From e856daee195c5031a8944e739209966cdce83d5b Mon Sep 17 00:00:00 2001
From: DaneEveritt
Date: Sun, 15 May 2022 15:47:06 -0400
Subject: [PATCH] Reject requests for public key auth when the user has no keys
---
 .../Controllers/Api/Remote/SftpAuthenticationController.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php b/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php
index b139ab3cf..51b02ddf6 100644
--- a/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php
+++ b/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php
@@ -43,6 +43,12 @@ abstract class SftpAuthenticationController extends Controller
 if (!password_verify($request->input('password'), $user->password)) {
 $this->reject($request);
 }
+ } else {
+ // Start blocking requests when the user has no public keys in the first place —
+ // don't let the user spam this endpoint.
+ if ($user->sshKeys->isEmpty()) {
+ $this->reject($request);
+ }
 }
 
 $this->validateSftpAccess($user, $server);
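Review bot: In the new `else` branch the only gate before `validateSftpAccess()` is `$user->sshKeys->isEmpty()`, so as far as this hunk shows, a public-key request from a user with any stored key proceeds without the presented key being compared to anything. If the key match happens elsewhere (a subclass of this abstract controller, or the component that calls this endpoint), the comment should say so, e.g. `// Presence check only: the offered key is verified by <component>, not here.`, so the branch is not later mistaken for authentication. Both branches also rely on `reject()` never returning, which presumably means it throws; that is not visible here and deserves a `@throws` line on `reject()`. The enclosing method and the outer `if` condition lie outside the hunk.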