This repository was archived by the owner on Aug 8, 2025. It is now read-only.
Merge new pterodactyl#1
Open
BlueTree242 wants to merge 472 commits into
Open
Conversation
* server: track `installed_at`, only send install notification on first install * server: add configuration for install notifications
Allows IPv6 addresses to be used, instead of IPv4 being required. Closes <#4011>
…creating subusers (#4416)
Co-authored-by: DaneEveritt <dane@daneeveritt.com>
Co-authored-by: DaneEveritt <dane@daneeveritt.com>
…5176) This PR closes Issue #5175. For context, I am aware that Application API Keys are deprecated in favour of Client API Keys however they are still operational within Pterodactyl and thus, not fully removed. Currently in Pterodactyl, as an Admin, you can only view your Application API Keys on the Admin Panel. In this PR, I made it so all Application Keys are visible and deletable. The key strings are obfuscated if the key does not belong to the user viewing.  The reason for adding this is primarily so other admin users can be aware of and delete another admin user's Application API keys from the UI. This functionality is useful in the event of a malicious user compromising an admin account, creating some API Keys to continue their attacks and the owner of the compromised admin account being unaware of Application API Keys. In this instance, even after a password reset, the attack could continue via the Application API without the admin realising it. I've tested the creation and deleting of keys along with using keys via the Application API to ensure no breakages have occurred. --------- Co-authored-by: DaneEveritt <dane@daneeveritt.com>
…ckups/transfers (#5476) Improves the security posture of things more by limiting the servers that a node can even communicate about with the Panel.
… deletion (#5568) This expands upon previous work done to better disconnect users from SFTP when different events occur within Pterodactyl. This new logic also accounts for password changes and their account being deleted entirely from the system. These events now trigger background jobs that will reach out to every node they are associated with to ensure they're disconnected if currently connected.
Very minor changes, just adding some default headers in the event people don't configure this on their webserver. Also updating some packages to resolve open security alerts.
#5548) This is a partial implementation to begin moving towards stripe-style identifiers for resources in the system. Any models with an existing `uuid` column can easily be updated to return an identifier in the format of `prfx_xyz` where `prfx` is a four character prefix, and `xyz` is the UUID, encoded using base-32. These are quite easy to use within the API layer because we just need to do one quick transformation to extract the UUID for those models. This PR implements that logic for servers in the `SubstituteClientBindings` logic. A future PR will need to come through and handle identifiers for models that _don't_ currently use UUIDs for reference that we want to expose to clients. In those cases it is easier to just generate base-32 encoded UUID7s that get stored in the database and indexed. They follow the same base approach, but you don't need to do any transformations in the code (other than stripping the prefix, unless we decide to store the prefix). There is also now a `PTERODACTYL_USE_SERVER_IDENTIFIERS` environment variable, that when set to true, updates the front-end and API response to use this new identifier in place of the `uuidShort` value.
This minor change removes the deprecated `version` property from the Docker Compose file to avoid the warning when running it, aligning it with current best practices and recommendations.
This change reverts changes that were made to the traits (direct and inherited) to RunTaskJob in https://github.com/pterodactyl/panel/pull/5568/changes#diff-772e8e2cf1167529b09210b934e9c0ec4fe12d99c35317f293d504aaee5cb95c Closes #5600
) - Fixes issue where the panel would create activity logs even when the value didn't change - Log an empty string instead of displaying "null" when the variable is empty Closes #5604
…hat have been showing up since the v1.12.0 update (#5324)
Update paper egg to use new fill API and add Java 25
This change applies a rate limit to account email changes to prevent enumeration on the system. The throttle is applied at the account level. Administrators can still update an account's email address manually to bypass this restriction if/when necessary.
Adding java 25 to the MC eggs, as needed for the newest versions.
Necessary for proper token identification on Wings.
The API key creation endpoint checks that a user has fewer than 25 keys
before creating a new one. The problem is that the count was read from
an eager-loaded collection (`$user->apiKeys->count()`) with no lock
held, so concurrent requests could both pass the check and each create a
key, pushing the user past the 25-key cap.
The fix wraps the count check and key creation in a single database
transaction with `lockForUpdate()` on the query. Only one request at a
time can evaluate and modify the count, closing the race window.
### Proof of Concept
Run this in the browser console while authenticated with a user that has
24 API keys:
```js
(async () => {
const makeKey = (desc) => fetch('/api/client/account/api-keys', {
method: 'POST',
headers: {
'Accept': 'application/json',
'Content-Type': 'application/json',
'X-Requested-With': 'XMLHttpRequest',
'X-XSRF-TOKEN':
decodeURIComponent(document.cookie.match(/XSRF-TOKEN=([^;]+)/)[1]),
},
body: JSON.stringify({ description: desc, allowed_ips: [] }),
});
const [r1, r2] = await Promise.all([makeKey('0024'), makeKey('0025')]);
console.log('0024:', r1.status, (await r1.text()).slice(0, 200));
console.log('0025:', r2.status, (await r2.text()).slice(0, 200));
})();
```
On the old code, both requests can return 200 (you may need to run this
a few times to hit the race window). After the fix, the second request
correctly returns a 400 error.
This PR is a minimal change that acquires a lock on the target model's row, rather than calling sharedLock() on the model instance.
fixes #5576 --------- Co-authored-by: MrSoulPenguin <28676680+MrSoulPenguin@users.noreply.github.com>
This simply adds a link to [this page](https://pterodactyl.io/panel/1.0/updating.html) when the panel isn't up to date.
### Description User creation was not properly logged within the action log, neither from sub-user invite or manual user creation. This PR adds the relevant log and includes testing. ### Manual testing scenarios 1. Invite a user within any created server 2. Create a user in the admin 3. Verify both users appear as an action in the action log ### Questions or comments AI was used for secondary testing, QA and code review. No code was written by AI. ### Resolved issues: 1. [x] resolves #5631
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.