Finalize two-factor handling on account.

This commit is contained in:
Dane Everitt 2018-06-20 23:05:35 -07:00
parent 0cc895f2d5
commit 7711b697ad
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
13 changed files with 299 additions and 137 deletions

View file

@ -3,6 +3,7 @@
namespace Pterodactyl\Http\Controllers\Base;
use Illuminate\Http\Request;
use Illuminate\Http\JsonResponse;
use Prologue\Alerts\AlertsMessageBag;
use Pterodactyl\Http\Controllers\Controller;
use Pterodactyl\Services\Users\TwoFactorSetupService;
@ -62,36 +63,28 @@ class SecurityController extends Controller
}
/**
* Returns Security Management Page.
*
* @param \Illuminate\Http\Request $request
* @return \Illuminate\View\View
*/
public function index(Request $request)
{
if ($this->config->get('session.driver') === 'database') {
$activeSessions = $this->repository->getUserSessions($request->user()->id);
}
return view('base.security', [
'sessions' => $activeSessions ?? null,
]);
}
/**
* Generates TOTP Secret and returns popup data for user to verify
* that they can generate a valid response.
* Return information about the user's two-factor authentication status. If not enabled setup their
* secret and return information to allow the user to proceede with setup.
*
* @param \Illuminate\Http\Request $request
* @return \Illuminate\Http\JsonResponse
*
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
*/
public function generateTotp(Request $request)
public function index(Request $request): JsonResponse
{
return response()->json([
'qrImage' => $this->twoFactorSetupService->handle($request->user()),
if ($request->user()->use_totp) {
return JsonResponse::create([
'enabled' => true,
]);
}
$response = $this->twoFactorSetupService->handle($request->user());
return JsonResponse::create([
'enabled' => false,
'qr_image' => $response->get('image'),
'secret' => $response->get('secret'),
]);
}
@ -99,53 +92,43 @@ class SecurityController extends Controller
* Verifies that 2FA token received is valid and will work on the account.
*
* @param \Illuminate\Http\Request $request
* @return \Illuminate\Http\Response
* @return \Illuminate\Http\JsonResponse
*
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
*/
public function setTotp(Request $request)
public function store(Request $request): JsonResponse
{
try {
$this->toggleTwoFactorService->handle($request->user(), $request->input('token') ?? '');
return response('true');
} catch (TwoFactorAuthenticationTokenInvalid $exception) {
return response('false');
$error = true;
}
return JsonResponse::create([
'success' => ! isset($error),
]);
}
/**
* Disables TOTP on an account.
*
* @param \Illuminate\Http\Request $request
* @return \Illuminate\Http\RedirectResponse
* @return \Illuminate\Http\JsonResponse
*
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
*/
public function disableTotp(Request $request)
public function delete(Request $request): JsonResponse
{
try {
$this->toggleTwoFactorService->handle($request->user(), $request->input('token') ?? '', false);
} catch (TwoFactorAuthenticationTokenInvalid $exception) {
$this->alert->danger(trans('base.security.2fa_disable_error'))->flash();
$error = true;
}
return redirect()->route('account.security');
}
/**
* Revokes a user session.
*
* @param \Illuminate\Http\Request $request
* @param string $id
* @return \Illuminate\Http\RedirectResponse
*/
public function revoke(Request $request, string $id)
{
$this->repository->deleteUserSession($request->user()->id, $id);
return redirect()->route('account.security');
return JsonResponse::create([
'success' => ! isset($error),
]);
}
}

