misc_pterodactyl-panel/app/Http/Controllers/Auth/LoginCheckpointController.php

<?php

namespace Pterodactyl\Http\Controllers\Auth;

use Pterodactyl\Models\User;
use Illuminate\Auth\AuthManager;
use Illuminate\Http\JsonResponse;
use PragmaRX\Google2FA\Google2FA;
use Illuminate\Contracts\Config\Repository;
use Illuminate\Contracts\Encryption\Encrypter;
use Illuminate\Database\Eloquent\ModelNotFoundException;
use Pterodactyl\Http\Requests\Auth\LoginCheckpointRequest;
use Illuminate\Contracts\Cache\Repository as CacheRepository;
use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
use Pterodactyl\Repositories\Eloquent\RecoveryTokenRepository;

class LoginCheckpointController extends AbstractLoginController
{
    /**
     * @var \Illuminate\Contracts\Cache\Repository
     */
    private $cache;

    /**
     * @var \Pterodactyl\Contracts\Repository\UserRepositoryInterface
     */
    private $repository;

    /**
     * @var \PragmaRX\Google2FA\Google2FA
     */
    private $google2FA;

    /**
     * @var \Illuminate\Contracts\Encryption\Encrypter
     */
    private $encrypter;

    /**
     * @var \Pterodactyl\Repositories\Eloquent\RecoveryTokenRepository
     */
    private $recoveryTokenRepository;

    /**
     * LoginCheckpointController constructor.
     */
    public function __construct(
        AuthManager $auth,
        Encrypter $encrypter,
        Google2FA $google2FA,
        Repository $config,
        CacheRepository $cache,
        RecoveryTokenRepository $recoveryTokenRepository,
        UserRepositoryInterface $repository
    ) {
        parent::__construct($auth, $config);

        $this->google2FA = $google2FA;
        $this->cache = $cache;
        $this->repository = $repository;
        $this->encrypter = $encrypter;
        $this->recoveryTokenRepository = $recoveryTokenRepository;
    }

    /**
     * Handle a login where the user is required to provide a TOTP authentication
     * token. Once a user has reached this stage it is assumed that they have already
     * provided a valid username and password.
     *
     * @return \Illuminate\Http\JsonResponse|void
     *
     * @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException
     * @throws \PragmaRX\Google2FA\Exceptions\InvalidCharactersException
     * @throws \PragmaRX\Google2FA\Exceptions\SecretKeyTooShortException
     * @throws \Exception
     * @throws \Illuminate\Validation\ValidationException
     */
    public function __invoke(LoginCheckpointRequest $request): JsonResponse
    {
        if ($this->hasTooManyLoginAttempts($request)) {
            $this->sendLockoutResponse($request);
        }

        $token = $request->input('confirmation_token');
        try {
            /** @var \Pterodactyl\Models\User $user */
            $user = User::query()->findOrFail($this->cache->get($token, 0));
        } catch (ModelNotFoundException $exception) {
            $this->incrementLoginAttempts($request);

            return $this->sendFailedLoginResponse(
                $request,
                null,
                'The authentication token provided has expired, please refresh the page and try again.'
            );
        }

        // Recovery tokens go through a slightly different pathway for usage.
        if (!is_null($recoveryToken = $request->input('recovery_token'))) {
            if ($this->isValidRecoveryToken($user, $recoveryToken)) {
                return $this->sendLoginResponse($user, $request);
            }
        } else {
            $decrypted = $this->encrypter->decrypt($user->totp_secret);

            if ($this->google2FA->verifyKey($decrypted, (string) $request->input('authentication_code') ?? '', config('pterodactyl.auth.2fa.window'))) {
                $this->cache->delete($token);

                return $this->sendLoginResponse($user, $request);
            }
        }

        $this->incrementLoginAttempts($request);

        return $this->sendFailedLoginResponse($request, $user, !empty($recoveryToken) ? 'The recovery token provided is not valid.' : null);
    }

