From 79f616f7914164c3c6112e5333fcd28418576cd6 Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Sun, 13 Sep 2020 13:54:41 -0700
Subject: [PATCH] Fix authentication lockout when doing multiple SFTP uploads; closes #2221

---
 .../Api/Remote/SftpAuthenticationController.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php b/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php
index fc13c8f29..b62d6e5c1 100644
--- a/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php
+++ b/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php
@@ -14,6 +14,7 @@ use Pterodactyl\Services\Servers\GetUserPermissionsService;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Pterodactyl\Http\Requests\Api\Remote\SftpAuthenticationFormRequest;
+use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
 
 class SftpAuthenticationController extends Controller
 {
@@ -71,11 +72,12 @@ class SftpAuthenticationController extends Controller
 'server' => strrev(array_get($parts, 0)),
 ];
 
- $this->incrementLoginAttempts($request);
 if ($this->hasTooManyLoginAttempts($request)) {
- return JsonResponse::create([
- 'error' => 'Too many logins attempted too quickly.',
- ], JsonResponse::HTTP_TOO_MANY_REQUESTS);
+ $seconds = $this->limiter()->availableIn($this->throttleKey($request));
+
+ throw new TooManyRequestsHttpException(
+ $seconds, "Too many login attempts for this account, please try again in {$seconds} seconds."
+ );
 }
 
 /** @var \Pterodactyl\Models\Node $node */
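Review bot: The throttle check at the top of this hunk now runs before any increment, but the only increment left in the patch sits in the password/node comparison further down, so any failure between the two — the user and server lookups by the split SFTP username, which presumably raise a not-found exception — would never count towards the lockout and username probing would stay unthrottled; those lookup lines are outside this hunk, so confirm whether they throw. If they do, a miss there should also call `$this->incrementLoginAttempts($request);` before the exception propagates, so the counter measures every rejected connection rather than only wrong passwords. `JsonResponse::create` is no longer referenced in this method; if `JsonResponse` has no other use in the file its import can be dropped alongside this change. The enclosing method continues past the end of the hunk.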
@@ -91,6 +93,8 @@ class SftpAuthenticationController extends Controller
 $server = $this->serverRepository->getByUuid($connection['server'] ?? '');
 
 if (! password_verify($request->input('password'), $user->password) || $server->node_id !== $node->id) {
+ $this->incrementLoginAttempts($request);
+
 throw new HttpForbiddenException(
 'Authorization credentials were not correct, please try again.'
 );
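Review bot: Moving the increment into the failure branch means the success path must pair it with `$this->clearLoginAttempts($request);`, otherwise a legitimate user's earlier typos stay on the throttle key and the lockout the commit is fixing can still trigger on a later upload; the success path lies beyond the end of this hunk, so confirm the call is there (Laravel's ThrottlesLogins trait leaves it to the controller). The added line also counts a correct password on the wrong node as a failed attempt, which is a defensible choice but not obvious from the code, so a comment such as `// Wrong password and wrong node both count against the throttle key.` above the increment would record the intent. The enclosing method starts before this hunk.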