misc_pterodactyl-panel/app/Http/Controllers/Auth/LoginController.php

<?php

namespace Pterodactyl\Http\Controllers\Auth;

use Illuminate\Http\Request;
use Illuminate\Http\JsonResponse;
use Illuminate\Contracts\View\View;
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;

class LoginController extends AbstractLoginController
{
    /**
     * Handle all incoming requests for the authentication routes and render the
     * base authentication view component. Vuejs will take over at this point and
     * turn the login area into a SPA.
     *
     * @return \Illuminate\Contracts\View\View
     */
    public function index(): View
    {
        return view('templates/auth.core');
    }

    /**
     * Handle a login request to the application.
     *
     * @param \Illuminate\Http\Request $request
     * @return \Illuminate\Http\JsonResponse
     *
     * @throws \Pterodactyl\Exceptions\DisplayException
     * @throws \Illuminate\Validation\ValidationException
     */
    public function login(Request $request): JsonResponse
    {
        $username = $request->input('user');
        $useColumn = $this->getField($username);

        if ($this->hasTooManyLoginAttempts($request)) {
            $this->fireLockoutEvent($request);
            $this->sendLockoutResponse($request);
        }

        try {
            $user = $this->repository->findFirstWhere([[$useColumn, '=', $username]]);
        } catch (RecordNotFoundException $exception) {
            return $this->sendFailedLoginResponse($request);
        }

        // Ensure that the account is using a valid username and password before trying to
        // continue. Previously this was handled in the 2FA checkpoint, however that has
        // a flaw in which you can discover if an account exists simply by seeing if you
        // can proceede to the next step in the login process.
        if (! password_verify($request->input('password'), $user->password)) {
            return $this->sendFailedLoginResponse($request, $user);
        }

        if ($user->use_totp) {
            $token = str_random(64);
            $this->cache->put($token, ['user_id' => $user->id, 'valid_credentials' => true], 5);

            return redirect()->route('auth.totp')->with('authentication_token', $token);
        }

        $this->auth->guard()->login($user, true);

        return $this->sendLoginResponse($user, $request);
    }

    /**
     * Handle a TOTP implementation page.
     *
     * @param \Illuminate\Http\Request $request
     * @return \Illuminate\Http\RedirectResponse|\Illuminate\View\View
     */
    public function totp(Request $request)
    {
        $token = $request->session()->get('authentication_token');
        if (is_null($token) || $this->auth->guard()->user()) {
            return redirect()->route('auth.login');
        }

        return view('auth.totp', ['verify_key' => $token]);
    }

    /**
     * Handle a login where the user is required to provide a TOTP authentication
     * token.
     *
     * @param \Illuminate\Http\Request $request
     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\Response
     *
     * @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException
     * @throws \PragmaRX\Google2FA\Exceptions\InvalidCharactersException
     * @throws \PragmaRX\Google2FA\Exceptions\SecretKeyTooShortException
     * @throws \Pterodactyl\Exceptions\DisplayException
     */
    public function loginUsingTotp(Request $request)
    {
        if (is_null($request->input('verify_token'))) {
            return $this->sendFailedLoginResponse($request);
        }

        try {
            $cache = $this->cache->pull($request->input('verify_token'), []);
            $user = $this->repository->find(array_get($cache, 'user_id', 0));
        } catch (RecordNotFoundException $exception) {
            return $this->sendFailedLoginResponse($request);
        }

        if (is_null($request->input('2fa_token'))) {
            return $this->sendFailedLoginResponse($request, $user);
        }

        if (! $this->google2FA->verifyKey(
            $this->encrypter->decrypt($user->totp_secret),
            $request->input('2fa_token'),
            $this->config->get('pterodactyl.auth.2fa.window')
        )) {
            return $this->sendFailedLoginResponse($request, $user);
        }

        // If the user is using 2FA we do not actually log them in at this step, we return
        // a one-time token to link the 2FA credentials to this account via the UI.
        if ($user->use_totp) {
            $token = str_random(128);
            $this->cache->put($token, [
                'user_id' => $user->id,
                'request_ip' => $request->ip(),
            ], 5);

            return response()->json([
                'complete' => false,
                'login_token' => $token,
            ]);
        }

        return $this->sendLoginResponse($user, $request);
    }
}
Initial Commit of Files PufferPanel v0.9 (Laravel) is now Pterodactyl 1.0 2015-12-06 18:58:49 +00:00			`<?php`