View file

@ -11,17 +11,12 @@ namespace Pterodactyl\Services\Users;
use Pterodactyl\Models\User;
use PragmaRX\Google2FA\Google2FA;
use Illuminate\Support\Collection;
use Illuminate\Contracts\Encryption\Encrypter;
use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
use Illuminate\Contracts\Config\Repository as ConfigRepository;
class TwoFactorSetupService
{
/**
* @var \Illuminate\Contracts\Config\Repository
*/
private $config;
/**
* @var \Illuminate\Contracts\Encryption\Encrypter
*/
@ -40,18 +35,15 @@ class TwoFactorSetupService
/**
* TwoFactorSetupService constructor.
*
* @param \Illuminate\Contracts\Config\Repository $config
* @param \Illuminate\Contracts\Encryption\Encrypter $encrypter
* @param \PragmaRX\Google2FA\Google2FA $google2FA
* @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $repository
*/
public function __construct(
ConfigRepository $config,
Encrypter $encrypter,
Google2FA $google2FA,
UserRepositoryInterface $repository
) {
$this->config = $config;
$this->encrypter = $encrypter;
$this->google2FA = $google2FA;
$this->repository = $repository;
@ -62,20 +54,23 @@ class TwoFactorSetupService
* QR code image.
*
* @param \Pterodactyl\Models\User $user
* @return string
* @return \Illuminate\Support\Collection
*
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
*/
public function handle(User $user): string
public function handle(User $user): Collection
{
$secret = $this->google2FA->generateSecretKey($this->config->get('pterodactyl.auth.2fa.bytes'));
$image = $this->google2FA->getQRCodeGoogleUrl($this->config->get('app.name'), $user->email, $secret);
$secret = $this->google2FA->generateSecretKey(config('pterodactyl.auth.2fa.bytes'));
$image = $this->google2FA->getQRCodeGoogleUrl(config('app.name'), $user->email, $secret);
$this->repository->withoutFreshModel()->update($user->id, [
'totp_secret' => $this->encrypter->encrypt($secret),
]);
return $image;
return new Collection([
'image' => $image,
'secret' => $secret,
]);
}
}

View file

@ -3,7 +3,7 @@
<navigation/>
<div class="container animate fadein mt-2 sm:mt-6">
<modal :show="modalVisible" v-on:close="modalVisible = false">
<TwoFactorAuthentication/>
<TwoFactorAuthentication v-on:close="modalVisible = false"/>
</modal>
<flash container="mt-2 sm:mt-6 mb-2"/>
<div class="flex flex-wrap">
@ -11,7 +11,7 @@
<div class="sm:m-4 md:ml-0">
<update-email class="mb-4 sm:mb-8"/>
<div class="content-box text-center mb-4 sm:mb-0">
<button class="btn btn-green btn-sm" type="submit" v-on:click="modalVisible = true">Configure 2-Factor Authentication</button>
<button class="btn btn-green btn-sm" type="submit" v-on:click="openModal">Configure 2-Factor Authentication</button>
</div>
</div>
</div>
@ -39,5 +39,11 @@
modalVisible: false,
};
},
methods: {
openModal: function () {
this.$data.modalVisible = true;
window.events.$emit('two_factor:open');
},
}
};
</script>

View file

@ -2,26 +2,26 @@
<div>
<form method="post" v-on:submit.prevent="submitForm">
<div class="content-box">
<h2 class="mb-6 text-grey-darkest font-medium">Change your password</h2>
<h2 class="mb-6 text-grey-darkest font-medium">{{ $t('dashboard.account.password.title') }}</h2>
<div class="mt-6">
<label for="grid-password-current" class="input-label">Current password</label>
<label for="grid-password-current" class="input-label">{{ $t('strings.password') }}</label>
<input id="grid-password-current" name="current_password" type="password" class="input" required
ref="current"
v-model="current"
>
</div>
<div class="mt-6">
<label for="grid-password-new" class="input-label">New password</label>
<label for="grid-password-new" class="input-label">{{ $t('strings.new_password') }}</label>
<input id="grid-password-new" name="password" type="password" class="input" required
:class="{ error: errors.has('password') }"
v-model="newPassword"
v-validate="'min:8'"
>
<p class="input-help error" v-show="errors.has('password')">{{ errors.first('password') }}</p>
<p class="input-help">Your new password should be at least 8 characters in length.</p>
<p class="input-help">{{ $t('dashboard.account.password.requirements') }}</p>
</div>
<div class="mt-6">
<label for="grid-password-new-confirm" class="input-label">Confirm new password</label>
<label for="grid-password-new-confirm" class="input-label">{{ $t('strings.confirm_password') }}</label>
<input id="grid-password-new-confirm" name="password_confirmation" type="password" class="input" required
:class="{ error: errors.has('password_confirmation') }"
v-model="confirmNew"
@ -31,7 +31,7 @@
<p class="input-help error" v-show="errors.has('password_confirmation')">{{ errors.first('password_confirmation') }}</p>
</div>
<div class="mt-6 text-right">
<button class="btn btn-blue btn-sm text-right" type="submit">Save</button>
<button class="btn btn-blue btn-sm text-right" type="submit">{{ $t('strings.save') }}</button>
</div>
</div>
</form>
@ -68,7 +68,7 @@
this.$data.newPassword = '';
this.$data.confirmNew = '';
this.success('Your password has been updated.');
this.success(this.$t('dashboard.account.password.updated'));
})
.catch(err => {
if (!err.response) {

