Skynet/misc_pterodactyl-panel
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Improved login controller func. for 2FA, throws Failed event correctly now

Browse source
This commit is contained in:
Dane Everitt 2017-04-14 14:33:15 -04:00
parent 13742ef10a
commit f1024ad1a8
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
2 changed files with 82 additions and 45 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

125
app/Http/Controllers/Auth/LoginController.php
View file

@ -28,9 +28,11 @@ namespace Pterodactyl\Http\Controllers\Auth;
use Auth; use Auth;
use Alert; use Alert;
use Cache; use Cache;
use Crypt;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Pterodactyl\Models\User; use Pterodactyl\Models\User;
use PragmaRX\Google2FA\Google2FA; use PragmaRX\Google2FA\Google2FA;
use Pterodactyl\Events\Auth\FailedLogin;
use Pterodactyl\Http\Controllers\Controller; use Pterodactyl\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers; use Illuminate\Foundation\Auth\AuthenticatesUsers;
@ -79,6 +81,27 @@ class LoginController extends Controller
$this->middleware('guest', ['except' => 'logout']); $this->middleware('guest', ['except' => 'logout']);
} }
/**
* Get the failed login response instance.
*
* @param \Illuminate\Http\Request $request
* @return \Illuminate\Http\RedirectResponse
*/
protected function sendFailedLoginResponse(Request $request)
{
$this->incrementLoginAttempts($request);
$errors = [$this->username() => trans('auth.failed')];
if ($request->expectsJson()) {
return response()->json($errors, 422);
}
return redirect()->route('auth.login')
->withInput($request->only($this->username(), 'remember'))
->withErrors($errors);
}
/** /**
* Handle a login request to the application. * Handle a login request to the application.
* *
@ -88,42 +111,46 @@ class LoginController extends Controller
public function login(Request $request) public function login(Request $request)
{ {
// Check wether the user identifier is an email address or a username // Check wether the user identifier is an email address or a username
$isEmail = str_contains($request->input('user'), '@'); $checkField = str_contains($request->input('user'), '@') ? 'email' : 'username';
$this->validate($request, [ if ($this->hasTooManyLoginAttempts($request)) {
'user' => $isEmail ? 'required|email' : 'required|string',
'password' => 'required',
]);
if ($lockedOut = $this->hasTooManyLoginAttempts($request)) {
$this->fireLockoutEvent($request); $this->fireLockoutEvent($request);
return $this->sendLockoutResponse($request); return $this->sendLockoutResponse($request);
} }
// Is the user (email or username) & password valid? // Determine if the user even exists.
if (! Auth::once([ $user = User::where($checkField, $request->input($this->username()))->first();
$isEmail ? 'email' : 'username' => $request->input('user'), if (! $user) {
'password' => $request->input('password'),
], $request->has('remember'))) {
if (! $lockedOut) {
$this->incrementLoginAttempts($request);
}
return $this->sendFailedLoginResponse($request); return $this->sendFailedLoginResponse($request);
} }
// Verify TOTP Token was Valid // If user uses 2FA, redirect to that page.
if (Auth::user()->use_totp) { if ($user->use_totp) {
$verifyKey = str_random(64); $token = str_random(64);
Cache::put($verifyKey, Auth::user()->id, 5); Cache::put($token, [
'user_id' => $user->id,
'credentials' => Crypt::encrypt(serialize([
$checkField => $request->input($this->username()),
'password' => $request->input('password'),
])),
], 5);
return redirect()->route('auth.totp')->with('authentication_token', $verifyKey); return redirect()->route('auth.totp')->with('authentication_token', $token);
} else { }
Auth::login(Auth::user(), $request->has('remember'));
$attempt = Auth::attempt([
$checkField => $request->input($this->username()),
'password' => $request->input('password'),
'use_totp' => 0,
], $request->has('remember'));
