Better 2FA implementation on logins

Author: DaneEveritt

CHANGELOG.md

@@ -18,8 +18,7 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 ### Changed
 * Admin API and base routes for user management now define the fields that should be passed to repositories rather than passing all fields.
 * User model now defines mass assignment fields using `$fillable` rather than `$guarded`.
-
-### Deprecated
+* 2FA checkpoint on login is now its own page, and not an AJAX based call. Improves security on that front.
 
 ## v0.5.6 (Bodacious Boreopterus)
 ### Added

app/Http/Controllers/Auth/LoginController.php

@@ -27,6 +27,7 @@
 
 use Auth;
 use Alert;
+use Cache;
 use Illuminate\Http\Request;
 use Pterodactyl\Models\User;
 use PragmaRX\Google2FA\Google2FA;
@@ -110,33 +111,62 @@ public function login(Request $request)
         }
 
         // Verify TOTP Token was Valid
-        if (Auth::user()->use_totp === 1) {
-            $G2FA = new Google2FA();
-            if (is_null($request->input('totp_token')) || ! $G2FA->verifyKey(Auth::user()->totp_secret, $request->input('totp_token'))) {
-                if (! $lockedOut) {
-                    $this->incrementLoginAttempts($request);
-                }
+        if (Auth::user()->use_totp) {
+            $verifyKey = str_random(64);
+            Cache::put($verifyKey, Auth::user()->id, 5);
 
-                Alert::danger(trans('auth.totp_failed'))->flash();
+            return redirect()->route('auth.totp')->with('authentication_token', $verifyKey);
+        } else {
+            Auth::login(Auth::user(), $request->has('remember'));
 
-                return $this->sendFailedLoginResponse($request);
-            }
+            return $this->sendLoginResponse($request);
         }
+    }
+
+    public function totp(Request $request)
+    {
+        $verifyKey = $request->session()->get('authentication_token');
 
-        // Successfully Authenticated.
-        Auth::login(Auth::user(), $request->has('remember'));
+        if (is_null($verifyKey) || Auth::user()) {
+            return redirect()->route('auth.login');
+        }
 
-        return $this->sendLoginResponse($request);
+        return view('auth.totp', [
+            'verify_key' => $verifyKey,
+            'remember' => $request->has('remember'),
+        ]);
     }
 
-    /**
-     * Check if the provided user has TOTP enabled.
-     *
-     * @param  \Illuminate\Http\Request  $request
-     * @return \Illuminate\Http\Response
-     */
-    public function checkTotp(Request $request)
+    public function totpCheckpoint(Request $request)
     {
-        return response()->json(User::select('id')->where('email', $request->input('email'))->where('use_totp', 1)->first());
+        $G2FA = new Google2FA();
+
+        if (is_null($request->input('verify_token'))) {
+            $this->incrementLoginAttempts($request);
+            Alert::danger(trans('auth.totp_failed'))->flash();
+
+            return redirect()->route('auth.login');
+        }
+
+        $user = User::where('id', Cache::pull($request->input('verify_token')))->first();
+        if (! $user) {
+            $this->incrementLoginAttempts($request);
+            Alert::danger(trans('auth.totp_failed'))->flash();
+
+            return redirect()->route('auth.login');
+        }
+
+
+        if (! is_null($request->input('2fa_token')) && $G2FA->verifyKey($user->totp_secret, $request->input('2fa_token'))) {
+            Auth::login($user, $request->has('remember'));
+
+            return redirect()->intended($this->redirectPath());
+        } else {
+            $this->incrementLoginAttempts($request);
+            Alert::danger(trans('auth.2fa_failed'))->flash();
+
+            return redirect()->route('auth.login');
+        }
     }
+
 }

app/Http/Routes/AuthRoutes.php

@@ -51,9 +51,13 @@ public function map(Router $router)
                 'uses' => 'Auth\LoginController@login',
             ]);
 
-            // Determine if we need to ask for a TOTP Token
+            $router->get('login/totp', [
+                'as' => 'auth.totp',
+                'uses' => 'Auth\LoginController@totp',
+            ]);
+
             $router->post('login/totp', [
-                'uses' => 'Auth\LoginController@checkTotp',
+                'uses' => 'Auth\LoginController@totpCheckpoint',
             ]);
 
             // Show Password Reset Form

resources/lang/en/auth.php

@@ -15,4 +15,6 @@
     'throttle' => 'Too many login attempts. Please try again in :seconds seconds.',
     'password_requirements' => 'Passwords must contain at least one uppercase, lowecase, and numeric character and must be at least 8 characters in length.',
     'request_reset' => 'Locate Account',
+    '2fa_required' => '2-Factor Authentication',
+    '2fa_failed' => 'The 2FA token provided was invalid.',
 ];

resources/themes/pterodactyl/auth/totp.blade.php

@@ -0,0 +1,46 @@
+{{-- Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com> --}}
+
+{{-- Permission is hereby granted, free of charge, to any person obtaining a copy --}}
+{{-- of this software and associated documentation files (the "Software"), to deal --}}
+{{-- in the Software without restriction, including without limitation the rights --}}
+{{-- to use, copy, modify, merge, publish, distribute, sublicense, and/or sell --}}
+{{-- copies of the Software, and to permit persons to whom the Software is --}}
+{{-- furnished to do so, subject to the following conditions: --}}
+
+{{-- The above copyright notice and this permission notice shall be included in all --}}
+{{-- copies or substantial portions of the Software. --}}
+
+{{-- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR --}}
+{{-- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, --}}
+{{-- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE --}}
+{{-- AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER --}}
+{{-- LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, --}}
+{{-- OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE --}}
+{{-- SOFTWARE. --}}
+@extends('layouts.auth')
+
+@section('title')
+    2FA Checkpoint
+@endsection
+
+@section('content')
+<div class="login-box-body">
+    <p class="login-box-msg">@lang('auth.2fa_required')</p>
+    <form action="{{ route('auth.totp') }}" method="POST">
+        <div class="form-group">
+            <input type="text" name="2fa_token" class="form-control" placeholder="@lang('strings.2fa_token')">
+            <span class="fa fa-lock form-control-feedback"></span>
+        </div>
+        <div class="row">
+            <div class="col-xs-12">
+                {!! csrf_field() !!}
+                <input type="hidden" name="verify_token" value="{{ $verify_key }}" />
+                @if($remember)
+                    <input type="hidden" name="remember" value="true" />
+                @endif
+                <button type="submit" class="btn btn-primary btn-block btn-flat">@lang('strings.submit')</button>
+            </div>
+        </div>
+    </form>
+</div>
+@endsection