Apply fixes from StyleCI 2016-12-07 22:46:38 +00:00			`namespace Pterodactyl\Http\Controllers\Auth;`
Initial Commit of Files PufferPanel v0.9 (Laravel) is now Pterodactyl 1.0 2015-12-06 18:58:49 +00:00
			`use Illuminate\Http\Request;`
Get a working rough copy of the login page 2018-04-01 22:46:16 +00:00			`use Illuminate\Http\JsonResponse;`
Finalize login page! 2018-04-08 20:46:32 +00:00			`use Illuminate\Contracts\View\View;`
Push updates to login page, mostly UI enhancements. 2017-11-18 21:09:58 +00:00			`use Pterodactyl\Exceptions\Repository\RecordNotFoundException;`
Update to Laravel 5.3 [BREAKING] — REMOVES REMOTE API A new API will need to be implemented properly using the new Laravel Passport OAuth2 system. DingoAPI was becoming too unstable and development wasn’t really moving along enough to continue to rely on it. 2016-09-03 21:09:00 +00:00
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00			`class LoginController extends AbstractLoginController`
Initial Commit of Files PufferPanel v0.9 (Laravel) is now Pterodactyl 1.0 2015-12-06 18:58:49 +00:00			`{`
Finalize login page! 2018-04-08 20:46:32 +00:00			`/**`
			`* Handle all incoming requests for the authentication routes and render the`
			`* base authentication view component. Vuejs will take over at this point and`
			`* turn the login area into a SPA.`
			`*`
			`* @return \Illuminate\Contracts\View\View`
			`*/`
			`public function index(): View`
			`{`
			`return view('templates/auth.core');`
			`}`

Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-11 02:58:17 +00:00			`/**`
			`* Handle a login request to the application.`
			`*`
Massive PHPCS linting 2017-08-22 03:10:48 +00:00			`* @param \Illuminate\Http\Request $request`
Get a working rough copy of the login page 2018-04-01 22:46:16 +00:00			`* @return \Illuminate\Http\JsonResponse`
Update to Laravel 5.5 (#814) 2017-12-17 19:07:38 +00:00			`*`
Get a working rough copy of the login page 2018-04-01 22:46:16 +00:00			`* @throws \Pterodactyl\Exceptions\DisplayException`
Update to Laravel 5.5 (#814) 2017-12-17 19:07:38 +00:00			`* @throws \Illuminate\Validation\ValidationException`
Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-11 02:58:17 +00:00			`*/`
Get a working rough copy of the login page 2018-04-01 22:46:16 +00:00			`public function login(Request $request): JsonResponse`
Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-11 02:58:17 +00:00			`{`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00			`$username = $request->input('user');`
Push updates to login page, mostly UI enhancements. 2017-11-18 21:09:58 +00:00			`$useColumn = $this->getField($username);`
Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-11 02:58:17 +00:00
Improved login controller func. for 2FA, throws Failed event correctly now 2017-04-14 18:33:15 +00:00			`if ($this->hasTooManyLoginAttempts($request)) {`
Update to Laravel 5.3 [BREAKING] — REMOVES REMOTE API A new API will need to be implemented properly using the new Laravel Passport OAuth2 system. DingoAPI was becoming too unstable and development wasn’t really moving along enough to continue to rely on it. 2016-09-03 21:09:00 +00:00			`$this->fireLockoutEvent($request);`
Update to Laravel 5.5 (#814) 2017-12-17 19:07:38 +00:00			`$this->sendLockoutResponse($request);`
Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-11 02:58:17 +00:00			`}`

