forked from pterodactyl/panel
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathAuthController.php
More file actions
124 lines (103 loc) · 3.66 KB
/
AuthController.php
File metadata and controls
124 lines (103 loc) · 3.66 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
<?php
namespace Pterodactyl\Http\Controllers\API;
use JWTAuth;
use Hash;
use Validator;
use Tymon\JWTAuth\Exceptions\JWTException;
use Dingo\Api\Exception\StoreResourceFailedException;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\HttpKernel\Exception\ServiceUnavailableHttpException;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
use Illuminate\Http\Request;
use Illuminate\Foundation\Auth\ThrottlesLogins;
use Illuminate\Foundation\Auth\AuthenticatesAndRegistersUsers;
use Pterodactyl\Transformers\UserTransformer;
use Pterodactyl\Models;
/**
* @Resource("Auth")
*/
class AuthController extends BaseController
{
use AuthenticatesAndRegistersUsers, ThrottlesLogins;
/**
* Lockout time for failed login requests.
*
* @var integer
*/
protected $lockoutTime = 120;
/**
* After how many attempts should logins be throttled and locked.
*
* @var integer
*/
protected $maxLoginAttempts = 3;
/**
* Create a new authentication controller instance.
*
* @return void
*/
public function __construct()
{
//
}
/**
* Authenticate
*
* Authenticate with the API to recieved a JSON Web Token
*
* @Post("/auth/login")
* @Versions({"v1"})
* @Request({"email": "e@mail.com", "password": "soopersecret"})
* @Response(200, body={"token": "<jwt-token>"})
*/
public function postLogin(Request $request) {
$validator = Validator::make($request->only(['email', 'password']), [
'email' => 'required|email',
'password' => 'required|min:8'
]);
if ($validator->fails()) {
throw new StoreResourceFailedException('Required authentication fields were invalid.', $validator->errors());
}
$throttled = $this->isUsingThrottlesLoginsTrait();
if ($throttled && $this->hasTooManyLoginAttempts($request)) {
throw new TooManyRequestsHttpException('You have been login throttled for 120 seconds.');
}
// Is the email & password valid?
$user = Models\User::where('email', $request->input('email'))->first();
if (!$user || !Hash::check($request->input('password'), $user->password)) {
if ($throttled) {
$this->incrementLoginAttempts($request);
}
throw new UnauthorizedHttpException('A user by those credentials was not found.');
}
// @TODO: validate TOTP if enabled on account?
// Perhaps this could be implemented in such a way that they login to their
// account and generate a one time password that can be used? Would be a pain in
// the butt for multiple API requests though. Maybe just included a 'totp' field
// that can include the token for that timestamp. Would allow for programtic
// generation of the code and API requests.
if ($user->root_admin !== 1) {
throw new UnauthorizedHttpException('This account does not have permission to interface this API.');
}
try {
$token = JWTAuth::fromUser($user);
if (!$token) {
throw new UnauthorizedHttpException('');
}
} catch (JWTException $ex) {
throw new ServiceUnavailableHttpException('');
}
return compact('token');
}
/**
* Check if Authenticated
*
* @Post("/auth/validate")
* @Versions({"v1"})
* @Request(headers={"Authorization": "Bearer <jwt-token>"})
* @Response(204)
*/
public function postValidate(Request $request) {
return $this->response->noContent();
}
}