misc_pterodactyl-panel/app/Http/Controllers/Auth/LoginController.php

<?php

namespace Pterodactyl\Http\Controllers\Auth;

use Carbon\CarbonImmutable;
use Illuminate\Support\Str;
use Illuminate\Http\Request;
use Pterodactyl\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Contracts\View\View;
use LaravelWebauthn\Facades\Webauthn;
use Illuminate\Contracts\View\Factory as ViewFactory;
use Illuminate\Database\Eloquent\ModelNotFoundException;

class LoginController extends AbstractLoginController
{
    private const SESSION_PUBLICKEY_REQUEST = 'webauthn.publicKeyRequest';

    private const METHOD_TOTP = 'totp';
    private const METHOD_WEBAUTHN = 'webauthn';

    private ViewFactory $view;

    /**
     * LoginController constructor.
     */
    public function __construct(ViewFactory $view) {
        parent::__construct();

        $this->view = $view;
    }

    /**
     * Handle all incoming requests for the authentication routes and render the
     * base authentication view component. React will take over at this point and
     * turn the login area into an SPA.
     */
    public function index(): View
    {
        return $this->view->make('templates/auth.core');
    }

    /**
     * Handle a login request to the application.
     *
     * @return \Illuminate\Http\JsonResponse|void
     *
     * @throws \Pterodactyl\Exceptions\DisplayException
     * @throws \Illuminate\Validation\ValidationException
     */
    public function login(Request $request)
    {
        if ($this->hasTooManyLoginAttempts($request)) {
            $this->fireLockoutEvent($request);
            $this->sendLockoutResponse($request);

            return;
        }

        try {
            $username = $request->input('user');

            /** @var \Pterodactyl\Models\User $user */
            $user = User::query()->where($this->getField($username), $username)->firstOrFail();
        } catch (ModelNotFoundException $exception) {
            $this->sendFailedLoginResponse($request);
        }

        // Ensure that the account is using a valid username and password before trying to
        // continue. Previously this was handled in the 2FA checkpoint, however that has
        // a flaw in which you can discover if an account exists simply by seeing if you
        // can proceed to the next step in the login process.
        if (!password_verify($request->input('password'), $user->password)) {
            $this->sendFailedLoginResponse($request, $user);

            return;
        }

        $useTotp = $user->use_totp;
        $webauthnKeys = $user->webauthnKeys()->get();

        if (!$useTotp && count($webauthnKeys) < 1) {
            return $this->sendLoginResponse($user, $request);
        }

        $methods = [];
        if ($useTotp) {
            $methods[] = self::METHOD_TOTP;
        }
        if (count($webauthnKeys) > 0) {
            $methods[] = self::METHOD_WEBAUTHN;
        }

        $token = Str::random(64);

        $request->session()->put('auth_confirmation_token', [
            'user_id' => $user->id,
            'token_value' => $token,
            'expires_at' => CarbonImmutable::now()->addMinutes(5),
        ]);

        $response = [
            'complete' => false,
            'methods' => $methods,
            'confirmation_token' => $token,
        ];

        if (count($webauthnKeys) > 0) {
            $publicKey = Webauthn::getAuthenticateData($user);
            $request->session()->put(self::SESSION_PUBLICKEY_REQUEST, $publicKey);

            $response['webauthn'] = [
                'public_key' => $publicKey,
            ];
        }

        return new JsonResponse($response);
    }
}
Initial Commit of Files PufferPanel v0.9 (Laravel) is now Pterodactyl 1.0 2015-12-06 13:58:49 -05:00			`<?php`