View file

@ -1,11 +1,191 @@
<template>
<div>
Todo: put the 2FA magic here!
<div class="h-16 text-center" v-show="spinner">
<span class="spinner spinner-xl text-blue"></span>
</div>
<div v-if="response.enabled" v-show="!spinner">
<h2 class="font-medium text-grey-darkest">{{ $t('dashboard.account.two_factor.disable.title') }}</h2>
<div class="mt-6">
<label class="input-label" for="grid-two-factor-token-disable">{{ $t('dashboard.account.two_factor.disable.field') }}</label>
<input id="grid-two-factor-token-disable" type="number" class="input"
name="token"
v-model="token"
ref="token"
v-validate="'length:6'"
:class="{ error: errors.has('token') }"
>
<p class="input-help error" v-show="errors.has('token')">{{ errors.first('token') }}</p>
</div>
<div class="mt-6 w-full text-right">
<button class="btn btn-sm btn-secondary mr-4" v-on:click="$emit('close')">
Cancel
</button>
<button class="btn btn-sm btn-red" type="submit"
:disabled="submitDisabled"
v-on:click.prevent="disableTwoFactor"
>{{ $t('strings.disable') }}</button>
</div>
</div>
<div v-else v-show="!spinner">
<h2 class="font-medium text-grey-darkest">{{ $t('dashboard.account.two_factor.setup.title') }}</h2>
<div class="flex mt-6">
<div class="flex-none w-full sm:w-1/2 text-center">
<div>
<img :src="response.qr_image" alt="Two-factor qr image" class="w-3/4">
</div>
<div>
<p class="text-xs text-grey-darker mb-2">{{ $t('dashboard.account.two_factor.setup.help') }}</p>
<p class="text-xs"><code>{{response.secret}}</code></p>
</div>
</div>
<div class="flex-none w-full sm:w-1/2">
<div>
<label class="input-label" for="grid-two-factor-token">{{ $t('dashboard.account.two_factor.setup.field') }}</label>
<input id="grid-two-factor-token" type="number" class="input"
name="token"
v-model="token"
ref="token"
v-validate="'length:6'"
:class="{ error: errors.has('token') }"
>
<p class="input-help error" v-show="errors.has('token')">{{ errors.first('token') }}</p>
</div>
<div class="mt-6">
<button class="btn btn-blue btn-jumbo" type="submit"
:disabled="submitDisabled"
v-on:click.prevent="enableTwoFactor"
>{{ $t('strings.enable') }}</button>
</div>
</div>
</div>
</div>
</div>
</template>
<script>
import Vue from 'vue';
import isObject from 'lodash/isObject';
export default {
name: 'TwoFactorAuthentication'
name: 'TwoFactorAuthentication',
data: function () {
return {
spinner: true,
token: '',
submitDisabled: true,
response: {
enabled: false,
qr_image: '',
secret: '',
},
};
},
/**
* Before the component is mounted setup the event listener. This event is fired when a user
* presses the 'Configure 2-Factor' button on their account page. Once this happens we fire off
* a HTTP request to get their information.
*/
mounted: function () {
window.events.$on('two_factor:open', () => {
this.prepareModalContent();
});
},
watch: {
token: function (value) {
this.$data.submitDisabled = value.length !== 6;
},
},
methods: {
/**
* Determine the correct content to show in the modal.
*/
prepareModalContent: function () {
// Reset the data object when the modal is opened again.
Object.assign(this.$data, this.$options.data());
window.axios.get(this.route('account.two_factor'))
.finally(() => {
this.clearFlashes();
})
.then(response => {
this.$data.response = response.data;
this.$data.spinner = false;
Vue.nextTick().then(() => {
this.$refs.token.focus();
})
})
.catch(error => {
if (!error.response) {
this.error(error.message);
}
const response = error.response;
if (response.data && isObject(response.data.errors)) {
response.data.errors.forEach(e => {
this.error(e.detail);
});
}
this.$emit('close');
});
},
/**
* Enable two-factor authentication on the account by validating the token provided by the user.
* Close the modal once the request completes so that the success or error message can be shown
* to the user.
*/
enableTwoFactor: function () {
return this._callInternalApi('account.two_factor.enable', 'enabled');
},
/**
* Disables two-factor authentication for the client account and closes the modal.
*/
disableTwoFactor: function () {
return this._callInternalApi('account.two_factor.disable', 'disabled');
},
/**
* Call the Panel API endpoint and handle errors.
*
* @param {String} route
* @param {String} langKey
* @private
*/
_callInternalApi: function (route, langKey) {
window.axios.post(this.route(route), {
token: this.$data.token,
})
.finally(() => {
this.clearFlashes();
})
.then(response => {
if (response.data.success) {
this.success(this.$t(`dashboard.account.two_factor.${langKey}`));
} else {
this.error(this.$t('dashboard.account.two_factor.invalid'));
}
})
.catch(error => {
if (!error.response) {
this.error(error.message);
}
const response = error.response;
if (response.data && isObject(response.data.errors)) {
response.data.errors.forEach(e => {
this.error(e.detail);
});
}
})
.finally(() => {
this.$emit('close');
})
}
},
};
</script>

