From 412ac5ef39589dd48adf61600dca6dc4320f00cc Mon Sep 17 00:00:00 2001
From: DaneEveritt
Date: Sun, 15 May 2022 16:00:08 -0400
Subject: [PATCH] Have the panel handle all of the authorization for both public key and password based attempts
---
 .../Api/Remote/SftpAuthenticationController.php | 7 +++----
 .../Requests/Api/Remote/SftpAuthenticationFormRequest.php | 5 +----
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php b/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php
index 51b02ddf6..3259cd8f3 100644
--- a/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php
+++ b/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php
@@ -28,7 +28,8 @@ abstract class SftpAuthenticationController extends Controller
 /**
 * Authenticate a set of credentials and return the associated server details
- * for a SFTP connection on the daemon.
+ * for a SFTP connection on the daemon. This supports both public key and password
+ * based credentials.
 */
 public function __invoke(SftpAuthenticationFormRequest $request): JsonResponse
 {
@@ -44,9 +45,7 @@ abstract class SftpAuthenticationController extends Controller
 $this->reject($request);
 }
 } else {
- // Start blocking requests when the user has no public keys in the first place —
- // don't let the user spam this endpoint.
- if ($user->sshKeys->isEmpty()) {
+ if (!$user->sshKeys()->where('public_key', $request->input('password'))->exists()) {
 $this->reject($request);
 }
 }
diff --git a/app/Http/Requests/Api/Remote/SftpAuthenticationFormRequest.php b/app/Http/Requests/Api/Remote/SftpAuthenticationFormRequest.php
index bb6ec5be8..f1e06cb3f 100644
--- a/app/Http/Requests/Api/Remote/SftpAuthenticationFormRequest.php
+++ b/app/Http/Requests/Api/Remote/SftpAuthenticationFormRequest.php
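Review bot: In the second hunk of SftpAuthenticationController.php, the public-key branch matches the submitted key by exact string equality, `where('public_key', $request->input('password'))`, so a key that differs from the stored row only in whitespace, line ending or a trailing comment would be rejected; comparing a normalized form or a fingerprint computed the same way on both sides would be more robust. The lookup also shows only that the key is registered to the user, not that the caller holds the private key, and a public key is not a secret, so this branch presumably depends on the daemon having verified the SSH signature before it calls the panel. A comment above the `if` would record both points, e.g. `// 'password' carries the public key here; possession of the private key is verified by the daemon, not the panel.` The body of `__invoke` continues outside the hunk.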
@@ -2,7 +2,6 @@
 namespace Pterodactyl\Http\Requests\Api\Remote;
-use Illuminate\Validation\Rule;
 use Illuminate\Foundation\Http\FormRequest;
 class SftpAuthenticationFormRequest extends FormRequest
@@ -27,9 +26,7 @@ class SftpAuthenticationFormRequest extends FormRequest
 return [
 'type' => ['nullable', 'in:password,public_key'],
 'username' => ['required', 'string'],
- 'password' => [
- Rule::when(fn () => $this->input('type') !== 'public_key', ['required', 'string'], ['nullable']),
- ],
+ 'password' => ['required', 'string'],
 ];
 }
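Review bot: The new rule `'password' => ['required', 'string']` in SftpAuthenticationFormRequest.php puts no upper bound on a field that now carries either a password or a full public key, and the controller passes that value straight into a database lookup. Adding a `max:` rule sized for the largest key the panel accepts would cap it, and a comment such as `// Holds the password, or the public key when type is public_key.` would explain the field name. Because `type` is `nullable`, how a request without `type` is routed is decided in the controller and is not visible here. The enclosing method starts outside the hunk.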