Pterodactyl\Models\ApiKey $token */
23
        $token = $request->user()->currentAccessToken();
24

25
        // If this is a stateful request just push the request through to the next
26
        // middleware in the stack, there is nothing we need to explicitly check. If
27
        // this is a valid API Key, but there is no allowed IP restriction, also pass
28
        // the request through.
29
        if ($token instanceof TransientToken || empty($token->allowed_ips)) {
30
            return $next($request);
31
        }
32

33
        $find = new IP($request->ip());
34
        foreach ($token->allowed_ips as $ip) {
35
            if (Range::parse($ip)->contains($find)) {
36
                return $next($request);
37
            }
38
        }
39

40
        Activity::event('auth:ip-blocked')
41
            ->actor($request->user())
42
            ->subject($request->user(), $token)
43
            ->property('identifier', $token->identifier)
44
            ->log();
45

46
        throw new AccessDeniedHttpException('This IP address (' . $request->ip() . ') does not have permission to access the API using these credentials.');
47
    }
48
}
49

50