Block API access when 2FA is required on account; closes #2791

2020-12-06 13:56:14 -08:00 · 2020-12-06 13:56:14 -08:00 · d22456d9ca
commit d22456d9ca
parent 5d23d894ae
8 changed files with 101 additions and 40 deletions
--- a/app/Exceptions/Http/TwoFactorAuthRequiredException.php
+++ b/app/Exceptions/Http/TwoFactorAuthRequiredException.php
@ -0,0 +1,21 @@
+<?php
+
+namespace Pterodactyl\Exceptions\Http;
+
+use Throwable;
+use Illuminate\Http\Response;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;
+
+class TwoFactorAuthRequiredException extends HttpException implements HttpExceptionInterface
+{
+    /**
+     * TwoFactorAuthRequiredException constructor.
+     *
+     * @param \Throwable|null $previous
+     */
+    public function __construct(Throwable $previous = null)
+    {
+        parent::__construct(Response::HTTP_BAD_REQUEST, "Two-factor authentication is required on this account in order to access this endpoint.", $previous);
+    }
+}
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -84,6 +84,12 @@ class Kernel extends HttpKernel
            SubstituteClientApiBindings::class,
            'api..key:' . ApiKey::TYPE_ACCOUNT,
            AuthenticateIPAccess::class,
+            // This is perhaps a little backwards with the Client API, but logically you'd be unable
+            // to create/get an API key without first enabling 2FA on the account, so I suppose in the
+            // end it makes sense.
+            //
+            // You just wouldn't be authenticating with the API by providing a 2FA token.
+            RequireTwoFactorAuthentication::class,
        ],
        'daemon' => [
            SubstituteBindings::class,
--- a/app/Http/Middleware/RequireTwoFactorAuthentication.php
+++ b/app/Http/Middleware/RequireTwoFactorAuthentication.php
@ -1,11 +1,4 @@
 <?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
- *
- * This software is licensed under the terms of the MIT license.
- * https://opensource.org/licenses/MIT
- */

 namespace Pterodactyl\Http\Middleware;

@ -13,6 +6,7 @@ use Closure;
 use Illuminate\Support\Str;
 use Illuminate\Http\Request;
 use Prologue\Alerts\AlertsMessageBag;
+use Pterodactyl\Exceptions\Http\TwoFactorAuthRequiredException;

 class RequireTwoFactorAuthentication
 {
@ -30,7 +24,7 @@ class RequireTwoFactorAuthentication
     *
     * @var string
     */
-    protected $redirectRoute = 'account';
+    protected $redirectRoute = '/account';

    /**
     * RequireTwoFactorAuthentication constructor.
@ -43,41 +37,46 @@ class RequireTwoFactorAuthentication
    }

    /**
-     * Handle an incoming request.
+     * Check the user state on the incoming request to determine if they should be allowed to
+     * proceed or not. This checks if the Panel is configured to require 2FA on an account in
+     * order to perform actions. If so, we check the level at which it is required (all users
+     * or just admins) and then check if the user has enabled it for their account.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed
+     *
+     * @throws \Pterodactyl\Exceptions\Http\TwoFactorAuthRequiredException
     */
    public function handle(Request $request, Closure $next)
    {
-        if (! $request->user()) {
-            return $next($request);
-        }
-
+        /** @var \Pterodactyl\Models\User $user */
+        $user = $request->user();
+        $uri = rtrim($request->getRequestUri(), '/') . '/';
        $current = $request->route()->getName();
-        if (in_array($current, ['auth', 'account']) || Str::startsWith($current, ['auth.', 'account.'])) {
+
+        if (! $user || Str::startsWith($uri, ['/auth/']) || Str::startsWith($current, ['auth.', 'account.'])) {
            return $next($request);
        }

-        switch ((int) config('pterodactyl.auth.2fa_required')) {
-            case self::LEVEL_ADMIN:
-                if (! $request->user()->root_admin || $request->user()->use_totp) {
-                    return $next($request);
-                }
-                break;
-            case self::LEVEL_ALL:
-                if ($request->user()->use_totp) {
-                    return $next($request);
-                }
-                break;
-            case self::LEVEL_NONE:
-            default:
-                return $next($request);
+        $level = (int)config('pterodactyl.auth.2fa_required');
+        // If this setting is not configured, or the user is already using 2FA then we can just
+        // send them right through, nothing else needs to be checked.
+        //
+        // If the level is set as admin and the user is not an admin, pass them through as well.
+        if ($level === self::LEVEL_NONE || $user->use_totp) {
+            return $next($request);
+        } else if ($level === self::LEVEL_ADMIN && ! $user->root_admin) {
+            return $next($request);
+        }
+
+        // For API calls return an exception which gets rendered nicely in the API response.
+        if ($request->isJson() || Str::startsWith($uri, '/api/')) {
+            throw new TwoFactorAuthRequiredException;
        }

        $this->alert->danger(trans('auth.2fa_must_be_enabled'))->flash();

-        return redirect()->route($this->redirectRoute);
+        return redirect()->to($this->redirectRoute);
    }
 }