From 8c7d785c9eff304c7f3b0c9a2666dd17cf5b6ea0 Mon Sep 17 00:00:00 2001 From: Dane Everitt Date: Sun, 21 Mar 2021 10:43:01 -0700 Subject: [PATCH] Ensure a created_at value is set on recovery tokens; closes #3163 --- .../Service/User/TwoFactorAuthenticationTokenInvalid.php | 7 +++++++ app/Http/Controllers/Api/Client/TwoFactorController.php | 3 +-- app/Services/Users/ToggleTwoFactorService.php | 5 ++++- tests/Integration/Api/Client/TwoFactorControllerTest.php | 5 +++++ 4 files changed, 17 insertions(+), 3 deletions(-) diff --git a/app/Exceptions/Service/User/TwoFactorAuthenticationTokenInvalid.php b/app/Exceptions/Service/User/TwoFactorAuthenticationTokenInvalid.php index a4ea4dd09..b7b819b44 100644 --- a/app/Exceptions/Service/User/TwoFactorAuthenticationTokenInvalid.php +++ b/app/Exceptions/Service/User/TwoFactorAuthenticationTokenInvalid.php @@ -6,4 +6,11 @@ use Pterodactyl\Exceptions\DisplayException; class TwoFactorAuthenticationTokenInvalid extends DisplayException { + /** + * TwoFactorAuthenticationTokenInvalid constructor. + */ + public function __construct() + { + parent::__construct('The provided two-factor authentication token was not valid.'); + } } diff --git a/app/Http/Controllers/Api/Client/TwoFactorController.php b/app/Http/Controllers/Api/Client/TwoFactorController.php index 4f7145add..07eeb2972 100644 --- a/app/Http/Controllers/Api/Client/TwoFactorController.php +++ b/app/Http/Controllers/Api/Client/TwoFactorController.php @@ -72,12 +72,11 @@ class TwoFactorController extends ClientApiController * * @return \Illuminate\Http\JsonResponse * + * @throws \Throwable * @throws \Illuminate\Validation\ValidationException * @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException * @throws \PragmaRX\Google2FA\Exceptions\InvalidCharactersException * @throws \PragmaRX\Google2FA\Exceptions\SecretKeyTooShortException - * @throws \Pterodactyl\Exceptions\Model\DataValidationException - * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException * @throws \Pterodactyl\Exceptions\Service\User\TwoFactorAuthenticationTokenInvalid */ public function store(Request $request) diff --git a/app/Services/Users/ToggleTwoFactorService.php b/app/Services/Users/ToggleTwoFactorService.php index 908fc35d6..28faff7f1 100644 --- a/app/Services/Users/ToggleTwoFactorService.php +++ b/app/Services/Users/ToggleTwoFactorService.php @@ -74,7 +74,7 @@ class ToggleTwoFactorService $isValidToken = $this->google2FA->verifyKey($secret, $token, config()->get('pterodactyl.auth.2fa.window')); if (!$isValidToken) { - throw new TwoFactorAuthenticationTokenInvalid('The token provided is not valid.'); + throw new TwoFactorAuthenticationTokenInvalid(); } return $this->connection->transaction(function () use ($user, $toggleState) { @@ -94,6 +94,9 @@ class ToggleTwoFactorService $inserts[] = [ 'user_id' => $user->id, 'token' => password_hash($token, PASSWORD_DEFAULT), + // insert() won't actually set the time on the models, so make sure we do this + // manually here. + 'created_at' => Carbon::now(), ]; $tokens[] = $token; diff --git a/tests/Integration/Api/Client/TwoFactorControllerTest.php b/tests/Integration/Api/Client/TwoFactorControllerTest.php index 8af7e31a8..903efb853 100644 --- a/tests/Integration/Api/Client/TwoFactorControllerTest.php +++ b/tests/Integration/Api/Client/TwoFactorControllerTest.php @@ -101,6 +101,11 @@ class TwoFactorControllerTest extends ClientApiIntegrationTestCase $tokens = RecoveryToken::query()->where('user_id', $user->id)->get(); $this->assertCount(10, $tokens); $this->assertStringStartsWith('$2y$10$', $tokens[0]->token); + // Ensure the recovery tokens that were created include a "created_at" timestamp + // value on them. + // + // @see https://github.com/pterodactyl/panel/issues/3163 + $this->assertNotNull($tokens[0]->created_at); $tokens = $tokens->pluck('token')->toArray();