Apply fixes from StyleCI 2016-12-07 22:46:38 +00:00			`namespace Pterodactyl\Http\Controllers\Auth;`
Initial Commit of Files PufferPanel v0.9 (Laravel) is now Pterodactyl 1.0 2015-12-06 13:58:49 -05:00
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`use Carbon\CarbonImmutable;`
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00			`use Illuminate\Support\Str;`
Initial Commit of Files PufferPanel v0.9 (Laravel) is now Pterodactyl 1.0 2015-12-06 13:58:49 -05:00			`use Illuminate\Http\Request;`
Fix security vulnerability when authenticating a two-factor authentication token for a user See associated security advisory for technical details on the content of this security fix. GHSA ID: GHSA-5vfx-8w6m-h3v4 2021-09-21 21:30:08 -07:00			`use Pterodactyl\Models\User;`
Get a working rough copy of the login page 2018-04-01 17:46:16 -05:00			`use Illuminate\Http\JsonResponse;`
Finalize login page! 2018-04-08 15:46:32 -05:00			`use Illuminate\Contracts\View\View;`
webauthn: add controllers and transformers 2021-07-17 11:47:07 -06:00			`use LaravelWebauthn\Facades\Webauthn;`
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00			`use Illuminate\Contracts\View\Factory as ViewFactory;`
Fix security vulnerability when authenticating a two-factor authentication token for a user See associated security advisory for technical details on the content of this security fix. GHSA ID: GHSA-5vfx-8w6m-h3v4 2021-09-21 21:30:08 -07:00			`use Illuminate\Database\Eloquent\ModelNotFoundException;`
Update to Laravel 5.3 [BREAKING] — REMOVES REMOTE API A new API will need to be implemented properly using the new Laravel Passport OAuth2 system. DingoAPI was becoming too unstable and development wasn’t really moving along enough to continue to rely on it. 2016-09-03 17:09:00 -04:00
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00			`class LoginController extends AbstractLoginController`
Initial Commit of Files PufferPanel v0.9 (Laravel) is now Pterodactyl 1.0 2015-12-06 13:58:49 -05:00			`{`
webauthn: add controllers and transformers 2021-07-17 11:47:07 -06:00			`private const SESSION_PUBLICKEY_REQUEST = 'webauthn.publicKeyRequest';`
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00
webauthn: update login flow to support other 2fa methods 2021-07-17 12:48:14 -06:00			`private const METHOD_TOTP = 'totp';`
			`private const METHOD_WEBAUTHN = 'webauthn';`

webauthn: add controllers and transformers 2021-07-17 11:47:07 -06:00			`private ViewFactory $view;`
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00
			`/**`
			`* LoginController constructor.`
			`*/`
Merge branch 'develop' into v2 2021-09-30 16:08:11 -06:00			`public function __construct(ViewFactory $view) {`
Fix security vulnerability when authenticating a two-factor authentication token for a user See associated security advisory for technical details on the content of this security fix. GHSA ID: GHSA-5vfx-8w6m-h3v4 2021-09-21 21:30:08 -07:00			`parent::__construct();`
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00
webauthn: add controllers and transformers 2021-07-17 11:47:07 -06:00			`$this->view = $view;`
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00			`}`

Finalize login page! 2018-04-08 15:46:32 -05:00			`/**`
			`* Handle all incoming requests for the authentication routes and render the`
Merge branch 'develop' into v2 2021-09-30 16:08:11 -06:00			`* base authentication view component. React will take over at this point and`
			`* turn the login area into an SPA.`
Finalize login page! 2018-04-08 15:46:32 -05:00			`*/`
			`public function index(): View`
			`{`
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00			`return $this->view->make('templates/auth.core');`
Finalize login page! 2018-04-08 15:46:32 -05:00			`}`

Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-10 21:58:17 -05:00			`/**`
			`* Handle a login request to the application.`
			`*`
Fix 2FA handling; closes #1962 2020-04-25 13:01:16 -07:00			`* @return \Illuminate\Http\JsonResponse\|void`
Update to Laravel 5.5 (#814) 2017-12-17 13:07:38 -06:00			`*`
Get a working rough copy of the login page 2018-04-01 17:46:16 -05:00			`* @throws \Pterodactyl\Exceptions\DisplayException`
Update to Laravel 5.5 (#814) 2017-12-17 13:07:38 -06:00			`* @throws \Illuminate\Validation\ValidationException`
Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-10 21:58:17 -05:00			`*/`
webauthn: update login flow to support other 2fa methods 2021-07-17 12:48:14 -06:00			`public function login(Request $request)`
Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-10 21:58:17 -05:00			`{`
Improved login controller func. for 2FA, throws Failed event correctly now 2017-04-14 14:33:15 -04:00			`if ($this->hasTooManyLoginAttempts($request)) {`
Update to Laravel 5.3 [BREAKING] — REMOVES REMOTE API A new API will need to be implemented properly using the new Laravel Passport OAuth2 system. DingoAPI was becoming too unstable and development wasn’t really moving along enough to continue to rely on it. 2016-09-03 17:09:00 -04:00			`$this->fireLockoutEvent($request);`
Update to Laravel 5.5 (#814) 2017-12-17 13:07:38 -06:00			`$this->sendLockoutResponse($request);`
Apply php-cs-fixer changes 2021-08-07 16:10:24 -07:00
webauthn: add controllers and transformers 2021-07-17 11:47:07 -06:00			`return;`
Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-10 21:58:17 -05:00			`}`

