Finalize two-factor handling on account.

2018-06-20 23:05:35 -07:00 · 2018-06-20 23:05:35 -07:00 · 7711b697ad
commit 7711b697ad
parent 0cc895f2d5
13 changed files with 299 additions and 137 deletions
--- a/app/Http/Controllers/Base/SecurityController.php
+++ b/app/Http/Controllers/Base/SecurityController.php
@ -3,6 +3,7 @@
 namespace Pterodactyl\Http\Controllers\Base;

 use Illuminate\Http\Request;
+use Illuminate\Http\JsonResponse;
 use Prologue\Alerts\AlertsMessageBag;
 use Pterodactyl\Http\Controllers\Controller;
 use Pterodactyl\Services\Users\TwoFactorSetupService;
@ -62,36 +63,28 @@ class SecurityController extends Controller
    }

    /**
-     * Returns Security Management Page.
-     *
-     * @param \Illuminate\Http\Request $request
-     * @return \Illuminate\View\View
-     */
-    public function index(Request $request)
-    {
-        if ($this->config->get('session.driver') === 'database') {
-            $activeSessions = $this->repository->getUserSessions($request->user()->id);
-        }
-
-        return view('base.security', [
-            'sessions' => $activeSessions ?? null,
-        ]);
-    }
-
-    /**
-     * Generates TOTP Secret and returns popup data for user to verify
-     * that they can generate a valid response.
+     * Return information about the user's two-factor authentication status. If not enabled setup their
+     * secret and return information to allow the user to proceede with setup.
     *
     * @param \Illuminate\Http\Request $request
     * @return \Illuminate\Http\JsonResponse
-     *
     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
     */
-    public function generateTotp(Request $request)
+    public function index(Request $request): JsonResponse
    {
-        return response()->json([
-            'qrImage' => $this->twoFactorSetupService->handle($request->user()),
+        if ($request->user()->use_totp) {
+            return JsonResponse::create([
+                'enabled' => true,
+            ]);
+        }
+
+        $response = $this->twoFactorSetupService->handle($request->user());
+
+        return JsonResponse::create([
+            'enabled' => false,
+            'qr_image' => $response->get('image'),
+            'secret' => $response->get('secret'),
        ]);
    }

@ -99,53 +92,43 @@ class SecurityController extends Controller
     * Verifies that 2FA token received is valid and will work on the account.
     *
     * @param \Illuminate\Http\Request $request
-     * @return \Illuminate\Http\Response
+     * @return \Illuminate\Http\JsonResponse
     *
     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
     */
-    public function setTotp(Request $request)
+    public function store(Request $request): JsonResponse
    {
        try {
            $this->toggleTwoFactorService->handle($request->user(), $request->input('token') ?? '');
-
-            return response('true');
        } catch (TwoFactorAuthenticationTokenInvalid $exception) {
-            return response('false');
+            $error = true;
        }
+
+        return JsonResponse::create([
+            'success' => ! isset($error),
+        ]);
    }

    /**
     * Disables TOTP on an account.
     *
     * @param \Illuminate\Http\Request $request
-     * @return \Illuminate\Http\RedirectResponse
+     * @return \Illuminate\Http\JsonResponse
     *
     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
     */
-    public function disableTotp(Request $request)
+    public function delete(Request $request): JsonResponse
    {
        try {
            $this->toggleTwoFactorService->handle($request->user(), $request->input('token') ?? '', false);
        } catch (TwoFactorAuthenticationTokenInvalid $exception) {
-            $this->alert->danger(trans('base.security.2fa_disable_error'))->flash();
+            $error = true;
        }

-        return redirect()->route('account.security');
-    }
-
-    /**
-     * Revokes a user session.
-     *
-     * @param \Illuminate\Http\Request $request
-     * @param string                   $id
-     * @return \Illuminate\Http\RedirectResponse
-     */
-    public function revoke(Request $request, string $id)
-    {
-        $this->repository->deleteUserSession($request->user()->id, $id);
-
-        return redirect()->route('account.security');
+        return JsonResponse::create([
+            'success' => ! isset($error),
+        ]);
    }
 }
--- a/app/Services/Users/TwoFactorSetupService.php
+++ b/app/Services/Users/TwoFactorSetupService.php
@ -11,17 +11,12 @@ namespace Pterodactyl\Services\Users;

 use Pterodactyl\Models\User;
 use PragmaRX\Google2FA\Google2FA;
+use Illuminate\Support\Collection;
 use Illuminate\Contracts\Encryption\Encrypter;
 use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
-use Illuminate\Contracts\Config\Repository as ConfigRepository;

 class TwoFactorSetupService
 {
-    /**
-     * @var \Illuminate\Contracts\Config\Repository
-     */
-    private $config;
-
    /**
     * @var \Illuminate\Contracts\Encryption\Encrypter
     */
@ -40,18 +35,15 @@ class TwoFactorSetupService
    /**
     * TwoFactorSetupService constructor.
     *
-     * @param \Illuminate\Contracts\Config\Repository                   $config
     * @param \Illuminate\Contracts\Encryption\Encrypter                $encrypter
     * @param \PragmaRX\Google2FA\Google2FA                             $google2FA
     * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $repository
     */
    public function __construct(
-        ConfigRepository $config,
        Encrypter $encrypter,
        Google2FA $google2FA,
        UserRepositoryInterface $repository
    ) {
-        $this->config = $config;
        $this->encrypter = $encrypter;
        $this->google2FA = $google2FA;
        $this->repository = $repository;
@ -62,20 +54,23 @@ class TwoFactorSetupService
     * QR code image.
     *
     * @param \Pterodactyl\Models\User $user
-     * @return string
+     * @return \Illuminate\Support\Collection
     *
     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
     */
-    public function handle(User $user): string
+    public function handle(User $user): Collection
    {
-        $secret = $this->google2FA->generateSecretKey($this->config->get('pterodactyl.auth.2fa.bytes'));
-        $image = $this->google2FA->getQRCodeGoogleUrl($this->config->get('app.name'), $user->email, $secret);
+        $secret = $this->google2FA->generateSecretKey(config('pterodactyl.auth.2fa.bytes'));
+        $image = $this->google2FA->getQRCodeGoogleUrl(config('app.name'), $user->email, $secret);

        $this->repository->withoutFreshModel()->update($user->id, [
            'totp_secret' => $this->encrypter->encrypt($secret),
        ]);

-        return $image;
+        return new Collection([
+            'image' => $image,
+            'secret' => $secret,
+        ]);
    }
 }