View file

@ -2,9 +2,9 @@
<div :class>
<form method="post" v-on:submit.prevent="submitForm">
<div class="content-box">
<h2 class="mb-6 text-grey-darkest font-medium">Update your email</h2>
<h2 class="mb-6 text-grey-darkest font-medium">{{ $t('dashboard.account.email.title') }}</h2>
<div>
<label for="grid-email" class="input-label">Email address</label>
<label for="grid-email" class="input-label">{{ $t('strings.email_address') }}</label>
<input id="grid-email" name="email" type="email" class="input" required
:class="{ error: errors.has('email') }"
v-validate
@ -13,13 +13,13 @@
<p class="input-help error" v-show="errors.has('email')">{{ errors.first('email') }}</p>
</div>
<div class="mt-6">
<label for="grid-password" class="input-label">Password</label>
<label for="grid-password" class="input-label">{{ $t('strings.password') }}</label>
<input id="grid-password" name="password" type="password" class="input" required
v-model="password"
>
</div>
<div class="mt-6 text-right">
<button class="btn btn-blue btn-sm text-right" type="submit">Save</button>
<button class="btn btn-blue btn-sm text-right" type="submit">{{ $t('strings.save') }}</button>
</div>
</div>
</form>
@ -57,7 +57,7 @@
this.$data.password = '';
})
.then(() => {
this.success('Your email address has been updated.');
this.success(this.$t('dashboard.account.email.updated'));
})
.catch(error => {
if (!error.response) {
@ -79,7 +79,3 @@
}
};
</script>
<style scoped>
</style>

View file

@ -20,6 +20,14 @@
}
}
&.btn-red {
@apply .bg-red .border-red-dark .border .text-white;
&:hover:enabled {
@apply .bg-red-dark .border-red-darker;
}
}
&.btn-secondary {
@apply .border .border-grey-light .text-grey-dark;

View file

@ -2,6 +2,16 @@ textarea, select, input, button {
outline: none;
}
input[type=number]::-webkit-outer-spin-button,
input[type=number]::-webkit-inner-spin-button {
-webkit-appearance: none !important;
margin: 0;
}
input[type=number] {
-moz-appearance: textfield !important;
}
/**
* Styles for the login form open input boxes. Label floats up above it when content
* is input and then sinks back down into the field if left empty.

View file

@ -31,11 +31,11 @@
/**
* Spinner Colors
*/
&.blue:after {
&.blue:after, &.text-blue:after {
@apply .border-blue;
}
&.white:after {
&.white:after, &.text-white:after {
@apply .border-white;
}

