Fix username validation and auto-generation, closes #927

2018-02-11 16:39:50 -06:00 · 2018-02-11 16:39:50 -06:00 · bf537922a3
commit bf537922a3
parent c3dc376c4c
7 changed files with 159 additions and 41 deletions
--- a/app/Http/Controllers/API/Remote/SftpController.php
+++ b/app/Http/Controllers/API/Remote/SftpController.php
@ -42,7 +42,12 @@ class SftpController extends Controller
     */
    public function index(SftpAuthenticationFormRequest $request): JsonResponse
    {
-        $connection = explode('.', $request->input('username'));
+        $parts = explode('.', strrev($request->input('username')), 2);
+        $connection = [
+            'username' => strrev(array_get($parts, 1)),
+            'server' => strrev(array_get($parts, 0)),
+        ];
+
        $this->incrementLoginAttempts($request);

        if ($this->hasTooManyLoginAttempts($request)) {
@ -53,10 +58,10 @@ class SftpController extends Controller

        try {
            $data = $this->authenticationService->handle(
-                array_get($connection, 0),
+                $connection['username'],
                $request->input('password'),
                object_get($request->attributes->get('node'), 'id', 0),
-                array_get($connection, 1)
+                empty($connection['server']) ? null : $connection['server']
            );

            $this->clearLoginAttempts($request);
--- a/app/Models/User.php
+++ b/app/Models/User.php
@ -4,6 +4,7 @@ namespace Pterodactyl\Models;

 use Sofa\Eloquence\Eloquence;
 use Sofa\Eloquence\Validable;
+use Pterodactyl\Rules\Username;
 use Illuminate\Validation\Rules\In;
 use Illuminate\Auth\Authenticatable;
 use Illuminate\Database\Eloquent\Model;
@ -151,7 +152,7 @@ class User extends Model implements
        'uuid' => 'string|size:36|unique:users,uuid',
        'email' => 'email|unique:users,email',
        'external_id' => 'nullable|string|max:255|unique:users,external_id',
-        'username' => 'alpha_dash|between:1,255|unique:users,username',
+        'username' => 'between:1,255|unique:users,username',
        'name_first' => 'string|between:1,255',
        'name_last' => 'string|between:1,255',
        'password' => 'nullable|string',
@ -169,6 +170,7 @@ class User extends Model implements
    {
        $rules = self::eloquenceGatherRules();
        $rules['language'][] = new In(array_keys((new self)->getAvailableLanguages()));
+        $rules['username'][] = new Username;

        return $rules;
    }
@ -188,9 +190,9 @@ class User extends Model implements
     *
     * @param string $value
     */
-    public function setUsernameAttribute($value)
+    public function setUsernameAttribute(string $value)
    {
-        $this->attributes['username'] = strtolower($value);
+        $this->attributes['username'] = mb_strtolower($value);
    }

    /**
--- a/app/Rules/Username.php
+++ b/app/Rules/Username.php
@ -0,0 +1,36 @@
+<?php
+
+namespace Pterodactyl\Rules;
+
+use Illuminate\Contracts\Validation\Rule;
+
+class Username implements Rule
+{
+    public const VALIDATION_REGEX = '/^[a-z0-9]([\w\.-]+)[a-z0-9]$/';
+
+    /**
+     * Validate that a username contains only the allowed characters and starts/ends
+     * with alpha-numeric characters.
+     *
+     * Allowed characters: a-z0-9_-.
+     *
+     * @param string $attribute
+     * @param mixed  $value
+     * @return bool
+     */
+    public function passes($attribute, $value): bool
+    {
+        return preg_match(self::VALIDATION_REGEX, mb_strtolower($value));
+    }
+
+    /**
+     * Return a validation message for use when this rule fails.
+     *
+     * @return string
+     */
+    public function message(): string
+    {
+        return 'The :attribute must start and end with alpha-numeric characters and
+                contain only letters, numbers, dashes, underscores, and periods.';
+    }
+}
--- a/app/Services/Subusers/SubuserCreationService.php
+++ b/app/Services/Subusers/SubuserCreationService.php
@ -10,6 +10,7 @@
 namespace Pterodactyl\Services\Subusers;

 use Pterodactyl\Models\Server;
+use Pterodactyl\Rules\Username;
 use Illuminate\Database\ConnectionInterface;
 use Pterodactyl\Services\Users\UserCreationService;
 use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
@ -117,9 +118,10 @@ class SubuserCreationService
                throw new ServerSubuserExistsException(trans('exceptions.subusers.subuser_exists'));
            }
        } catch (RecordNotFoundException $exception) {
+            $username = preg_replace('/([^\w\.-]+)/', '', strtok($email, '@'));
            $user = $this->userCreationService->handle([
                'email' => $email,
-                'username' => substr(strtok($email, '@'), 0, 8) . '_' . str_random(6),
+                'username' => $username . str_random(3),
                'name_first' => 'Server',
                'name_last' => 'Subuser',
                'root_admin' => false,