misc_pterodactyl-panel/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php

<?php

namespace Pterodactyl\Http\Controllers\Api\Remote;

use Illuminate\Http\Request;
use Illuminate\Http\JsonResponse;
use Pterodactyl\Models\Permission;
use Pterodactyl\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\ThrottlesLogins;
use Pterodactyl\Repositories\Eloquent\UserRepository;
use Pterodactyl\Exceptions\Http\HttpForbiddenException;
use Pterodactyl\Repositories\Eloquent\ServerRepository;
use Pterodactyl\Services\Servers\GetUserPermissionsService;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Pterodactyl\Http\Requests\Api\Remote\SftpAuthenticationFormRequest;

class SftpAuthenticationController extends Controller
{
    use ThrottlesLogins;

    /**
     * @var \Pterodactyl\Repositories\Eloquent\UserRepository
     */
    private $userRepository;

    /**
     * @var \Pterodactyl\Repositories\Eloquent\ServerRepository
     */
    private $serverRepository;

    /**
     * @var \Pterodactyl\Services\Servers\GetUserPermissionsService
     */
    private $permissionsService;

    /**
     * SftpController constructor.
     *
     * @param \Pterodactyl\Services\Servers\GetUserPermissionsService $permissionsService
     * @param \Pterodactyl\Repositories\Eloquent\UserRepository $userRepository
     * @param \Pterodactyl\Repositories\Eloquent\ServerRepository $serverRepository
     */
    public function __construct(
        GetUserPermissionsService $permissionsService,
        UserRepository $userRepository,
        ServerRepository $serverRepository
    ) {
        $this->userRepository = $userRepository;
        $this->serverRepository = $serverRepository;
        $this->permissionsService = $permissionsService;
    }

    /**
     * Authenticate a set of credentials and return the associated server details
     * for a SFTP connection on the daemon.
     *
     * @param \Pterodactyl\Http\Requests\Api\Remote\SftpAuthenticationFormRequest $request
     * @return \Illuminate\Http\JsonResponse
     *
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
     */
    public function __invoke(SftpAuthenticationFormRequest $request): JsonResponse
    {
        // Reverse the string to avoid issues with usernames that contain periods.
        $parts = explode('.', strrev($request->input('username')), 2);

        // Unreverse the strings after parsing them apart.
        $connection = [
            'username' => strrev(array_get($parts, 1)),
            'server' => strrev(array_get($parts, 0)),
        ];

        $this->incrementLoginAttempts($request);
        if ($this->hasTooManyLoginAttempts($request)) {
            return JsonResponse::create([
                'error' => 'Too many logins attempted too quickly.',
            ], JsonResponse::HTTP_TOO_MANY_REQUESTS);
        }

        /** @var \Pterodactyl\Models\Node $node */
        $node = $request->attributes->get('node');
        if (empty($connection['server'])) {
            throw new NotFoundHttpException;
        }

        /** @var \Pterodactyl\Models\User $user */
        $user = $this->userRepository->findFirstWhere([
            ['username', '=', $connection['username']],
        ]);

        $server = $this->serverRepository->getByUuid($connection['server'] ?? '');
        if (! password_verify($request->input('password'), $user->password) || $server->node_id !== $node->id) {
            throw new HttpForbiddenException(
                'Authorization credentials were not correct, please try again.'
            );
        }

        if (! $user->root_admin && $server->owner_id !== $user->id) {
            $permissions = $this->permissionsService->handle($server, $user);

            if (! in_array(Permission::ACTION_FILE_SFTP, $permissions)) {
                throw new HttpForbiddenException(
                    'You do not have permission to access SFTP for this server.'
                );
            }
        }

        // Remeber, for security purposes, only reveal the existence of the server to people that
        // have provided valid credentials, and have permissions to know about it.
        if ($server->installed !== 1 || $server->suspended) {
            throw new BadRequestHttpException(
                'Server is not installed or is currently suspended.'
            );
        }

        return JsonResponse::create([
            'server' => $server->uuid,
            // Deprecated, but still needed at the moment for Wings.
            'token' => '',
            'permissions' => $permissions ?? ['*'],
        ]);
    }

    /**
     * Get the throttle key for the given request.
     *
     * @param \Illuminate\Http\Request $request
     * @return string
     */
    protected function throttleKey(Request $request)
    {
        $username = explode('.', strrev($request->input('username', '')));

        return strtolower(strrev($username[0] ?? '') . '|' . $request->ip());
    }
}