View file

@ -54,35 +54,4 @@ return [
],
],
],
'account' => [
'details_updated' => 'Your account details have been successfully updated.',
'invalid_password' => 'The password provided for your account was not valid.',
'header' => 'Your Account',
'header_sub' => 'Manage your account details.',
'update_pass' => 'Update Password',
'update_email' => 'Update Email Address',
'current_password' => 'Current Password',
'new_password' => 'New Password',
'new_password_again' => 'Repeat New Password',
'new_email' => 'New Email Address',
'first_name' => 'First Name',
'last_name' => 'Last Name',
'update_identity' => 'Update Identity',
'username_help' => 'Your username must be unique to your account, and may only contain the following characters: :requirements.',
],
'security' => [
'session_mgmt_disabled' => 'Your host has not enabled the ability to manage account sessions via this interface.',
'header' => 'Account Security',
'header_sub' => 'Control active sessions and 2-Factor Authentication.',
'sessions' => 'Active Sessions',
'2fa_header' => '2-Factor Authentication',
'2fa_token_help' => 'Enter the 2FA Token generated by your app (Google Authenticator, Authy, etc.).',
'disable_2fa' => 'Disable 2-Factor Authentication',
'2fa_enabled' => '2-Factor Authentication is enabled on this account and will be required in order to login to the panel. If you would like to disable 2FA, simply enter a valid token below and submit the form.',
'2fa_disabled' => '2-Factor Authentication is disabled on your account! You should enable 2FA in order to add an extra level of protection on your account.',
'enable_2fa' => 'Enable 2-Factor Authentication',
'2fa_qr' => 'Configure 2FA on Your Device',
'2fa_checkpoint_help' => 'Use the 2FA application on your phone to take a picture of the QR code to the left, or manually enter the code under it. Once you have done so, generate a token and enter it below.',
'2fa_disable_error' => 'The 2FA token provided was not valid. Protection has not been disabled for this account.',
],
];

View file

@ -0,0 +1,28 @@
<?php
return [
'email' => [
'title' => 'Update your email',
'updated' => 'Your email address has been updated.',
],
'password' => [
'title' => 'Change your password',
'requirements' => 'Your new password should be at least 8 characters in length.',
'updated' => 'Your password has been updated.',
],
'two_factor' => [
'button' => 'Configure 2-Factor Authentication',
'disabled' => 'Two-factor authentication has been disabled on your account. You will no longer be prompted to provide a token when logging in.',
'enabled' => 'Two-factor authentication has been enabled on your account! From now on, when logging in, you will be required to provide the code generated by your device.',
'invalid' => 'The token provided was invalid.',
'setup' => [
'title' => 'Setup two-factor authentication',
'help' => 'Can\'t scan the code? Enter the code below into your application:',
'field' => 'Enter token',
],
'disable' => [
'title' => 'Disable two-factor authentication',
'field' => 'Enter token',
],
],
];

View file

@ -2,9 +2,11 @@
return [
'email' => 'Email',
'email_address' => 'Email address',
'user_identifier' => 'Username or Email',
'password' => 'Password',
'confirm_password' => 'Confirm Password',
'new_password' => 'New password',
'confirm_password' => 'Confirm new password',
'login' => 'Login',
'home' => 'Home',
'servers' => 'Servers',
@ -85,7 +87,8 @@ return [
'sat' => 'Saturday',
],
'last_used' => 'Last Used',
// Copyright Line
'enable' => 'Enable',
'disable' => 'Disable',
'save' => 'Save',
'copyright' => '&copy; 2015 - :year Pterodactyl Software',
];

View file

@ -1,11 +1,5 @@
<?php
/**
* Pterodactyl - Panel
* Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
*
* This software is licensed under the terms of the MIT license.
* https://opensource.org/licenses/MIT
*/
Route::get('/', 'IndexController@index')->name('index');
/*
@ -16,11 +10,6 @@ Route::get('/', 'IndexController@index')->name('index');
| Endpoint: /account
|
*/
//Route::group(['prefix' => 'account'], function () {
// Route::get('/', 'AccountController@index')->name('account');
//
// Route::post('/', 'AccountController@update');
//});
/*
|--------------------------------------------------------------------------
@ -47,15 +36,10 @@ Route::group(['prefix' => 'account/api'], function () {
| Endpoint: /account/security
|
*/
Route::group(['prefix' => 'account/security'], function () {
Route::get('/', 'SecurityController@index')->name('account.security');
Route::get('/revoke/{id}', 'SecurityController@revoke')->name('account.security.revoke');
Route::put('/totp', 'SecurityController@generateTotp')->name('account.security.totp');
Route::post('/totp', 'SecurityController@setTotp')->name('account.security.totp.set');
Route::delete('/totp', 'SecurityController@disableTotp')->name('account.security.totp.disable');
Route::group(['prefix' => 'account/two_factor'], function () {
Route::get('/', 'SecurityController@index')->name('account.two_factor');
Route::post('/totp', 'SecurityController@store')->name('account.two_factor.enable');
Route::post('/totp/disable', 'SecurityController@delete')->name('account.two_factor.disable');
});
// Catch any other combinations of routes and pass them off to the Vuejs component.