Push updates to login page, mostly UI enhancements. 2017-11-18 21:09:58 +00:00			`try {`
			`$user = $this->repository->findFirstWhere([[$useColumn, '=', $username]]);`
			`} catch (RecordNotFoundException $exception) {`
Update to Laravel 5.3 [BREAKING] — REMOVES REMOTE API A new API will need to be implemented properly using the new Laravel Passport OAuth2 system. DingoAPI was becoming too unstable and development wasn’t really moving along enough to continue to rely on it. 2016-09-03 21:09:00 +00:00			`return $this->sendFailedLoginResponse($request);`
Fix authentication handler Check email & password before token to handle case where email is invalid. 2015-12-14 02:30:57 +00:00			`}`

Cleanup login/reset functionality, address security issue with 2FA pathways 2018-04-07 21:17:51 +00:00			`// Ensure that the account is using a valid username and password before trying to`
			`// continue. Previously this was handled in the 2FA checkpoint, however that has`
			`// a flaw in which you can discover if an account exists simply by seeing if you`
			`// can proceede to the next step in the login process.`
			`if (! password_verify($request->input('password'), $user->password)) {`
			`return $this->sendFailedLoginResponse($request, $user);`
			`}`

Improved login controller func. for 2FA, throws Failed event correctly now 2017-04-14 18:33:15 +00:00			`if ($user->use_totp) {`
			`$token = str_random(64);`
Don't expose existence of account when an incorrect password is provided and the user has 2FA enabled 2019-06-22 04:39:24 +00:00			`$this->cache->put($token, ['user_id' => $user->id, 'valid_credentials' => true], 5);`
Push updates to login page, mostly UI enhancements. 2017-11-18 21:09:58 +00:00
			`return redirect()->route('auth.totp')->with('authentication_token', $token);`
Improved login controller func. for 2FA, throws Failed event correctly now 2017-04-14 18:33:15 +00:00			`}`
Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-11 02:58:17 +00:00
Don't expose existence of account when an incorrect password is provided and the user has 2FA enabled 2019-06-22 04:39:24 +00:00			`$this->auth->guard()->login($user, true);`
Improved login controller func. for 2FA, throws Failed event correctly now 2017-04-14 18:33:15 +00:00
Merge branch 'release/v0.7.14' into feature/react 2019-06-22 19:28:44 +00:00			`return $this->sendLoginResponse($user, $request);`
Better 2FA implementation on logins 2017-02-02 03:58:48 +00:00			`}`

Update doc blocks for all app/ 2017-03-19 23:36:50 +00:00			`/**`
			`* Handle a TOTP implementation page.`
			`*`
Massive PHPCS linting 2017-08-22 03:10:48 +00:00			`* @param \Illuminate\Http\Request $request`
Update doc blocks for all app/ 2017-03-19 23:36:50 +00:00			`* @return \Illuminate\Http\RedirectResponse\|\Illuminate\View\View`
			`*/`
Better 2FA implementation on logins 2017-02-02 03:58:48 +00:00			`public function totp(Request $request)`
			`{`
Improved login controller func. for 2FA, throws Failed event correctly now 2017-04-14 18:33:15 +00:00			`$token = $request->session()->get('authentication_token');`
Push updates to login page, mostly UI enhancements. 2017-11-18 21:09:58 +00:00			`if (is_null($token) \|\| $this->auth->guard()->user()) {`
Better 2FA implementation on logins 2017-02-02 03:58:48 +00:00			`return redirect()->route('auth.login');`
			`}`
Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-11 02:58:17 +00:00
Push updates to login page, mostly UI enhancements. 2017-11-18 21:09:58 +00:00			`return view('auth.totp', ['verify_key' => $token]);`
Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-11 02:58:17 +00:00			`}`

