Update SFTP authentication endpoint to support returning user public keys

app/Http/Controllers/Api/Remote/SftpAuthenticationController.php

@@ -2,94 +2,133 @@
 
 namespace Pterodactyl\Http\Controllers\Api\Remote;
 
+use Pterodactyl\Models\User;
 use Illuminate\Http\Request;
+use Pterodactyl\Models\Server;
 use Illuminate\Http\JsonResponse;
 use Pterodactyl\Models\Permission;
 use Pterodactyl\Http\Controllers\Controller;
 use Illuminate\Foundation\Auth\ThrottlesLogins;
-use Pterodactyl\Repositories\Eloquent\UserRepository;
 use Pterodactyl\Exceptions\Http\HttpForbiddenException;
-use Pterodactyl\Repositories\Eloquent\ServerRepository;
 use Pterodactyl\Services\Servers\GetUserPermissionsService;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Pterodactyl\Http\Requests\Api\Remote\SftpAuthenticationFormRequest;
 use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
 
-class SftpAuthenticationController extends Controller
+abstract class SftpAuthenticationController extends Controller
 {
     use ThrottlesLogins;
 
-    /**
+    protected GetUserPermissionsService $permissions;
-     * @var \Pterodactyl\Repositories\Eloquent\UserRepository
-     */
-    private $userRepository;
 
-    /**
+    public function __construct(GetUserPermissionsService $permissions)
-     * @var \Pterodactyl\Repositories\Eloquent\ServerRepository
+    {
-     */
+        $this->permissions = $permissions;
-    private $serverRepository;
-
-    /**
-     * @var \Pterodactyl\Services\Servers\GetUserPermissionsService
-     */
-    private $permissionsService;
-
-    /**
-     * SftpController constructor.
-     */
-    public function __construct(
-        GetUserPermissionsService $permissionsService,
-        UserRepository $userRepository,
-        ServerRepository $serverRepository
-    ) {
-        $this->userRepository = $userRepository;
-        $this->serverRepository = $serverRepository;
-        $this->permissionsService = $permissionsService;
     }
 
     /**
      * Authenticate a set of credentials and return the associated server details
      * for a SFTP connection on the daemon.
-     *
-     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
      */
     public function __invoke(SftpAuthenticationFormRequest $request): JsonResponse
+    {
+        $connection = $this->parseUsername($request->input('username'));
+
+        $this->validateRequestState($request);
+
+        $user = $this->getUser($request, $connection['username']);
+        $server = $this->getServer($request, $connection['server']);
+
+        if ($request->input('type') !== 'public_key') {
+            if (!password_verify($request->input('password'), $user->password)) {
+                $this->reject($request);
+            }
+        }
+
+        $this->validateSftpAccess($user, $server);
+
+        return new JsonResponse([
+            'server' => $server->uuid,
+            'public_keys' => $user->sshKeys->map(fn ($value) => $value->public_key)->toArray(),
+            'permissions' => $permissions ?? ['*'],
+        ]);
+    }
+
+    /**
+     * Finds the server being requested and ensures that it belongs to the node this
+     * request stems from.
+     */
+    protected function getServer(Request $request, string $uuid): Server
+    {
+        return Server::query()
+            ->where(fn ($builder) => $builder->where('uuid', $uuid)->orWhere('uuidShort', $uuid))
+            ->where('node_id', $request->attributes->get('node')->id)
+            ->firstOr(function () use ($request) {
+                $this->reject($request);
+            });
+    }
+
+    /**
+     * Finds a user with the given username or increments the login attempts.
+     */
+    protected function getUser(Request $request, string $username): User
+    {
+        return User::query()->where('username', $username)->firstOr(function () use ($request) {
+            $this->reject($request);
+        });
+    }
+
+    /**
+     * Parses the username provided to the request.
+     *
+     * @return array{"username": string, "server": string}
+     */
+    protected function parseUsername(string $value): array
     {
         // Reverse the string to avoid issues with usernames that contain periods.
-        $parts = explode('.', strrev($request->input('username')), 2);
+        $parts = explode('.', strrev($value), 2);
 
         // Unreverse the strings after parsing them apart.
-        $connection = [
+        return [
             'username' => strrev(array_get($parts, 1)),
             'server' => strrev(array_get($parts, 0)),
         ];
+    }
 
+    /**
+     * Checks that the request should not be throttled yet, and that the server was
+     * provided in the username.
+     */
+    protected function validateRequestState(Request $request): void
+    {
         if ($this->hasTooManyLoginAttempts($request)) {
             $seconds = $this->limiter()->availableIn($this->throttleKey($request));
 
             throw new TooManyRequestsHttpException($seconds, "Too many login attempts for this account, please try again in {$seconds} seconds.");
         }
 
-        /** @var \Pterodactyl\Models\Node $node */
-        $node = $request->attributes->get('node');
         if (empty($connection['server'])) {
             throw new NotFoundHttpException();
         }
+    }
 
-        /** @var \Pterodactyl\Models\User $user */
+    /**
-        $user = $this->userRepository->findFirstWhere([
+     * Rejects the request and increments the login attempts.
-            ['username', '=', $connection['username']],
+     */
-        ]);
+    protected function reject(Request $request): void
+    {
+        $this->incrementLoginAttempts($request);
 
-        $server = $this->serverRepository->getByUuid($connection['server'] ?? '');
+        throw new HttpForbiddenException('Authorization credentials were not correct, please try again.');
-        if (!password_verify($request->input('password'), $user->password) || $server->node_id !== $node->id) {
+    }
-            $this->incrementLoginAttempts($request);
-
-            throw new HttpForbiddenException('Authorization credentials were not correct, please try again.');
-        }
 
+    /**
+     * Validates that a user should have permission to use SFTP for the given server.
+     */
+    protected function validateSftpAccess(User $user, Server $server): void
+    {
         if (!$user->root_admin && $server->owner_id !== $user->id) {
-            $permissions = $this->permissionsService->handle($server, $user);
+            $permissions = $this->permissions->handle($server, $user);
 
             if (!in_array(Permission::ACTION_FILE_SFTP, $permissions)) {
                 throw new HttpForbiddenException('You do not have permission to access SFTP for this server.');
@@ -97,13 +136,6 @@ class SftpAuthenticationController extends Controller
         }
 
         $server->validateCurrentState();
-
-        return new JsonResponse([
-            'server' => $server->uuid,
-            // Deprecated, but still needed at the moment for Wings.
-            'token' => '',
-            'permissions' => $permissions ?? ['*'],
-        ]);
     }
 
     /**

app/Http/Requests/Api/Remote/SftpAuthenticationFormRequest.php

@@ -2,6 +2,7 @@
 
 namespace Pterodactyl\Http\Requests\Api\Remote;
 
+use Illuminate\Validation\Rule;
 use Illuminate\Foundation\Http\FormRequest;
 
 class SftpAuthenticationFormRequest extends FormRequest
@@ -24,8 +25,11 @@ class SftpAuthenticationFormRequest extends FormRequest
     public function rules()
     {
         return [
-            'username' => 'required|string',
+            'type' => ['nullable', 'in:password,public_key'],
-            'password' => 'required|string',
+            'username' => ['required', 'string'],
+            'password' => [
+                Rule::when(fn () => $this->input('type') !== 'public_key', ['required', 'string'], ['nullable']),
+            ],
         ];
     }