misc_pterodactyl-panel/app/Http/Controllers/Auth/LoginCheckpointController.php

<?php

namespace Pterodactyl\Http\Controllers\Auth;

use Carbon\CarbonImmutable;
use Carbon\CarbonInterface;
use Pterodactyl\Models\User;
use Illuminate\Http\JsonResponse;
use PragmaRX\Google2FA\Google2FA;
use Illuminate\Support\Facades\Event;
use Illuminate\Contracts\Encryption\Encrypter;
use Illuminate\Database\Eloquent\ModelNotFoundException;
use Pterodactyl\Events\Auth\ProvidedAuthenticationToken;
use Pterodactyl\Http\Requests\Auth\LoginCheckpointRequest;
use Illuminate\Contracts\Validation\Factory as ValidationFactory;

class LoginCheckpointController extends AbstractLoginController
{
    private const TOKEN_EXPIRED_MESSAGE = 'The authentication token provided has expired, please refresh the page and try again.';

    /**
     * LoginCheckpointController constructor.
     */
    public function __construct(
        private Encrypter $encrypter,
        private Google2FA $google2FA,
        private ValidationFactory $validation
    ) {
        parent::__construct();
    }

    /**
     * Handle a login where the user is required to provide a TOTP authentication
     * token. Once a user has reached this stage it is assumed that they have already
     * provided a valid username and password.
     *
     * @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException
     * @throws \PragmaRX\Google2FA\Exceptions\InvalidCharactersException
     * @throws \PragmaRX\Google2FA\Exceptions\SecretKeyTooShortException
     * @throws \Exception
     * @throws \Illuminate\Validation\ValidationException
     */
    public function __invoke(LoginCheckpointRequest $request): JsonResponse
    {
        if ($this->hasTooManyLoginAttempts($request)) {
            $this->sendLockoutResponse($request);
        }

        $details = $request->session()->get('auth_confirmation_token');
        if (!$this->hasValidSessionData($details)) {
            $this->sendFailedLoginResponse($request, null, self::TOKEN_EXPIRED_MESSAGE);
        }

        if (!hash_equals($request->input('confirmation_token') ?? '', $details['token_value'])) {
            $this->sendFailedLoginResponse($request);
        }

        try {
            /** @var \Pterodactyl\Models\User $user */
            $user = User::query()->findOrFail($details['user_id']);
        } catch (ModelNotFoundException) {
            $this->sendFailedLoginResponse($request, null, self::TOKEN_EXPIRED_MESSAGE);
        }

        // Recovery tokens go through a slightly different pathway for usage.
        if (!is_null($recoveryToken = $request->input('recovery_token'))) {
            if ($this->isValidRecoveryToken($user, $recoveryToken)) {
                Event::dispatch(new ProvidedAuthenticationToken($user, true));

                return $this->sendLoginResponse($user, $request);
            }
        } else {
            $decrypted = $this->encrypter->decrypt($user->totp_secret);

            if ($this->google2FA->verifyKey($decrypted, $request->input('authentication_code') ?? '', config('pterodactyl.auth.2fa.window'))) {
                Event::dispatch(new ProvidedAuthenticationToken($user));

                return $this->sendLoginResponse($user, $request);
            }
        }

        $this->sendFailedLoginResponse($request, $user, !empty($recoveryToken) ? 'The recovery token provided is not valid.' : null);
    }

    /**
     * Determines if a given recovery token is valid for the user account. If we find a matching token
     * it will be deleted from the database.
     *
     * @throws \Exception
     */
    protected function isValidRecoveryToken(User $user, string $value): bool
    {
        foreach ($user->recoveryTokens as $token) {
            if (password_verify($value, $token->token)) {
                $token->delete();

                return true;
            }
        }

        return false;
    }

    /**
     * Determines if the data provided from the session is valid or not. This
     * will return false if the data is invalid, or if more time has passed than
     * was configured when the session was written.
     */
    protected function hasValidSessionData(array $data): bool
    {
        $validator = $this->validation->make($data, [
            'user_id' => 'required|integer|min:1',
            'token_value' => 'required|string',
            'expires_at' => 'required',
        ]);

        if ($validator->fails()) {
            return false;
        }

        if (!$data['expires_at'] instanceof CarbonInterface) {
            return false;
        }

        if ($data['expires_at']->isBefore(CarbonImmutable::now())) {
            return false;
        }

        return true;
    }
}
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00			`<?php`

