Commit graph

12 commits

Author SHA1 Message Date
Dane Everitt
af9af78938
Merge branch 'develop' into feature/vuejs 2018-07-04 18:09:07 -07:00
Dane Everitt
8f5bd214a4
[Security] Address 2FA bypass in password reset functionality
Thanks to Trixter#0001 on Discord for this security report.

There was a two-factor authentication bypass present in all previous versions of Pterodactyl that would allow a user to login without providing a token by going through the password reset process. A person would still have to have access to the targeted account's email, but if they did manage to get a password reset link they would be able to reset the account password and then proceede to login without a token being required.

This logic has since been changed to check if 2FA is enabled on an account, and if so they will NOT be logged in when their password is changed. This will force them to continue through the normal login pathway where a token will be needed.

Overall the impact of this issue is minor, but I am still addressing it and disclosing the mechanism behind it.
2018-07-04 11:41:56 -07:00
Dane Everitt
d63624f607
Working login form with password reset functionality. 2018-04-08 15:18:13 -05:00
Dane Everitt
6f52f4a614
Push updates to login page, mostly UI enhancements. 2017-11-18 15:09:58 -06:00
Dane Everitt
3ee5803416
Massive PHPCS linting 2017-08-21 22:10:48 -05:00
Dane Everitt
aa6060846d
Actually show errors on password reset page. 2017-04-27 23:44:26 -04:00
Dane Everitt
0312c974f5
Update doc blocks for all app/ 2017-03-19 19:36:50 -04:00
Dane Everitt
c1fb0a665f Apply fixes from StyleCI 2016-12-07 22:46:38 +00:00
Dane Everitt
48994c1354
Fix the other user bug... 2016-11-04 21:50:47 -04:00
Jakob
e65dc5708d Validate password on reset according to rules (#158)
* move password rules to Models\User::PASSWORD_RULES

* validate new password according to rules on password reset

* add password requirements info to auth.passwords.reset view
2016-10-30 16:02:39 -04:00
Dane Everitt
b3ca8a3732 Fix password reset redirection path 2016-09-04 19:08:46 -04:00
Dane Everitt
afb5011fbe Update to Laravel 5.3
[BREAKING] — REMOVES REMOTE API

A new API will need to be implemented properly using the new Laravel
Passport OAuth2 system. DingoAPI was becoming too unstable and
development wasn’t really moving along enough to continue to rely on it.
2016-09-03 17:09:00 -04:00