Commit graph

91 commits

Author SHA1 Message Date
Dane Everitt
fb1f75353d
Run cs-fixer on files 2022-02-13 19:06:53 -05:00
Dane Everitt
e683c0a518
Fix failing tests related to these changes 2022-02-13 18:32:02 -05:00
Dane Everitt
fac4902ccc
Don't trigger an internal error if hitting 2fa endpoint and it isn't enabled 2022-02-13 17:33:12 -05:00
Dane Everitt
b43e8835bb
Don't store a new key on every login 2022-02-13 15:06:08 -05:00
Dane Everitt
2d2352017d
Fix login authentication using security key 2022-02-13 14:57:45 -05:00
Dane Everitt
09497c234a
Support authenticating the provided key when loggin in 2022-02-13 14:44:50 -05:00
Dane Everitt
54c7207836
Fix authentication request creation 2022-02-13 14:23:20 -05:00
Dane Everitt
969d40d6c1
Logic cleanup after a bit of dust collection 2022-02-13 14:15:18 -05:00
Dane Everitt
8971e78ab5
Merge branch 'v2' into dane/webauthn 2022-02-13 13:46:15 -05:00
Dane Everitt
cdd8eabcc0
Add phpstan for static analysis (#3718) 2021-10-30 13:41:38 -07:00
Matthew Penner
e2de673488
Merge branch 'develop' into v2 2021-09-30 16:08:11 -06:00
Dane Everitt
4a84c36009
Fix security vulnerability when authenticating a two-factor authentication token for a user
See associated security advisory for technical details on the content of this security fix.

GHSA ID: GHSA-5vfx-8w6m-h3v4
2021-09-21 21:30:08 -07:00
Dane Everitt
eaf12aec60
Clean out existing webauthn logic, implement base logic for base package 2021-09-19 11:24:31 -07:00
Dane Everitt
436e686037
Apply php-cs-fixer changes 2021-08-07 16:10:24 -07:00
Dane Everitt
d60e8a193b
Very basic working implementation of sanctum for API validation 2021-08-04 21:15:16 -07:00
Matthew Penner
59f2ea37d8 ui(auth): add support for using a security key 2021-07-17 14:45:23 -06:00
Matthew Penner
31c2ef5279 webauthn: update login flow to support other 2fa methods 2021-07-17 14:45:23 -06:00
Matthew Penner
28146f5bb6 webauthn: add controllers and transformers 2021-07-17 14:45:23 -06:00
Matthew Penner
b856ab17bd Merge branch 'develop' into feature/react-admin 2021-01-27 23:18:06 -07:00
Dane Everitt
5515871b2f
Turns out I hate that huge space formatting, disable that mess 2021-01-27 20:52:11 -08:00
Matthew Penner
8feb87de7c Merge branch 'develop' into feature/react-admin 2021-01-23 14:39:23 -07:00
Dane Everitt
c449ca5155
Use more standardized phpcs 2021-01-23 12:33:34 -08:00
Dane Everitt
a043071e3c
Update to Laravel 8
Co-authored-by: Matthew Penner <me@matthewp.io>
2021-01-23 12:12:54 -08:00
Matthew Penner
4dab137b51 auth: fix call to renamed method 2021-01-14 10:36:05 -07:00
Dane Everitt
c370e08f65
[security] add login throttling to the 2FA verification endpoint 2020-10-17 14:46:10 -07:00
Dane Everitt
7b75e7a648
Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-02 23:01:02 -07:00
Dane Everitt
9eb31a16d9
Fix 2FA handling; closes #1962 2020-04-25 13:01:16 -07:00
Dane Everitt
7543ef085d
Format files 2019-09-05 21:32:57 -07:00
Dane Everitt
bd8b708c32
[L6] Update cache methods to use defined times and not ints 2019-09-04 20:24:46 -07:00
Dane Everitt
212773d63c
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00
Dane Everitt
56640253b9
Merge branch 'release/v0.7.14' into feature/react 2019-06-22 12:28:44 -07:00
Dane Everitt
2db7928b76
Don't expose existence of account when an incorrect password is provided and the user has 2FA enabled 2019-06-21 21:39:24 -07:00
Dane Everitt
19ef901768
Show success message to the user 2019-06-11 23:19:43 -07:00
Dane Everitt
136e4b5b7b
Fix some issues 2018-12-30 12:45:57 -08:00
Dane Everitt
21ffa08d66
Merge branch 'develop' into feature/vuejs 2018-12-16 14:20:35 -08:00
Oreo Oreoniv
adcf0c9fee
Fixed Failed event
Thank you very much Laravel for not pointing out the changes to be made when upgrading from 5.6 to 5.7
2018-11-28 23:24:43 +03:00
zKoz210
2d7e889bcc Fixed StyleCI 2018-11-26 03:28:14 +03:00
zKoz210
0b4b1a3443 Initial update 2018-11-26 03:25:18 +03:00
Dane Everitt
550c622d3b
Obliterate JWT from codebase 2018-07-14 22:48:09 -07:00
Dane Everitt
6336e5191f
Strip out JWT usage and use cookies to track the currently logged in user 2018-07-14 22:42:58 -07:00
Dane Everitt
5010c0c756
Merge branch 'feature/vuejs' into feature/vuejs-account 2018-07-04 18:12:57 -07:00
Dane Everitt
af9af78938
Merge branch 'develop' into feature/vuejs 2018-07-04 18:09:07 -07:00
Dane Everitt
8f5bd214a4
[Security] Address 2FA bypass in password reset functionality
Thanks to Trixter#0001 on Discord for this security report.

There was a two-factor authentication bypass present in all previous versions of Pterodactyl that would allow a user to login without providing a token by going through the password reset process. A person would still have to have access to the targeted account's email, but if they did manage to get a password reset link they would be able to reset the account password and then proceede to login without a token being required.

This logic has since been changed to check if 2FA is enabled on an account, and if so they will NOT be logged in when their password is changed. This will force them to continue through the normal login pathway where a token will be needed.

Overall the impact of this issue is minor, but I am still addressing it and disclosing the mechanism behind it.
2018-07-04 11:41:56 -07:00
Dane Everitt
e7faf979a1
Change login handling to automatically redirect a user if their session will need renewal. 2018-06-16 14:05:39 -07:00
Dane Everitt
03c83c084a
Revert use of cookies, go back to using a JWT 2018-06-06 22:49:44 -07:00
Dane Everitt
e948d81d8a
Base attempt at using vuex to handle logins 2018-06-05 23:00:01 -07:00
Dane Everitt
a1444b047e
Fix JWT handling for API access when logging in 2018-05-28 14:59:48 -07:00
Dane Everitt
ad69193ac0
Add JWT to login forms 2018-05-28 12:48:42 -07:00
Dane Everitt
4fad244073
Show correct auth error. 2018-04-08 16:16:04 -05:00
Dane Everitt
b6e94d9a1e
Code cleanup 2018-04-08 16:00:52 -05:00