Path: blob/1.0-develop/app/Providers/RouteServiceProvider.php
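<?php

namespace Pterodactyl\Providers;

use Illuminate\Http\Request;
use Pterodactyl\Models\Database;
use Pterodactyl\Enum\ResourceLimit;
use Illuminate\Support\Facades\Route;
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;
use Pterodactyl\Http\Middleware\TrimStrings;
use Pterodactyl\Http\Middleware\AdminAuthenticate;
use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;

/**
 * Registers the application's route groups, the "database" route model binding
 * and the named rate limiters referenced by the throttle middleware.
 */
class RouteServiceProvider extends ServiceProvider
{
    /**
     * Matches the client API file endpoints: "/api/client/servers/<id>/files",
     * optionally followed by "/" and any further path. The id segment is 36
     * characters drawn from a-z, 0-9 and "-", and the match is case-insensitive.
     */
    protected const FILE_PATH_REGEX = '/^\/api\/client\/servers\/([a-z0-9-]{36})\/files(\/?$|\/(.)*$)/i';

    /**
     * Define your route model bindings, pattern filters, etc.
     *
     * Also registers the rate limiters and maps every route file to its URL
     * prefix and middleware stack.
     */
    public function boot(): void
    {
        $this->configureRateLimiting();

        // Disable trimming string values when requesting file information — it isn't helpful
        // and messes up the ability to actually open a directory that ends with a space.
        // Only the request path is inspected, so the exemption applies to every string
        // input of a request whose path matches FILE_PATH_REGEX.
        TrimStrings::skipWhen(function (Request $request) {
            return preg_match(self::FILE_PATH_REGEX, $request->getPathInfo()) === 1;
        });

        // This is needed to make use of the "resolveRouteBinding" functionality in the
        // model. Without it you'll never trigger that logic flow, resulting in a 404
        // error because we request databases with a HashID, and not with a normal ID.
        Route::model('database', Database::class);

        $this->routes(function () {
            Route::middleware('web')->group(function () {
                // Base routes: session authentication plus the two-factor requirement.
                Route::middleware(['auth.session', RequireTwoFactorAuthentication::class])
                    ->group(base_path('routes/base.php'));

                // Admin routes: the same stack as the base routes with AdminAuthenticate added.
                Route::middleware(['auth.session', RequireTwoFactorAuthentication::class, AdminAuthenticate::class])
                    ->prefix('/admin')
                    ->group(base_path('routes/admin.php'));

                // Authentication routes are limited to guests. No throttle middleware is
                // attached in this file; presumably routes/auth.php applies the
                // "authentication" limiter itself — confirm there.
                Route::middleware('guest')->prefix('/auth')->group(base_path('routes/auth.php'));
            });

            Route::middleware(['api', RequireTwoFactorAuthentication::class])->group(function () {
                Route::middleware(['application-api', 'throttle:api.application'])
                    ->prefix('/api/application')
                    ->scopeBindings()
                    ->group(base_path('routes/api-application.php'));

                Route::middleware(['client-api', 'throttle:api.client'])
                    ->prefix('/api/client')
                    ->scopeBindings()
                    ->group(base_path('routes/api-client.php'));
            });

            // NOTE(review): the remote API group carries only the "daemon" middleware
            // here, with no throttle limiter and no two-factor requirement. Confirm that
            // the "daemon" middleware authenticates these requests.
            Route::middleware('daemon')
                ->prefix('/api/remote')
                ->scopeBindings()
                ->group(base_path('routes/api-remote.php'));
        });
    }

    /**
     * Configure the rate limiters for the application.
     *
     * Registers the "authentication", "api.client" and "api.application"
     * limiters and then calls ResourceLimit::boot().
     */
    protected function configureRateLimiting(): void
    {
        // Authentication rate limiting. For login and checkpoint endpoints we'll apply
        // a limit of 10 requests per minute. For the forgot password endpoint we apply a
        // limit of two per minute for the requester so that there is less ability to
        // trigger email spam.
        //
        // NOTE(review): $request->ip() only identifies the real client when trusted
        // proxies are configured correctly; behind an untrusted reverse proxy many
        // clients may share one address. Verify the deployment's proxy settings.
        RateLimiter::for('authentication', function (Request $request) {
            if ($request->route()->named('auth.post.forgot-password')) {
                return Limit::perMinute(2)->by($request->ip());
            }

            // NOTE(review): this limit has no by() key, so Laravel tracks it as a
            // single bucket shared by every requester of the endpoints using this
            // limiter rather than one bucket per client. If a per-client limit is
            // intended, segment it with by() using a key that differs from the
            // forgot-password bucket above, since both live under this limiter name.
            return Limit::perMinute(10);
        });

        // Configure the throttles for both the application and client APIs below.
        // This is configurable per-instance in "config/http.php". By default this
        // limiter will be tied to the specific request user, and falls back to the
        // request IP if there is no request user present for the key.
        //
        // This means that an authenticated API user cannot use IP switching to get
        // around the limits.
        RateLimiter::for('api.client', function (Request $request) {
            // "?:" also falls back to the IP when the user has an empty uuid.
            $key = optional($request->user())->uuid ?: $request->ip();

            return Limit::perMinutes(
                config('http.rate_limit.client_period'),
                config('http.rate_limit.client')
            )->by($key);
        });

        RateLimiter::for('api.application', function (Request $request) {
            $key = optional($request->user())->uuid ?: $request->ip();

            return Limit::perMinutes(
                config('http.rate_limit.application_period'),
                config('http.rate_limit.application')
            )->by($key);
        });

        // Defined outside this file; presumably registers further limiters — confirm
        // against Pterodactyl\Enum\ResourceLimit.
        ResourceLimit::boot();
    }
}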