if ($attempt) {
return $this->sendLoginResponse($request); return $this->sendLoginResponse($request);
} }
// Login failed, send response.
return $this->sendFailedLoginResponse($request);
} }
/** /**
@ -134,14 +161,14 @@ class LoginController extends Controller
*/ */
public function totp(Request $request) public function totp(Request $request)
{ {
$verifyKey = $request->session()->get('authentication_token'); $token = $request->session()->get('authentication_token');
if (is_null($verifyKey) || Auth::user()) { if (is_null($token) || Auth::user()) {
return redirect()->route('auth.login'); return redirect()->route('auth.login');
} }
return view('auth.totp', [ return view('auth.totp', [
'verify_key' => $verifyKey, 'verify_key' => $token,
'remember' => $request->has('remember'), 'remember' => $request->has('remember'),
]); ]);
} }
@ -157,30 +184,40 @@ class LoginController extends Controller
$G2FA = new Google2FA(); $G2FA = new Google2FA();
if (is_null($request->input('verify_token'))) { if (is_null($request->input('verify_token'))) {
$this->incrementLoginAttempts($request); return $this->sendFailedLoginResponse($request);
Alert::danger(trans('auth.totp_failed'))->flash();
return redirect()->route('auth.login');
} }
$user = User::where('id', Cache::pull($request->input('verify_token')))->first(); $cache = Cache::pull($request->input('verify_token'));
if (! $user) { $user = User::where('id', $cache['user_id'])->first();
$this->incrementLoginAttempts($request);
Alert::danger(trans('auth.totp_failed'))->flash();
return redirect()->route('auth.login'); if (! $user || ! $cache) {
$this->sendFailedLoginResponse($request);
} }
if (! is_null($request->input('2fa_token')) && $G2FA->verifyKey($user->totp_secret, $request->input('2fa_token'), 1)) { if (is_null($request->input('2fa_token'))) {
Auth::login($user, $request->has('remember')); return $this->sendFailedLoginResponse($request);
return redirect()->intended($this->redirectPath());
} else {
$this->incrementLoginAttempts($request);
Alert::danger(trans('auth.2fa_failed'))->flash();
return redirect()->route('auth.login');
} }
try {
$credentials = unserialize(Crypt::decrypt($cache['credentials']));
} catch (\Illuminate\Contracts\Encryption\DecryptException $ex) {
return $this->sendFailedLoginResponse($request);
}
if (! $G2FA->verifyKey($user->totp_secret, $request->input('2fa_token'), 2)) {
event(new \Illuminate\Auth\Events\Failed($user, $credentials));
return $this->sendFailedLoginResponse($request);
}
$attempt = Auth::attempt($credentials, $request->has('remember'));
if ($attempt) {
return $this->sendLoginResponse($request);
}
// Login failed, send response.
return $this->sendFailedLoginResponse($request);
} }
/** /**

2
resources/lang/en/auth.php
View file

@ -11,7 +11,7 @@ return [
'reset_password_text' => 'Reset your account password.', 'reset_password_text' => 'Reset your account password.',
'reset_password' => 'Reset Account Password', 'reset_password' => 'Reset Account Password',
'email_sent' => 'An email has been sent to you with further instructions for resetting your password.', 'email_sent' => 'An email has been sent to you with further instructions for resetting your password.',
'failed' => 'These credentials do not match our records.', 'failed' => 'The credentials provided to not match those we have on record, or the 2FA token provided was invalid.',
'throttle' => 'Too many login attempts. Please try again in :seconds seconds.', 'throttle' => 'Too many login attempts. Please try again in :seconds seconds.',
'password_requirements' => 'Passwords must contain at least one uppercase, lowecase, and numeric character and must be at least 8 characters in length.', 'password_requirements' => 'Passwords must contain at least one uppercase, lowecase, and numeric character and must be at least 8 characters in length.',
'request_reset' => 'Locate Account', 'request_reset' => 'Locate Account',