[v0.4.4] Added DISABLE_CSRF env option & TRUSTED_PROXIES (#46)

Co-authored-by: Konrad Sroga <[email protected]>

Author: pteroca-com

CHANGELOG.md

@@ -2,6 +2,17 @@
 
 ---
 
+## [0.4.4] - 2025-03-26
+
+### Added
+- Added TRUSTED_PROXIES environment variable to specify trusted proxies for Symfony.
+- Added DISABLE_CSRF environment variable to allow disabling CSRF protection.
+
+### Fixed
+- Fixed an issue where the user with USER_ROLE could not access server console.
+
+---
+
 ## [0.4.3] - 2025-03-24
 
 ### Added

composer.json

@@ -1,7 +1,7 @@
 {
     "name": "pteroca/panel",
     "description": "PteroCA.com is a free, open-source client area and management panel designed specifically for Pterodactyl server users and hosting providers. The platform simplifies and automates server management with a user-friendly interface and robust billing features.",
-    "version": "0.4.3",
+    "version": "0.4.4",
     "type": "project",
     "license": "MIT",
     "minimum-stability": "stable",

config/packages/framework.yaml

@@ -1,7 +1,6 @@
 # see https://symfony.com/doc/current/reference/configuration/framework.html
 framework:
     secret: '%env(APP_SECRET)%'
-    #csrf_protection: true
 
     # Note that the session will be started ONLY if you read or write from it.
     session: true

public/index.php

@@ -1,9 +1,28 @@
 <?php
 
 use App\Kernel;
+use Symfony\Component\Dotenv\Dotenv;
+use Symfony\Component\HttpFoundation\Request;
 
 require_once dirname(__DIR__).'/vendor/autoload_runtime.php';
 
+(new Dotenv())->bootEnv(dirname(__DIR__).'/.env');
+
+$trustedProxies = $_ENV['TRUSTED_PROXIES'] ?? '';
+if (!empty($trustedProxies)) {
+    $proxiesArray = array_map('trim', explode(',', $trustedProxies));
+
+    Request::setTrustedProxies(
+        $proxiesArray,
+        Request::HEADER_X_FORWARDED_FOR
+        | Request::HEADER_X_FORWARDED_HOST
+        | Request::HEADER_X_FORWARDED_PORT
+        | Request::HEADER_X_FORWARDED_PROTO
+        | Request::HEADER_X_FORWARDED_PREFIX
+        | Request::HEADER_X_FORWARDED_AWS_ELB
+    );
+}
+
 return function (array $context) {
     return new Kernel($context['APP_ENV'], (bool) $context['APP_DEBUG']);
 };

src/Core/Controller/API/ServerController.php

@@ -3,7 +3,6 @@
 namespace App\Core\Controller\API;
 
 use App\Core\Entity\Server;
-use App\Core\Enum\UserRoleEnum;
 use App\Core\Repository\ServerRepository;
 use App\Core\Service\Server\ServerService;
 use App\Core\Service\Server\ServerWebsocketService;
@@ -50,7 +49,7 @@ private function getServer(int $id): Server
             throw $this->createNotFoundException();
         }
 
-        if ($server->getUser() !== $this->getUser() || !$this->isGranted(UserRoleEnum::ROLE_ADMIN->name)) {
+        if ($server->getUser() !== $this->getUser()) {
             throw $this->createAccessDeniedException();
         }
 

src/Core/Form/RegistrationFormType.php

@@ -99,9 +99,10 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
 
     public function configureOptions(OptionsResolver $resolver): void
     {
+        $disableCsrf = isset($_ENV['DISABLE_CSRF']) && $_ENV['DISABLE_CSRF'] === 'true';
         $resolver->setDefaults([
             'data_class' => User::class,
-            'csrf_protection' => true,
+            'csrf_protection' => !$disableCsrf,
             'csrf_field_name' => '_token',
             'csrf_token_id'   => 'user_registration',
         ]);

src/Core/Form/ResetPasswordFormType.php

@@ -2,6 +2,7 @@
 
 namespace App\Core\Form;
 
+use App\Core\Entity\User;
 use Symfony\Component\Form\AbstractType;
 use Symfony\Component\Form\Extension\Core\Type\PasswordType;
 use Symfony\Component\Form\FormBuilderInterface;
@@ -63,6 +64,11 @@ public function validatePasswordMatch($object, ExecutionContextInterface $contex
 
     public function configureOptions(OptionsResolver $resolver): void
     {
-        $resolver->setDefaults([]);
+        $disableCsrf = isset($_ENV['DISABLE_CSRF']) && $_ENV['DISABLE_CSRF'] === 'true';
+        $resolver->setDefaults([
+            'csrf_protection' => !$disableCsrf,
+            'csrf_field_name' => '_token',
+            'csrf_token_id'   => 'user_registration',
+        ]);
     }
 }

src/Core/Form/ResetPasswordRequestFormType.php

@@ -25,6 +25,11 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
 
     public function configureOptions(OptionsResolver $resolver): void
     {
-        $resolver->setDefaults([]);
+        $disableCsrf = isset($_ENV['DISABLE_CSRF']) && $_ENV['DISABLE_CSRF'] === 'true';
+        $resolver->setDefaults([
+            'csrf_protection' => !$disableCsrf,
+            'csrf_field_name' => '_token',
+            'csrf_token_id'   => 'user_registration',
+        ]);
     }
 }

src/Core/Resources/config/services.yaml

@@ -1,5 +1,5 @@
 parameters:
-  version: '0.4.3'
+  version: '0.4.4'
   categories_base_path: '/uploads/categories'
   categories_directory: 'public/uploads/categories'
   products_base_path: '/uploads/products'

src/Core/Security/UserAuthenticator.php

@@ -52,13 +52,18 @@ public function authenticate(Request $request): Passport
 
         $request->getSession()->set(SecurityRequestAttributes::LAST_USERNAME, $email);
 
+        $disableCsrf = isset($_ENV['DISABLE_CSRF']) && $_ENV['DISABLE_CSRF'] === 'true';
+        $badges = [
+            new RememberMeBadge(),
+        ];
+        if (!$disableCsrf) {
+            $badges[] = new CsrfTokenBadge('authenticate', $request->request->get('_csrf_token'));
+        }
+
         return new Passport(
             new UserBadge($email),
             new PasswordCredentials($request->request->get('password', '')),
-            [
-                new CsrfTokenBadge('authenticate', $request->request->get('_csrf_token')),
-                new RememberMeBadge(),
-            ]
+            $badges,
         );
     }