Add togglable 2FA user requirements (pterodactyl#635)

Author: lancepioch

app/Http/Controllers/Admin/BaseController.php

@@ -93,6 +93,7 @@ public function getSettings()
     public function postSettings(BaseFormRequest $request)
     {
         $this->settings->set('company', $request->input('company'));
+        $this->settings->set('2fa', $request->input('2fa'));
 
         $this->alert->success('Settings have been successfully updated.')->flash();
 

app/Http/Kernel.php

@@ -37,6 +37,7 @@ class Kernel extends HttpKernel
             \Pterodactyl\Http\Middleware\VerifyCsrfToken::class,
             \Illuminate\Routing\Middleware\SubstituteBindings::class,
             \Pterodactyl\Http\Middleware\LanguageMiddleware::class,
+            \Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication::class,
         ],
         'api' => [
             \Pterodactyl\Http\Middleware\HMACAuthorization::class,

app/Http/Middleware/RequireTwoFactorAuthentication.php

@@ -0,0 +1,115 @@
+<?php
+/**
+ * Pterodactyl - Panel
+ * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace Pterodactyl\Http\Middleware;
+
+use Closure;
+use Krucas\Settings\Settings;
+use Prologue\Alerts\AlertsMessageBag;
+
+class RequireTwoFactorAuthentication
+{
+    const LEVEL_NONE = 0;
+    const LEVEL_ADMIN = 1;
+    const LEVEL_ALL = 2;
+
+    /**
+     * @var \Prologue\Alerts\AlertsMessageBag
+     */
+    protected $alert;
+
+    /**
+     * @var \Krucas\Settings\Settings
+     */
+    protected $settings;
+
+    /**
+     * All TOTP related routes.
+     *
+     * @var array
+     */
+    protected $ignoreRoutes = [
+            'account.security',
+            'account.security.revoke',
+            'account.security.totp',
+            'account.security.totp.set',
+            'account.security.totp.disable',
+            'auth.totp',
+            'auth.logout',
+    ];
+
+    /**
+     * RequireTwoFactorAuthentication constructor.
+     *
+     * @param \Prologue\Alerts\AlertsMessageBag $alert
+     * @param \Krucas\Settings\Settings         $settings
+     */
+    public function __construct(AlertsMessageBag $alert, Settings $settings)
+    {
+        $this->alert = $alert;
+        $this->settings = $settings;
+    }
+
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        // Ignore non-users
+        if (! $request->user()) {
+            return $next($request);
+        }
+
+        // Skip the 2FA pages
+        if (in_array($request->route()->getName(), $this->ignoreRoutes)) {
+            return $next($request);
+        }
+
+        // Get the setting
+        switch ((int) $this->settings->get('2fa', 0)) {
+            case self::LEVEL_NONE:
+                return $next($request);
+
+            case self::LEVEL_ADMIN:
+                if (! $request->user()->root_admin) {
+                    return $next($request);
+                }
+                break;
+
+            case self::LEVEL_ALL:
+                if ($request->user()->use_totp) {
+                    return $next($request);
+                }
+                break;
+        }
+
+        $this->alert->danger('The administrator has required 2FA to be enabled. You must enable it before you can do any other action.')->flash();
+
+        return redirect()->route('account.security');
+    }
+}

public/themes/pterodactyl/css/pterodactyl.css

@@ -346,6 +346,10 @@ span[aria-labelledby="select2-pUserId-container"] {
     line-height: 1.5;
 }
 
+.btn.active, .btn.active.focus {
+    background-color: #408fec;
+}
+
 .strong {
     font-weight: bold !important;
 }

resources/themes/pterodactyl/admin/settings.blade.php

@@ -66,6 +66,23 @@
                                 <p class="text-muted"><small>This is the default language that all clients will use unless they manually change it.</small></p>
                             </div>
                         </div> --}}
+                        <div class="form-group col-md-6">
+                            <label class="control-label">2FA Required</label>
+                            <div>
+                                <div class="btn-group" data-toggle="buttons">
+                                    <label class="btn btn-primary @if (old('2fa', Settings::get('2fa', 0)) == 0) active @endif">
+                                        <input type="radio" name="2fa" autocomplete="off" value="0" @if (old('2fa', Settings::get('2fa', 0)) == 0) checked @endif> Nobody
+                                    </label>
+                                    <label class="btn btn-primary @if (old('2fa', Settings::get('2fa', 0)) == 1) active @endif">
+                                        <input type="radio" name="2fa" autocomplete="off" value="1" @if (old('2fa', Settings::get('2fa', 0)) == 1) checked @endif> Admins
+                                    </label>
+                                    <label class="btn btn-primary @if (old('2fa', Settings::get('2fa', 0)) == 2) active @endif">
+                                        <input type="radio" name="2fa" autocomplete="off" value="2" @if (old('2fa', Settings::get('2fa', 0)) == 2) checked @endif> Everybody
+                                    </label>
+                                </div>
+                                <p class="text-muted"><small>Require your administrators or users to have 2FA enabled. Users include Admins. Everybody includes Sub Users.</small></p>
+                            </div>
+                        </div>
                     </div>
                     <div class="row">
                         <div class="col-md-12">

routes/base.php

@@ -69,7 +69,7 @@
 
     Route::put('/totp', 'SecurityController@generateTotp')->name('account.security.totp');
 
-    Route::post('/totp', 'SecurityController@setTotp');
+    Route::post('/totp', 'SecurityController@setTotp')->name('account.security.totp.set');
 
-    Route::delete('/totp', 'SecurityController@disableTotp');
+    Route::delete('/totp', 'SecurityController@disableTotp')->name('account.security.totp.disable');
 });