<?php
namespace Pterodactyl\Http\Controllers\Api\Remote;
use Illuminate\Http\Request;
use Illuminate\Http\JsonResponse;
use Pterodactyl\Models\Permission;
use Pterodactyl\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\ThrottlesLogins;
use Pterodactyl\Repositories\Eloquent\UserRepository;
use Pterodactyl\Exceptions\Http\HttpForbiddenException;
use Pterodactyl\Repositories\Eloquent\ServerRepository;
use Pterodactyl\Services\Servers\GetUserPermissionsService;
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Pterodactyl\Http\Requests\Api\Remote\SftpAuthenticationFormRequest;
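class SftpAuthenticationController extends Controller
{
    use ThrottlesLogins;

    /**
     * @var \Pterodactyl\Repositories\Eloquent\UserRepository
     */
    private $userRepository;

    /**
     * @var \Pterodactyl\Repositories\Eloquent\ServerRepository
     */
    private $serverRepository;

    /**
     * @var \Pterodactyl\Services\Servers\GetUserPermissionsService
     */
    private $permissionsService;

    /**
     * SftpAuthenticationController constructor.
     *
     * @param \Pterodactyl\Services\Servers\GetUserPermissionsService $permissionsService
     * @param \Pterodactyl\Repositories\Eloquent\UserRepository $userRepository
     * @param \Pterodactyl\Repositories\Eloquent\ServerRepository $serverRepository
     */
    public function __construct(
        GetUserPermissionsService $permissionsService,
        UserRepository $userRepository,
        ServerRepository $serverRepository
    ) {
        $this->userRepository = $userRepository;
        $this->serverRepository = $serverRepository;
        $this->permissionsService = $permissionsService;
    }

    /**
     * Authenticate a set of credentials and return the associated server details
     * for a SFTP connection on the daemon.
     *
     * Every failure caused by the supplied credentials (unknown username, unknown
     * server, wrong password, server living on a different node) is reported with
     * the same 403 response and message, so the status code cannot be used to tell
     * valid usernames or server identifiers apart from invalid ones.
     *
     * @param \Pterodactyl\Http\Requests\Api\Remote\SftpAuthenticationFormRequest $request
     * @return \Illuminate\Http\JsonResponse
     *
     * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
     * @throws \Pterodactyl\Exceptions\Http\HttpForbiddenException
     * @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
     */
    public function __invoke(SftpAuthenticationFormRequest $request): JsonResponse
    {
        $connection = $this->parseUsername($request->input('username'));

        // Every attempt, successful or not, counts against the throttle key and the
        // limit is enforced before any database lookup happens.
        $this->incrementLoginAttempts($request);
        if ($this->hasTooManyLoginAttempts($request)) {
            return JsonResponse::create([
                'error' => 'Too many logins attempted too quickly.',
            ], JsonResponse::HTTP_TOO_MANY_REQUESTS);
        }

        /** @var \Pterodactyl\Models\Node $node */
        $node = $request->attributes->get('node');

        // A username with no server segment can never be valid; this does not depend
        // on any stored record, so a 404 reveals nothing.
        if (empty($connection['server'])) {
            throw new NotFoundHttpException;
        }

        try {
            /** @var \Pterodactyl\Models\User $user */
            $user = $this->userRepository->findFirstWhere([
                ['username', '=', $connection['username']],
            ]);
            $server = $this->serverRepository->getByUuid($connection['server']);
        } catch (RecordNotFoundException $exception) {
            // A missing user or server used to surface as a 404 while a wrong password
            // was a 403, which let a caller enumerate valid usernames and server UUIDs.
            // Report both exactly like a bad password instead.
            throw new HttpForbiddenException(
                'Authorization credentials were not correct, please try again.'
            );
        }

        if (! password_verify($request->input('password'), $user->password) || $server->node_id !== $node->id) {
            throw new HttpForbiddenException(
                'Authorization credentials were not correct, please try again.'
            );
        }

        // Root admins and the server owner are implicitly allowed; anyone else must hold
        // the SFTP permission explicitly. Strict comparison: permissions are strings.
        if (! $user->root_admin && $server->owner_id !== $user->id) {
            $permissions = $this->permissionsService->handle($server, $user);
            if (! in_array(Permission::ACTION_FILE_SFTP, $permissions, true)) {
                throw new HttpForbiddenException(
                    'You do not have permission to access SFTP for this server.'
                );
            }
        }

        // Remember, for security purposes, only reveal the existence of the server to people that
        // have provided valid credentials, and have permissions to know about it.
        if ($server->installed !== 1 || $server->suspended) {
            throw new BadRequestHttpException(
                'Server is not installed or is currently suspended.'
            );
        }

        return JsonResponse::create([
            'server' => $server->uuid,
            // Deprecated, but still needed at the moment for Wings.
            'token' => '',
            'permissions' => $permissions ?? ['*'],
        ]);
    }

    /**
     * Split an SFTP login name of the form "<username>.<server>" into its parts.
     *
     * The split happens on the LAST period so that usernames which themselves
     * contain periods survive intact. A value with no period yields an empty
     * server segment; a null value yields two empty segments.
     *
     * @param string|null $username
     * @return array{username: string, server: string}
     */
    private function parseUsername($username): array
    {
        // Reverse the string to avoid issues with usernames that contain periods.
        $parts = explode('.', strrev($username), 2);

        // Unreverse the strings after parsing them apart.
        return [
            'username' => strrev(array_get($parts, 1)),
            'server' => strrev(array_get($parts, 0)),
        ];
    }

    /**
     * Get the throttle key for the given request.
     *
     * The key combines the segment after the last period of the submitted login
     * name (the server part, per parseUsername's layout) with the client IP, so
     * attempts are bucketed per target server and source address rather than
     * per user.
     *
     * @param \Illuminate\Http\Request $request
     * @return string
     */
    protected function throttleKey(Request $request)
    {
        $username = explode('.', strrev($request->input('username', '')));

        return strtolower(strrev($username[0] ?? '') . '|' . $request->ip());
    }
}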