StarMC/Astral-nook
StarMC/Astral-nook
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix changing a user password to not incorrectly handle logging out old sessions; closes #3531

Browse source
This commit is contained in:
Dane Everitt 2021-08-15 17:37:12 -07:00
parent 25d9ba4779
commit 2b3303c46b
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
5 changed files with 32 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

11
app/Http/Controllers/Api/Client/AccountController.php
View file

@ -58,12 +58,17 @@ class AccountController extends ClientApiController
* Update the authenticated user's password. All existing sessions will be logged
* out immediately.
*
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
* @throws \Throwable
*/
public function updatePassword(UpdatePasswordRequest $request): JsonResponse
{
$this->updateService->handle($request->user(), $request->validated());
$user = $this->updateService->handle($request->user(), $request->validated());
// If you do not update the user in the session you'll end up working with a
// cached copy of the user that does not include the updated password. Do this
// to correctly store the new user details in the guard and allow the logout
// other devices functionality to work.
$this->sessionGuard->setUser($user);
$this->sessionGuard->logoutOtherDevices($request->input('password'));

6
app/Http/Requests/Api/Client/Account/UpdateEmailRequest.php
View file

@ -3,6 +3,8 @@
namespace Pterodactyl\Http\Requests\Api\Client\Account;
use Pterodactyl\Models\User;
use Illuminate\Container\Container;
use Illuminate\Contracts\Hashing\Hasher;
use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
use Pterodactyl\Exceptions\Http\Base\InvalidPasswordProvidedException;
@ -17,8 +19,10 @@ class UpdateEmailRequest extends ClientApiRequest
return false;
}
$hasher = Container::getInstance()->make(Hasher::class);
// Verify password matches when changing password or email.
if (!password_verify($this->input('password'), $this->user()->password)) {
if (!$hasher->check($this->input('password'), $this->user()->password)) {
throw new InvalidPasswordProvidedException(trans('validation.internal.invalid_password'));
}

6
app/Http/Requests/Api/Client/Account/UpdatePasswordRequest.php
View file

@ -2,6 +2,8 @@
namespace Pterodactyl\Http\Requests\Api\Client\Account;
use Illuminate\Container\Container;
use Illuminate\Contracts\Hashing\Hasher;
use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
use Pterodactyl\Exceptions\Http\Base\InvalidPasswordProvidedException;
@ -16,8 +18,10 @@ class UpdatePasswordRequest extends ClientApiRequest
return false;
}
$hasher = Container::getInstance()->make(Hasher::class);
// Verify password matches when changing password or email.
if (!password_verify($this->input('current_password'), $this->user()->password)) {
if (!$hasher->check($this->input('current_password'), $this->user()->password)) {
throw new InvalidPasswordProvidedException(trans('validation.internal.invalid_password'));
}