    /**
     * Determines if a given recovery token is valid for the user account. If we find a matching token
     * it will be deleted from the database.
     *
     * @return bool
     *
     * @throws \Exception
     */
    protected function isValidRecoveryToken(User $user, string $value)
    {
        foreach ($user->recoveryTokens as $token) {
            if (password_verify($value, $token->token)) {
                $token->delete();

                return true;
            }
        }

        return false;
    }
}
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00			`<?php`

			`namespace Pterodactyl\Http\Controllers\Auth;`

[security] add login throttling to the 2FA verification endpoint 2020-10-17 21:46:10 +00:00			`use Pterodactyl\Models\User;`
Finish authentication flow for 2FA 2019-06-22 20:33:11 +00:00			`use Illuminate\Auth\AuthManager;`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00			`use Illuminate\Http\JsonResponse;`
Finish authentication flow for 2FA 2019-06-22 20:33:11 +00:00			`use PragmaRX\Google2FA\Google2FA;`
			`use Illuminate\Contracts\Config\Repository;`
			`use Illuminate\Contracts\Encryption\Encrypter;`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 21:46:10 +00:00			`use Illuminate\Database\Eloquent\ModelNotFoundException;`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00			`use Pterodactyl\Http\Requests\Auth\LoginCheckpointRequest;`
Finish authentication flow for 2FA 2019-06-22 20:33:11 +00:00			`use Illuminate\Contracts\Cache\Repository as CacheRepository;`
			`use Pterodactyl\Contracts\Repository\UserRepositoryInterface;`
Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-03 06:01:02 +00:00			`use Pterodactyl\Repositories\Eloquent\RecoveryTokenRepository;`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00
			`class LoginCheckpointController extends AbstractLoginController`
			`{`
Finish authentication flow for 2FA 2019-06-22 20:33:11 +00:00			`/**`
			`* @var \Illuminate\Contracts\Cache\Repository`
			`*/`
			`private $cache;`

			`/**`
			`* @var \Pterodactyl\Contracts\Repository\UserRepositoryInterface`
			`*/`
			`private $repository;`

			`/**`
			`* @var \PragmaRX\Google2FA\Google2FA`
			`*/`
			`private $google2FA;`

			`/**`
			`* @var \Illuminate\Contracts\Encryption\Encrypter`
			`*/`
			`private $encrypter;`

Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-03 06:01:02 +00:00			`/**`
			`* @var \Pterodactyl\Repositories\Eloquent\RecoveryTokenRepository`
			`*/`
			`private $recoveryTokenRepository;`

Finish authentication flow for 2FA 2019-06-22 20:33:11 +00:00			`/**`
			`* LoginCheckpointController constructor.`
			`*/`
			`public function __construct(`
			`AuthManager $auth,`
			`Encrypter $encrypter,`
			`Google2FA $google2FA,`
			`Repository $config,`
			`CacheRepository $cache,`
Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-03 06:01:02 +00:00			`RecoveryTokenRepository $recoveryTokenRepository,`
Finish authentication flow for 2FA 2019-06-22 20:33:11 +00:00			`UserRepositoryInterface $repository`
			`) {`
			`parent::__construct($auth, $config);`

			`$this->google2FA = $google2FA;`
			`$this->cache = $cache;`
			`$this->repository = $repository;`
			`$this->encrypter = $encrypter;`
Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-03 06:01:02 +00:00			`$this->recoveryTokenRepository = $recoveryTokenRepository;`
Finish authentication flow for 2FA 2019-06-22 20:33:11 +00:00			`}`

Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00			`/**`
			`* Handle a login where the user is required to provide a TOTP authentication`
Cleanup login/reset functionality, address security issue with 2FA pathways 2018-04-07 21:17:51 +00:00			`* token. Once a user has reached this stage it is assumed that they have already`
			`* provided a valid username and password.`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00			`*`
Fix 2FA handling; closes #1962 2020-04-25 20:01:16 +00:00			`* @return \Illuminate\Http\JsonResponse\|void`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00			`*`
Finish authentication flow for 2FA 2019-06-22 20:33:11 +00:00			`* @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException`
			`* @throws \PragmaRX\Google2FA\Exceptions\InvalidCharactersException`
			`* @throws \PragmaRX\Google2FA\Exceptions\SecretKeyTooShortException`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 21:46:10 +00:00			`* @throws \Exception`
			`* @throws \Illuminate\Validation\ValidationException`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00			`*/`
Working login form with password reset functionality. 2018-04-08 20:18:13 +00:00			`public function __invoke(LoginCheckpointRequest $request): JsonResponse`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00			`{`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 21:46:10 +00:00			`if ($this->hasTooManyLoginAttempts($request)) {`
			`$this->sendLockoutResponse($request);`
			`}`
Fix 2FA handling; closes #1962 2020-04-25 20:01:16 +00:00
[security] add login throttling to the 2FA verification endpoint 2020-10-17 21:46:10 +00:00			`$token = $request->input('confirmation_token');`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00			`try {`
Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-03 06:01:02 +00:00			`/** @var \Pterodactyl\Models\User $user */`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 21:46:10 +00:00			`$user = User::query()->findOrFail($this->cache->get($token, 0));`
			`} catch (ModelNotFoundException $exception) {`
			`$this->incrementLoginAttempts($request);`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00
[security] add login throttling to the 2FA verification endpoint 2020-10-17 21:46:10 +00:00			`return $this->sendFailedLoginResponse(`
Use more standardized phpcs 2021-01-23 20:33:34 +00:00			`$request,`
			`null,`
			`'The authentication token provided has expired, please refresh the page and try again.'`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 21:46:10 +00:00			`);`
			`}`
Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-03 06:01:02 +00:00
[security] add login throttling to the 2FA verification endpoint 2020-10-17 21:46:10 +00:00			`// Recovery tokens go through a slightly different pathway for usage.`
Use more standardized phpcs 2021-01-23 20:33:34 +00:00			`if (!is_null($recoveryToken = $request->input('recovery_token'))) {`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 21:46:10 +00:00			`if ($this->isValidRecoveryToken($user, $recoveryToken)) {`
			`return $this->sendLoginResponse($user, $request);`
Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-03 06:01:02 +00:00			`}`
			`} else {`
			`$decrypted = $this->encrypter->decrypt($user->totp_secret);`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00
Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-03 06:01:02 +00:00			`if ($this->google2FA->verifyKey($decrypted, (string) $request->input('authentication_code') ?? '', config('pterodactyl.auth.2fa.window'))) {`
			`$this->cache->delete($token);`
Fix 2FA handling; closes #1962 2020-04-25 20:01:16 +00:00
Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-03 06:01:02 +00:00			`return $this->sendLoginResponse($user, $request);`
			`}`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00			`}`

[security] add login throttling to the 2FA verification endpoint 2020-10-17 21:46:10 +00:00			`$this->incrementLoginAttempts($request);`

Use more standardized phpcs 2021-01-23 20:33:34 +00:00			`return $this->sendFailedLoginResponse($request, $user, !empty($recoveryToken) ? 'The recovery token provided is not valid.' : null);`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00			`}`
[security] add login throttling to the 2FA verification endpoint 2020-10-17 21:46:10 +00:00
			`/**`
			`* Determines if a given recovery token is valid for the user account. If we find a matching token`
			`* it will be deleted from the database.`
			`*`
			`* @return bool`
			`*`
			`* @throws \Exception`
			`*/`
			`protected function isValidRecoveryToken(User $user, string $value)`
			`{`
			`foreach ($user->recoveryTokens as $token) {`
			`if (password_verify($value, $token->token)) {`
			`$token->delete();`

			`return true;`
			`}`
			`}`

			`return false;`
			`}`
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 17:35:15 +00:00			`}`