Support using recovery tokens during the login process to bypass 2fa; closes #479

2020-07-02 23:01:02 -07:00 · 2020-07-02 23:01:02 -07:00 · 7b75e7a648
commit 7b75e7a648
parent 795e045950
7 changed files with 84 additions and 30 deletions
--- a/app/Http/Controllers/Auth/AbstractLoginController.php
+++ b/app/Http/Controllers/Auth/AbstractLoginController.php
@ -68,10 +68,11 @@ abstract class AbstractLoginController extends Controller
     *
     * @param \Illuminate\Http\Request $request
     * @param \Illuminate\Contracts\Auth\Authenticatable|null $user
+     * @param string|null $message
     *
     * @throws \Pterodactyl\Exceptions\DisplayException
     */
-    protected function sendFailedLoginResponse(Request $request, Authenticatable $user = null)
+    protected function sendFailedLoginResponse(Request $request, Authenticatable $user = null, string $message = null)
    {
        $this->incrementLoginAttempts($request);
        $this->fireFailedLoginEvent($user, [
@ -79,7 +80,9 @@ abstract class AbstractLoginController extends Controller
        ]);

        if ($request->route()->named('auth.login-checkpoint')) {
-            throw new DisplayException(trans('auth.two_factor.checkpoint_failed'));
+            throw new DisplayException(
+                $message ?? trans('auth.two_factor.checkpoint_failed')
+            );
        }

        throw new DisplayException(trans('auth.failed'));
@ -116,7 +119,7 @@ abstract class AbstractLoginController extends Controller
     */
    protected function getField(string $input = null): string
    {
-        return str_contains($input, '@') ? 'email' : 'username';
+        return ($input && str_contains($input, '@')) ? 'email' : 'username';
    }

    /**
--- a/app/Http/Controllers/Auth/LoginCheckpointController.php
+++ b/app/Http/Controllers/Auth/LoginCheckpointController.php
@ -11,6 +11,7 @@ use Pterodactyl\Http\Requests\Auth\LoginCheckpointRequest;
 use Illuminate\Contracts\Cache\Repository as CacheRepository;
 use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
 use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
+use Pterodactyl\Repositories\Eloquent\RecoveryTokenRepository;

 class LoginCheckpointController extends AbstractLoginController
 {
@ -34,6 +35,11 @@ class LoginCheckpointController extends AbstractLoginController
     */
    private $encrypter;

+    /**
+     * @var \Pterodactyl\Repositories\Eloquent\RecoveryTokenRepository
+     */
+    private $recoveryTokenRepository;
+
    /**
     * LoginCheckpointController constructor.
     *
@ -42,6 +48,7 @@ class LoginCheckpointController extends AbstractLoginController
     * @param \PragmaRX\Google2FA\Google2FA $google2FA
     * @param \Illuminate\Contracts\Config\Repository $config
     * @param \Illuminate\Contracts\Cache\Repository $cache
+     * @param \Pterodactyl\Repositories\Eloquent\RecoveryTokenRepository $recoveryTokenRepository
     * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $repository
     */
    public function __construct(
@ -50,6 +57,7 @@ class LoginCheckpointController extends AbstractLoginController
        Google2FA $google2FA,
        Repository $config,
        CacheRepository $cache,
+        RecoveryTokenRepository $recoveryTokenRepository,
        UserRepositoryInterface $repository
    ) {
        parent::__construct($auth, $config);
@ -58,6 +66,7 @@ class LoginCheckpointController extends AbstractLoginController
        $this->cache = $cache;
        $this->repository = $repository;
        $this->encrypter = $encrypter;
+        $this->recoveryTokenRepository = $recoveryTokenRepository;
    }

    /**
@ -76,21 +85,35 @@ class LoginCheckpointController extends AbstractLoginController
    public function __invoke(LoginCheckpointRequest $request): JsonResponse
    {
        $token = $request->input('confirmation_token');
+        $recoveryToken = $request->input('recovery_token');

        try {
+            /** @var \Pterodactyl\Models\User $user */
            $user = $this->repository->find($this->cache->get($token, 0));
        } catch (RecordNotFoundException $exception) {
-            return $this->sendFailedLoginResponse($request);
+            return $this->sendFailedLoginResponse($request, null, 'The authentication token provided has expired, please refresh the page and try again.');
        }

-        $decrypted = $this->encrypter->decrypt($user->totp_secret);
+        // If we got a recovery token try to find one that matches for the user and then continue
+        // through the process (and delete the token).
+        if (! is_null($recoveryToken)) {
+            foreach ($user->recoveryTokens as $token) {
+                if (password_verify($recoveryToken, $token->token)) {
+                    $this->recoveryTokenRepository->delete($token->id);

-        if ($this->google2FA->verifyKey($decrypted, (string) $request->input('authentication_code') ?? '', config('pterodactyl.auth.2fa.window'))) {
-            $this->cache->delete($token);
+                    return $this->sendLoginResponse($user, $request);
+                }
+            }
+        } else {
+            $decrypted = $this->encrypter->decrypt($user->totp_secret);

-            return $this->sendLoginResponse($user, $request);
+            if ($this->google2FA->verifyKey($decrypted, (string) $request->input('authentication_code') ?? '', config('pterodactyl.auth.2fa.window'))) {
+                $this->cache->delete($token);
+
+                return $this->sendLoginResponse($user, $request);
+            }
        }

-        return $this->sendFailedLoginResponse($request, $user);
+        return $this->sendFailedLoginResponse($request, $user, ! empty($recoveryToken) ? 'The recovery token provided is not valid.' : null);
    }
 }
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@ -103,7 +103,7 @@ class LoginController extends AbstractLoginController
            $token = Str::random(64);
            $this->cache->put($token, $user->id, Chronos::now()->addMinutes(5));

-            return JsonResponse::create([
+            return new JsonResponse([
                'data' => [
                    'complete' => false,
                    'confirmation_token' => $token,
--- a/app/Http/Requests/Auth/LoginCheckpointRequest.php
+++ b/app/Http/Requests/Auth/LoginCheckpointRequest.php
@ -2,6 +2,7 @@

 namespace Pterodactyl\Http\Requests\Auth;

+use Illuminate\Validation\Rule;
 use Illuminate\Foundation\Http\FormRequest;

 class LoginCheckpointRequest extends FormRequest
@ -25,7 +26,20 @@ class LoginCheckpointRequest extends FormRequest
    {
        return [
            'confirmation_token' => 'required|string',
-            'authentication_code' => 'required|numeric',
+            'authentication_code' => [
+                'nullable',
+                'numeric',
+                Rule::requiredIf(function () {
+                    return empty($this->input('recovery_token'));
+                }),
+            ],
+            'recovery_token' => [
+                'nullable',
+                'string',
+                Rule::requiredIf(function () {
+                    return empty($this->input('authentication_code'));
+                }),
+            ],
        ];
    }
 }