Ensure a created_at value is set on recovery tokens; closes #3163

2021-03-21 10:43:01 -07:00 · 2021-03-21 10:43:01 -07:00 · 8c7d785c9e
commit 8c7d785c9e
parent 983a337fd4
4 changed files with 17 additions and 3 deletions
--- a/app/Exceptions/Service/User/TwoFactorAuthenticationTokenInvalid.php
+++ b/app/Exceptions/Service/User/TwoFactorAuthenticationTokenInvalid.php
@ -6,4 +6,11 @@ use Pterodactyl\Exceptions\DisplayException;

 class TwoFactorAuthenticationTokenInvalid extends DisplayException
 {
+    /**
+     * TwoFactorAuthenticationTokenInvalid constructor.
+     */
+    public function __construct()
+    {
+        parent::__construct('The provided two-factor authentication token was not valid.');
+    }
 }
--- a/app/Http/Controllers/Api/Client/TwoFactorController.php
+++ b/app/Http/Controllers/Api/Client/TwoFactorController.php
@ -72,12 +72,11 @@ class TwoFactorController extends ClientApiController
     *
     * @return \Illuminate\Http\JsonResponse
     *
+     * @throws \Throwable
     * @throws \Illuminate\Validation\ValidationException
     * @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException
     * @throws \PragmaRX\Google2FA\Exceptions\InvalidCharactersException
     * @throws \PragmaRX\Google2FA\Exceptions\SecretKeyTooShortException
-     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
-     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
     * @throws \Pterodactyl\Exceptions\Service\User\TwoFactorAuthenticationTokenInvalid
     */
    public function store(Request $request)
--- a/app/Services/Users/ToggleTwoFactorService.php
+++ b/app/Services/Users/ToggleTwoFactorService.php
@ -74,7 +74,7 @@ class ToggleTwoFactorService
        $isValidToken = $this->google2FA->verifyKey($secret, $token, config()->get('pterodactyl.auth.2fa.window'));

        if (!$isValidToken) {
-            throw new TwoFactorAuthenticationTokenInvalid('The token provided is not valid.');
+            throw new TwoFactorAuthenticationTokenInvalid();
        }

        return $this->connection->transaction(function () use ($user, $toggleState) {
@ -94,6 +94,9 @@ class ToggleTwoFactorService
                    $inserts[] = [
                        'user_id' => $user->id,
                        'token' => password_hash($token, PASSWORD_DEFAULT),
+                        // insert() won't actually set the time on the models, so make sure we do this
+                        // manually here.
+                        'created_at' => Carbon::now(),
                    ];

                    $tokens[] = $token;
--- a/tests/Integration/Api/Client/TwoFactorControllerTest.php
+++ b/tests/Integration/Api/Client/TwoFactorControllerTest.php
@ -101,6 +101,11 @@ class TwoFactorControllerTest extends ClientApiIntegrationTestCase
        $tokens = RecoveryToken::query()->where('user_id', $user->id)->get();
        $this->assertCount(10, $tokens);
        $this->assertStringStartsWith('$2y$10$', $tokens[0]->token);
+        // Ensure the recovery tokens that were created include a "created_at" timestamp
+        // value on them.
+        //
+        // @see https://github.com/pterodactyl/panel/issues/3163
+        $this->assertNotNull($tokens[0]->created_at);

        $tokens = $tokens->pluck('token')->toArray();