			`namespace Pterodactyl\Http\Controllers\Auth;`

Fix security vulnerability when authenticating a two-factor authentication token for a user See associated security advisory for technical details on the content of this security fix. GHSA ID: GHSA-5vfx-8w6m-h3v4 2021-09-21 21:30:08 -07:00			`use Carbon\CarbonImmutable;`
Run cs-fix, ensure we only install dependency versions supporting 7.4+ 2022-05-04 19:01:29 -04:00			`use Carbon\CarbonInterface;`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 14:46:10 -07:00			`use Pterodactyl\Models\User;`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00			`use Illuminate\Http\JsonResponse;`
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00			`use PragmaRX\Google2FA\Google2FA;`
Add activity logging for authentication events 2022-05-28 17:03:58 -04:00			`use Illuminate\Support\Facades\Event;`
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00			`use Illuminate\Contracts\Encryption\Encrypter;`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 14:46:10 -07:00			`use Illuminate\Database\Eloquent\ModelNotFoundException;`
Add activity logging for authentication events 2022-05-28 17:03:58 -04:00			`use Pterodactyl\Events\Auth\ProvidedAuthenticationToken;`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00			`use Pterodactyl\Http\Requests\Auth\LoginCheckpointRequest;`
Fix security vulnerability when authenticating a two-factor authentication token for a user See associated security advisory for technical details on the content of this security fix. GHSA ID: GHSA-5vfx-8w6m-h3v4 2021-09-21 21:30:08 -07:00			`use Illuminate\Contracts\Validation\Factory as ValidationFactory;`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00
			`class LoginCheckpointController extends AbstractLoginController`
			`{`
Fix security vulnerability when authenticating a two-factor authentication token for a user See associated security advisory for technical details on the content of this security fix. GHSA ID: GHSA-5vfx-8w6m-h3v4 2021-09-21 21:30:08 -07:00			`private const TOKEN_EXPIRED_MESSAGE = 'The authentication token provided has expired, please refresh the page and try again.';`
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00
			`/**`
			`* LoginCheckpointController constructor.`
			`*/`
Upgrade to Laravel 9 (#4413) Co-authored-by: DaneEveritt <dane@daneeveritt.com> 2022-10-14 10:59:20 -06:00			`public function __construct(`
			`private Encrypter $encrypter,`
			`private Google2FA $google2FA,`
			`private ValidationFactory $validation`
			`) {`
Fix security vulnerability when authenticating a two-factor authentication token for a user See associated security advisory for technical details on the content of this security fix. GHSA ID: GHSA-5vfx-8w6m-h3v4 2021-09-21 21:30:08 -07:00			`parent::__construct();`
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00			`}`

Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00			`/**`
			`* Handle a login where the user is required to provide a TOTP authentication`
Cleanup login/reset functionality, address security issue with 2FA pathways 2018-04-07 16:17:51 -05:00			`* token. Once a user has reached this stage it is assumed that they have already`
			`* provided a valid username and password.`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00			`*`
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00			`* @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException`
			`* @throws \PragmaRX\Google2FA\Exceptions\InvalidCharactersException`
			`* @throws \PragmaRX\Google2FA\Exceptions\SecretKeyTooShortException`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 14:46:10 -07:00			`* @throws \Exception`
			`* @throws \Illuminate\Validation\ValidationException`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00			`*/`
Working login form with password reset functionality. 2018-04-08 15:18:13 -05:00			`public function __invoke(LoginCheckpointRequest $request): JsonResponse`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00			`{`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 14:46:10 -07:00			`if ($this->hasTooManyLoginAttempts($request)) {`
			`$this->sendLockoutResponse($request);`
			`}`
Fix 2FA handling; closes #1962 2020-04-25 13:01:16 -07:00
Fix security vulnerability when authenticating a two-factor authentication token for a user See associated security advisory for technical details on the content of this security fix. GHSA ID: GHSA-5vfx-8w6m-h3v4 2021-09-21 21:30:08 -07:00			`$details = $request->session()->get('auth_confirmation_token');`
			`if (!$this->hasValidSessionData($details)) {`
			`$this->sendFailedLoginResponse($request, null, self::TOKEN_EXPIRED_MESSAGE);`
			`}`

			`if (!hash_equals($request->input('confirmation_token') ?? '', $details['token_value'])) {`
			`$this->sendFailedLoginResponse($request);`
			`}`

Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00			`try {`
Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-02 23:01:02 -07:00			`/** @var \Pterodactyl\Models\User $user */`
Fix security vulnerability when authenticating a two-factor authentication token for a user See associated security advisory for technical details on the content of this security fix. GHSA ID: GHSA-5vfx-8w6m-h3v4 2021-09-21 21:30:08 -07:00			`$user = User::query()->findOrFail($details['user_id']);`
Upgrade to Laravel 9 (#4413) Co-authored-by: DaneEveritt <dane@daneeveritt.com> 2022-10-14 10:59:20 -06:00			`} catch (ModelNotFoundException) {`
Fix security vulnerability when authenticating a two-factor authentication token for a user See associated security advisory for technical details on the content of this security fix. GHSA ID: GHSA-5vfx-8w6m-h3v4 2021-09-21 21:30:08 -07:00			`$this->sendFailedLoginResponse($request, null, self::TOKEN_EXPIRED_MESSAGE);`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 14:46:10 -07:00			`}`
Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-02 23:01:02 -07:00
[security] add login throttling to the 2FA verification endpoint 2020-10-17 14:46:10 -07:00			`// Recovery tokens go through a slightly different pathway for usage.`
Use more standardized phpcs 2021-01-23 12:33:34 -08:00			`if (!is_null($recoveryToken = $request->input('recovery_token'))) {`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 14:46:10 -07:00			`if ($this->isValidRecoveryToken($user, $recoveryToken)) {`
Add activity logging for authentication events 2022-05-28 17:03:58 -04:00			`Event::dispatch(new ProvidedAuthenticationToken($user, true));`

[security] add login throttling to the 2FA verification endpoint 2020-10-17 14:46:10 -07:00			`return $this->sendLoginResponse($user, $request);`
Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-02 23:01:02 -07:00			`}`
			`} else {`
			`$decrypted = $this->encrypter->decrypt($user->totp_secret);`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00
chore: add phpstan static analysis minimum (#4511) 2022-11-28 11:56:03 -05:00			`if ($this->google2FA->verifyKey($decrypted, $request->input('authentication_code') ?? '', config('pterodactyl.auth.2fa.window'))) {`
Add activity logging for authentication events 2022-05-28 17:03:58 -04:00			`Event::dispatch(new ProvidedAuthenticationToken($user));`

Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-02 23:01:02 -07:00			`return $this->sendLoginResponse($user, $request);`
			`}`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00			`}`

Fix security vulnerability when authenticating a two-factor authentication token for a user See associated security advisory for technical details on the content of this security fix. GHSA ID: GHSA-5vfx-8w6m-h3v4 2021-09-21 21:30:08 -07:00			`$this->sendFailedLoginResponse($request, $user, !empty($recoveryToken) ? 'The recovery token provided is not valid.' : null);`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00			`}`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 14:46:10 -07:00
			`/**`
			`* Determines if a given recovery token is valid for the user account. If we find a matching token`
			`* it will be deleted from the database.`
			`*`
			`* @throws \Exception`
			`*/`
Upgrade to Laravel 9 (#4413) Co-authored-by: DaneEveritt <dane@daneeveritt.com> 2022-10-14 10:59:20 -06:00			`protected function isValidRecoveryToken(User $user, string $value): bool`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 14:46:10 -07:00			`{`
			`foreach ($user->recoveryTokens as $token) {`
			`if (password_verify($value, $token->token)) {`
			`$token->delete();`

			`return true;`
			`}`
			`}`

			`return false;`
			`}`
Fix security vulnerability when authenticating a two-factor authentication token for a user See associated security advisory for technical details on the content of this security fix. GHSA ID: GHSA-5vfx-8w6m-h3v4 2021-09-21 21:30:08 -07:00
			`/**`
			`* Determines if the data provided from the session is valid or not. This`
			`* will return false if the data is invalid, or if more time has passed than`
			`* was configured when the session was written.`
			`*/`
			`protected function hasValidSessionData(array $data): bool`
			`{`
			`$validator = $this->validation->make($data, [`
			`'user_id' => 'required\|integer\|min:1',`
			`'token_value' => 'required\|string',`
			`'expires_at' => 'required',`
			`]);`

			`if ($validator->fails()) {`
			`return false;`
			`}`

			`if (!$data['expires_at'] instanceof CarbonInterface) {`
			`return false;`
			`}`

			`if ($data['expires_at']->isBefore(CarbonImmutable::now())) {`
			`return false;`
			`}`

			`return true;`
			`}`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00			`}`