Path: blob/1.0-develop/app/Providers/RouteServiceProvider.php
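<?php

namespace Pterodactyl\Providers;

use Illuminate\Http\Request;
use Pterodactyl\Models\Database;
use Illuminate\Support\Facades\Route;
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;
use Pterodactyl\Http\Middleware\TrimStrings;
use Pterodactyl\Http\Middleware\AdminAuthenticate;
use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;

/**
 * Registers the route files, the middleware stack attached to each of them,
 * and the named rate limiters referenced by the "throttle:*" middleware.
 */
class RouteServiceProvider extends ServiceProvider
{
    /**
     * Matches the client API file endpoints of a server, identified by a
     * 36-character server identifier. Used to exempt those requests from
     * string trimming.
     */
    protected const FILE_PATH_REGEX = '/^\/api\/client\/servers\/([a-z0-9-]{36})\/files(\/?$|\/(.)*$)/i';

    /**
     * Define your route model bindings, pattern filters, etc.
     */
    public function boot(): void
    {
        $this->configureRateLimiting();

        // Disable trimming string values when requesting file information — it isn't helpful
        // and messes up the ability to actually open a directory that ends with a space.
        TrimStrings::skipWhen(function (Request $request) {
            return preg_match(self::FILE_PATH_REGEX, $request->getPathInfo()) === 1;
        });

        // This is needed to make use of the "resolveRouteBinding" functionality in the
        // model. Without it you'll never trigger that logic flow thus resulting in a 404
        // error because we request databases with a HashID, and not with a normal ID.
        Route::model('database', Database::class);

        $this->routes(function () {
            Route::middleware('web')->group(function () {
                // Session-authenticated panel routes; two-factor enforcement runs on every one.
                Route::middleware(['auth.session', RequireTwoFactorAuthentication::class])
                    ->group(base_path('routes/base.php'));

                // Admin routes carry the same stack plus the administrator check.
                Route::middleware(['auth.session', RequireTwoFactorAuthentication::class, AdminAuthenticate::class])
                    ->prefix('/admin')
                    ->group(base_path('routes/admin.php'));

                Route::middleware('guest')->prefix('/auth')->group(base_path('routes/auth.php'));
            });

            Route::middleware(['api', RequireTwoFactorAuthentication::class])->group(function () {
                Route::middleware(['application-api', 'throttle:api.application'])
                    ->prefix('/api/application')
                    ->scopeBindings()
                    ->group(base_path('routes/api-application.php'));

                Route::middleware(['client-api', 'throttle:api.client'])
                    ->prefix('/api/client')
                    ->scopeBindings()
                    ->group(base_path('routes/api-client.php'));
            });

            // NOTE(review): no throttle middleware is attached to this group here; request
            // authentication is presumably handled inside the "daemon" middleware group,
            // which is defined outside this file. Confirm before relying on it.
            Route::middleware('daemon')
                ->prefix('/api/remote')
                ->scopeBindings()
                ->group(base_path('routes/api-remote.php'));
        });
    }

    /**
     * Configure the rate limiters for the application.
     *
     * Registers three named limiters: "authentication", "api.client" and
     * "api.application". The two API limiters are attached in boot(); where the
     * "authentication" limiter is attached is not visible in this file.
     */
    protected function configureRateLimiting(): void
    {
        // Authentication rate limiting. For login and checkpoint endpoints we'll apply
        // a limit of 10 requests per minute, for the forgot password endpoint apply a
        // limit of two per minute so that there is less ability to trigger email spam.
        //
        // Both limits are keyed by the requester's IP address. A Limit without a by()
        // key is counted in a single bucket shared by every client, which would let
        // one client consume the whole login budget and lock all other users out.
        //
        // NOTE(review): $request->ip() is only meaningful behind a reverse proxy when
        // the trusted proxy configuration is correct; that configuration lives outside
        // this file and should be verified.
        RateLimiter::for('authentication', function (Request $request) {
            if ($request->route()->named('auth.post.forgot-password')) {
                return Limit::perMinute(2)->by($request->ip());
            }

            return Limit::perMinute(10)->by($request->ip());
        });

        // Configure the throttles for both the application and client APIs below.
        // This is configurable per-instance in "config/http.php". By default this
        // limiter will be tied to the specific request user, and falls back to the
        // request IP if there is no request user present for the key.
        //
        // This means that an authenticated API user cannot use IP switching to get
        // around the limits.
        RateLimiter::for('api.client', function (Request $request) {
            $key = optional($request->user())->uuid ?: $request->ip();

            return Limit::perMinutes(
                config('http.rate_limit.client_period'),
                config('http.rate_limit.client')
            )->by($key);
        });

        RateLimiter::for('api.application', function (Request $request) {
            $key = optional($request->user())->uuid ?: $request->ip();

            return Limit::perMinutes(
                config('http.rate_limit.application_period'),
                config('http.rate_limit.application')
            )->by($key);
        });
    }
}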