diff --git a/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php b/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php
index 51b02ddf..3259cd8f 100644
--- a/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php
+++ b/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php
@@ -28,7 +28,8 @@ abstract class SftpAuthenticationController extends Controller
/**
* Authenticate a set of credentials and return the associated server details
- * for a SFTP connection on the daemon.
+ * for a SFTP connection on the daemon. This supports both public key and password
+ * based credentials.
*/
public function __invoke(SftpAuthenticationFormRequest $request): JsonResponse
{
@@ -44,9 +45,7 @@ abstract class SftpAuthenticationController extends Controller
$this->reject($request);
}
} else {
- // Start blocking requests when the user has no public keys in the first place —
- // don't let the user spam this endpoint.
- if ($user->sshKeys->isEmpty()) {
+ if (!$user->sshKeys()->where('public_key', $request->input('password'))->exists()) {
$this->reject($request);
}
}
diff --git a/app/Http/Requests/Api/Remote/SftpAuthenticationFormRequest.php b/app/Http/Requests/Api/Remote/SftpAuthenticationFormRequest.php
index bb6ec5be..f1e06cb3 100644
--- a/app/Http/Requests/Api/Remote/SftpAuthenticationFormRequest.php
+++ b/app/Http/Requests/Api/Remote/SftpAuthenticationFormRequest.php
@@ -2,7 +2,6 @@
namespace Pterodactyl\Http\Requests\Api\Remote;
-use Illuminate\Validation\Rule;
use Illuminate\Foundation\Http\FormRequest;
class SftpAuthenticationFormRequest extends FormRequest
@@ -27,9 +26,7 @@ class SftpAuthenticationFormRequest extends FormRequest
return [
'type' => ['nullable', 'in:password,public_key'],
'username' => ['required', 'string'],
- 'password' => [
- Rule::when(fn () => $this->input('type') !== 'public_key', ['required', 'string'], ['nullable']),
- ],
+ 'password' => ['required', 'string'],
];
}