Have the panel handle all of the authorization for both public key and password based attempts

app/Http/Controllers/Api/Remote/SftpAuthenticationController.php

@@ -28,7 +28,8 @@ abstract class SftpAuthenticationController extends Controller
 
     /**
      * Authenticate a set of credentials and return the associated server details
-     * for a SFTP connection on the daemon.
+     * for a SFTP connection on the daemon. This supports both public key and password
+     * based credentials.
      */
     public function __invoke(SftpAuthenticationFormRequest $request): JsonResponse
     {
@@ -44,9 +45,7 @@ abstract class SftpAuthenticationController extends Controller
                 $this->reject($request);
             }
         } else {
-            // Start blocking requests when the user has no public keys in the first place —
-            // don't let the user spam this endpoint.
-            if ($user->sshKeys->isEmpty()) {
+            if (!$user->sshKeys()->where('public_key', $request->input('password'))->exists()) {
                 $this->reject($request);
             }
         }

app/Http/Requests/Api/Remote/SftpAuthenticationFormRequest.php

@@ -2,7 +2,6 @@
 
 namespace Pterodactyl\Http\Requests\Api\Remote;
 
-use Illuminate\Validation\Rule;
 use Illuminate\Foundation\Http\FormRequest;
 
 class SftpAuthenticationFormRequest extends FormRequest
@@ -27,9 +26,7 @@ class SftpAuthenticationFormRequest extends FormRequest
         return [
             'type' => ['nullable', 'in:password,public_key'],
             'username' => ['required', 'string'],
-            'password' => [
-                Rule::when(fn () => $this->input('type') !== 'public_key', ['required', 'string'], ['nullable']),
-            ],
+            'password' => ['required', 'string'],
         ];
     }