Update doc blocks for all app/ 2017-03-19 23:36:50 +00:00			`/**`
Push updates to login page, mostly UI enhancements. 2017-11-18 21:09:58 +00:00			`* Handle a login where the user is required to provide a TOTP authentication`
Don't expose existence of account when an incorrect password is provided and the user has 2FA enabled 2019-06-22 04:39:24 +00:00			`* token.`
Update doc blocks for all app/ 2017-03-19 23:36:50 +00:00			`*`
Massive PHPCS linting 2017-08-22 03:10:48 +00:00			`* @param \Illuminate\Http\Request $request`
Push updates to login page, mostly UI enhancements. 2017-11-18 21:09:58 +00:00			`* @return \Illuminate\Http\RedirectResponse\|\Illuminate\Http\Response`
Merge branch 'release/v0.7.14' into feature/react 2019-06-22 19:28:44 +00:00			`*`
Don't expose existence of account when an incorrect password is provided and the user has 2FA enabled 2019-06-22 04:39:24 +00:00			`* @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException`
			`* @throws \PragmaRX\Google2FA\Exceptions\InvalidCharactersException`
			`* @throws \PragmaRX\Google2FA\Exceptions\SecretKeyTooShortException`
Merge branch 'release/v0.7.14' into feature/react 2019-06-22 19:28:44 +00:00			`* @throws \Pterodactyl\Exceptions\DisplayException`
Update doc blocks for all app/ 2017-03-19 23:36:50 +00:00			`*/`
Push updates to login page, mostly UI enhancements. 2017-11-18 21:09:58 +00:00			`public function loginUsingTotp(Request $request)`
Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-11 02:58:17 +00:00			`{`
Better 2FA implementation on logins 2017-02-02 03:58:48 +00:00			`if (is_null($request->input('verify_token'))) {`
Improved login controller func. for 2FA, throws Failed event correctly now 2017-04-14 18:33:15 +00:00			`return $this->sendFailedLoginResponse($request);`
			`}`
Better 2FA implementation on logins 2017-02-02 03:58:48 +00:00
Push updates to login page, mostly UI enhancements. 2017-11-18 21:09:58 +00:00			`try {`
			`$cache = $this->cache->pull($request->input('verify_token'), []);`
			`$user = $this->repository->find(array_get($cache, 'user_id', 0));`
			`} catch (RecordNotFoundException $exception) {`
			`return $this->sendFailedLoginResponse($request);`
Better 2FA implementation on logins 2017-02-02 03:58:48 +00:00			`}`

Don't expose existence of account when an incorrect password is provided and the user has 2FA enabled 2019-06-22 04:39:24 +00:00			`if (is_null($request->input('2fa_token'))) {`
Push updates to login page, mostly UI enhancements. 2017-11-18 21:09:58 +00:00			`return $this->sendFailedLoginResponse($request, $user);`
Improved login controller func. for 2FA, throws Failed event correctly now 2017-04-14 18:33:15 +00:00			`}`
Better 2FA implementation on logins 2017-02-02 03:58:48 +00:00
Push updates to login page, mostly UI enhancements. 2017-11-18 21:09:58 +00:00			`if (! $this->google2FA->verifyKey(`
			`$this->encrypter->decrypt($user->totp_secret),`
			`$request->input('2fa_token'),`
			`$this->config->get('pterodactyl.auth.2fa.window')`
			`)) {`
			`return $this->sendFailedLoginResponse($request, $user);`
Better 2FA implementation on logins 2017-02-02 03:58:48 +00:00			`}`

Cleanup login/reset functionality, address security issue with 2FA pathways 2018-04-07 21:17:51 +00:00			`// If the user is using 2FA we do not actually log them in at this step, we return`
			`// a one-time token to link the 2FA credentials to this account via the UI.`
Improved login controller func. for 2FA, throws Failed event correctly now 2017-04-14 18:33:15 +00:00			`if ($user->use_totp) {`
Get a working rough copy of the login page 2018-04-01 22:46:16 +00:00			`$token = str_random(128);`
			`$this->cache->put($token, [`
			`'user_id' => $user->id,`
			`'request_ip' => $request->ip(),`
			`], 5);`

Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`return response()->json([`
			`'complete' => false,`
			`'login_token' => $token,`
			`]);`
Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-11 02:58:17 +00:00			`}`
Improved login controller func. for 2FA, throws Failed event correctly now 2017-04-14 18:33:15 +00:00
Fix JWT handling for API access when logging in 2018-05-28 21:59:48 +00:00			`return $this->sendLoginResponse($user, $request);`
fix #363 2017-03-31 23:58:05 +00:00			`}`
Initial Commit of Files PufferPanel v0.9 (Laravel) is now Pterodactyl 1.0 2015-12-06 18:58:49 +00:00			`}`