Added support for viewing and deleting of any Application API Keys #5176
+108
−96
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MackenzieMolloy
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR closes Issue #5175.
For context, I am aware that Application API Keys are deprecated in favour of Client API Keys however they are still operational within Pterodactyl and thus, not fully removed.
Currently in Pterodactyl, as an Admin, you can only view your Application API Keys on the Admin Panel. In this PR, I made it so all Application Keys are visible and deletable. The key strings are obfuscated if the key does not belong to the user viewing.
The reason for adding this is primarily so other admin users can be aware of and delete another admin user's Application API keys from the UI. This functionality is useful in the event of a malicious user compromising an admin account, creating some API Keys to continue their attacks and the owner of the compromised admin account being unaware of Application API Keys. In this instance, even after a password reset, the attack could continue via the Application API without the admin realising it.
I've tested the creation and deleting of keys along with using keys via the Application API to ensure no breakages have occurred.