Skip to content

Added support for viewing and deleting of any Application API Keys #5176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
MackenzieMolloy wants to merge 11 commits into
base: 1.0-develop
Choose a base branch
from
Open

Added support for viewing and deleting of any Application API Keys #5176

MackenzieMolloy wants to merge 11 commits into from
+23 −49

Conversation

@MackenzieMolloy
Copy link
Contributor

@MackenzieMolloy MackenzieMolloy commented Jul 31, 2024
edited
Loading

This PR closes Issue #5175.

For context, I am aware that Application API Keys are deprecated in favour of Client API Keys however they are still operational within Pterodactyl and thus, not fully removed.

Currently in Pterodactyl, as an Admin, you can only view your Application API Keys on the Admin Panel. In this PR, I made it so all Application Keys are visible and deletable. The key strings are obfuscated if the key does not belong to the user viewing.

image

The reason for adding this is primarily so other admin users can be aware of and delete another admin user's Application API keys from the UI. This functionality is useful in the event of a malicious user compromising an admin account, creating some API Keys to continue their attacks and the owner of the compromised admin account being unaware of Application API Keys. In this instance, even after a password reset, the attack could continue via the Application API without the admin realising it.

I've tested the creation and deleting of keys along with using keys via the Application API to ensure no breakages have occurred.

@MackenzieMolloy MackenzieMolloy changed the title Added support for viewing and deleting of other Application API Keys Added support for viewing and deleting of any Application API Keys Jul 31, 2024
@DaneEveritt DaneEveritt added this to the v1.12.0 milestone Jan 4, 2026
DaneEveritt
DaneEveritt requested changes Jan 4, 2026
View reviewed changes
app/Http/Controllers/Admin/NodeAutoDeployController.php Outdated
{
/** @var ApiKey|null $key */
$key = $this->repository->getApplicationKeys($request->user())
$key = $this->repository->getApplicationKeys()
Copy link
Member

@DaneEveritt DaneEveritt Jan 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would keep getApplicationKeys as supporting a ?User $user = null parameter, or even just ?User $user and explicitly passing null or the user depending on the context so it is clear we're intentionally requesting all, or only requesting user specific ones.

DaneEveritt
DaneEveritt requested changes Jan 4, 2026
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DaneEveritt DaneEveritt DaneEveritt approved these changes

At least 0 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v1.12.0

Development

Successfully merging this pull request may close these issues.

2 participants

@MackenzieMolloy @DaneEveritt