Push updates to login page, mostly UI enhancements. 2017-11-18 15:09:58 -06:00			`try {`
Fix security vulnerability when authenticating a two-factor authentication token for a user See associated security advisory for technical details on the content of this security fix. GHSA ID: GHSA-5vfx-8w6m-h3v4 2021-09-21 21:30:08 -07:00			`$username = $request->input('user');`

webauthn: add controllers and transformers 2021-07-17 11:47:07 -06:00			`/** @var \Pterodactyl\Models\User $user */`
Fix security vulnerability when authenticating a two-factor authentication token for a user See associated security advisory for technical details on the content of this security fix. GHSA ID: GHSA-5vfx-8w6m-h3v4 2021-09-21 21:30:08 -07:00			`$user = User::query()->where($this->getField($username), $username)->firstOrFail();`
			`} catch (ModelNotFoundException $exception) {`
webauthn: add controllers and transformers 2021-07-17 11:47:07 -06:00			`$this->sendFailedLoginResponse($request);`
Fix authentication handler Check email & password before token to handle case where email is invalid. 2015-12-13 21:30:57 -05:00			`}`

Cleanup login/reset functionality, address security issue with 2FA pathways 2018-04-07 16:17:51 -05:00			`// Ensure that the account is using a valid username and password before trying to`
			`// continue. Previously this was handled in the 2FA checkpoint, however that has`
			`// a flaw in which you can discover if an account exists simply by seeing if you`
webauthn: add controllers and transformers 2021-07-17 11:47:07 -06:00			`// can proceed to the next step in the login process.`
Use more standardized phpcs 2021-01-23 12:33:34 -08:00			`if (!password_verify($request->input('password'), $user->password)) {`
webauthn: add controllers and transformers 2021-07-17 11:47:07 -06:00			`$this->sendFailedLoginResponse($request, $user);`
Apply php-cs-fixer changes 2021-08-07 16:10:24 -07:00
webauthn: add controllers and transformers 2021-07-17 11:47:07 -06:00			`return;`
Cleanup login/reset functionality, address security issue with 2FA pathways 2018-04-07 16:17:51 -05:00			`}`

Merge branch 'develop' into v2 2021-09-30 16:08:11 -06:00			`$useTotp = $user->use_totp;`
webauthn: add controllers and transformers 2021-07-17 11:47:07 -06:00			`$webauthnKeys = $user->webauthnKeys()->get();`

Merge branch 'develop' into v2 2021-09-30 16:08:11 -06:00			`if (!$useTotp && count($webauthnKeys) < 1) {`
			`return $this->sendLoginResponse($user, $request);`
Cleanup login/reset functionality, address security issue with 2FA pathways 2018-04-07 16:17:51 -05:00			`}`

Merge branch 'develop' into v2 2021-09-30 16:08:11 -06:00			`$methods = [];`
			`if ($useTotp) {`
			`$methods[] = self::METHOD_TOTP;`
			`}`
Apply php-cs-fixer changes 2021-08-07 16:10:24 -07:00			`if (count($webauthnKeys) > 0) {`
Merge branch 'develop' into v2 2021-09-30 16:08:11 -06:00			`$methods[] = self::METHOD_WEBAUTHN;`
Improved login controller func. for 2FA, throws Failed event correctly now 2017-04-14 14:33:15 -04:00			`}`
Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-10 21:58:17 -05:00
Merge branch 'develop' into v2 2021-09-30 16:08:11 -06:00			`$token = Str::random(64);`

			`$request->session()->put('auth_confirmation_token', [`
			`'user_id' => $user->id,`
			`'token_value' => $token,`
			`'expires_at' => CarbonImmutable::now()->addMinutes(5),`
			`]);`
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00
Merge branch 'develop' into v2 2021-09-30 16:08:11 -06:00			`$response = [`
			`'complete' => false,`
			`'methods' => $methods,`
			`'confirmation_token' => $token,`
			`];`

			`if (count($webauthnKeys) > 0) {`
webauthn: add controllers and transformers 2021-07-17 11:47:07 -06:00			`$publicKey = Webauthn::getAuthenticateData($user);`
			`$request->session()->put(self::SESSION_PUBLICKEY_REQUEST, $publicKey);`
Merge branch 'develop' into v2 2021-09-30 16:08:11 -06:00
			`$response['webauthn'] = [`
			`'public_key' => $publicKey,`
			`];`
Improved login controller func. for 2FA, throws Failed event correctly now 2017-04-14 14:33:15 -04:00			`}`
Improved TOTp handling in login. Cleaned up the code a bit, also checks TOTP before attemping to verify user. This addresses the potential for an attacker to try at a password and/or confirm that the password is correct unless they have a valid TOTP code for the request. A failed TOTP response will trigger a throttle count on the login as well. 2015-12-10 21:58:17 -05:00
Merge branch 'develop' into v2 2021-09-30 16:08:11 -06:00			`return new JsonResponse($response);`
Better 2FA implementation on logins 2017-02-01 22:58:48 -05:00			`}`
Initial Commit of Files PufferPanel v0.9 (Laravel) is now Pterodactyl 1.0 2015-12-06 13:58:49 -05:00			`}`