🔒 Don't disclose if account exists when resetting passwords, closes pterodactyl#358

Author: DaneEveritt

CHANGELOG.md

@@ -12,6 +12,7 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 ### Changed
 * Subuser permissions are now stored in `Permission::list()` to make views way cleaner and make adding to views significantly cleaner.
 * `[pre.7]` — Sidebar for file manager now is a single link rather than a dropdown.
+* Attempting to reset a password for an account that does not exist no longer returns an error, rather it displays a success message. Failed resets trigger a `Pterodactyl\Events\Auth\FailedPasswordReset` event that can be caught if needed to perform other actions.
 
 ## v0.6.0-pre.7 (Courageous Carniadactylus)
 ### Fixed

app/Events/Auth/FailedPasswordReset.php

@@ -0,0 +1,59 @@
+<?php
+/**
+ * Pterodactyl - Panel
+ * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace Pterodactyl\Events\Auth;
+
+use Illuminate\Queue\SerializesModels;
+
+class FailedPasswordReset
+{
+    use SerializesModels;
+
+    /**
+     * The IP that the request originated from.
+     *
+     * @var string
+     */
+    public $ip;
+
+    /**
+     * The email address that was used when the reset request failed.
+     *
+     * @var string
+     */
+    public $email;
+
+    /**
+     * Create a new event instance.
+     *
+     * @param  string  $ip
+     * @param  string  $email
+     * @return void
+     */
+    public function __construct($ip, $email)
+    {
+        $this->ip = $ip;
+        $this->email = $email;
+    }
+}

app/Http/Controllers/Auth/ForgotPasswordController.php

@@ -1,8 +1,33 @@
 <?php
+/**
+ * Pterodactyl - Panel
+ * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
 
 namespace Pterodactyl\Http\Controllers\Auth;
 
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Password;
 use Pterodactyl\Http\Controllers\Controller;
+use Pterodactyl\Events\Auth\FailedPasswordReset;
 use Illuminate\Foundation\Auth\SendsPasswordResetEmails;
 
 class ForgotPasswordController extends Controller
@@ -29,4 +54,21 @@ public function __construct()
     {
         $this->middleware('guest');
     }
+
+    /**
+     * Get the response for a failed password reset link.
+     *
+     * @param  \Illuminate\Http\Request
+     * @param  string  $response
+     * @return \Illuminate\Http\RedirectResponse
+     */
+    protected function sendResetLinkFailedResponse(Request $request, $response)
+    {
+        // As noted in #358 we will return success even if it failed
+        // to avoid pointing out that an account does or does not
+        // exist on the system.
+        event(new FailedPasswordReset($request->ip(), $request->only('email')));
+
+        return $this->sendResetLinkResponse(Password::RESET_LINK_SENT);
+    }
 }

composer.json

@@ -12,7 +12,7 @@
     ],
     "require": {
         "php": ">=5.6.4",
-        "laravel/framework": "5.3.21",
+        "laravel/framework": "5.3.31",
         "barryvdh/laravel-debugbar": "2.2.3",
         "doctrine/dbal": "2.5.5",
         "guzzlehttp/guzzle": "6.2.2",