Refactor auth controllers to be cleaner and easier to maintain

Author: DaneEveritt

app/Http/Controllers/Auth/AbstractLoginController.php

@@ -0,0 +1,151 @@
+<?php
+
+namespace Pterodactyl\Http\Controllers\Auth;
+
+use Illuminate\Http\Request;
+use Illuminate\Auth\AuthManager;
+use Illuminate\Http\JsonResponse;
+use PragmaRX\Google2FA\Google2FA;
+use Illuminate\Auth\Events\Failed;
+use Pterodactyl\Exceptions\DisplayException;
+use Pterodactyl\Http\Controllers\Controller;
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Contracts\Encryption\Encrypter;
+use Illuminate\Foundation\Auth\AuthenticatesUsers;
+use Illuminate\Contracts\Cache\Repository as CacheRepository;
+use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
+
+abstract class AbstractLoginController extends Controller
+{
+    use AuthenticatesUsers;
+
+    /**
+     * @var \Illuminate\Auth\AuthManager
+     */
+    protected $auth;
+
+    /**
+     * @var \Illuminate\Contracts\Cache\Repository
+     */
+    protected $cache;
+
+    /**
+     * @var \Illuminate\Contracts\Encryption\Encrypter
+     */
+    protected $encrypter;
+
+    /**
+     * @var \PragmaRX\Google2FA\Google2FA
+     */
+    protected $google2FA;
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\UserRepositoryInterface
+     */
+    protected $repository;
+
+    /**
+     * Lockout time for failed login requests.
+     *
+     * @var int
+     */
+    protected $lockoutTime;
+
+    /**
+     * After how many attempts should logins be throttled and locked.
+     *
+     * @var int
+     */
+    protected $maxLoginAttempts;
+
+    /**
+     * Where to redirect users after login / registration.
+     *
+     * @var string
+     */
+    protected $redirectTo = '/';
+
+    /**
+     * LoginController constructor.
+     *
+     * @param \Illuminate\Auth\AuthManager                              $auth
+     * @param \Illuminate\Contracts\Cache\Repository                    $cache
+     * @param \Illuminate\Contracts\Encryption\Encrypter                $encrypter
+     * @param \PragmaRX\Google2FA\Google2FA                             $google2FA
+     * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $repository
+     */
+    public function __construct(
+        AuthManager $auth,
+        CacheRepository $cache,
+        Encrypter $encrypter,
+        Google2FA $google2FA,
+        UserRepositoryInterface $repository
+    ) {
+        $this->auth = $auth;
+        $this->cache = $cache;
+        $this->encrypter = $encrypter;
+        $this->google2FA = $google2FA;
+        $this->repository = $repository;
+
+        $this->lockoutTime = config('auth.lockout.time');
+        $this->maxLoginAttempts = config('auth.lockout.attempts');
+    }
+
+    /**
+     * Get the failed login response instance.
+     *
+     * @param \Illuminate\Http\Request                        $request
+     * @param \Illuminate\Contracts\Auth\Authenticatable|null $user
+     *
+     * @throws \Pterodactyl\Exceptions\DisplayException
+     */
+    protected function sendFailedLoginResponse(Request $request, Authenticatable $user = null)
+    {
+        $this->incrementLoginAttempts($request);
+        $this->fireFailedLoginEvent($user, [
+            $this->getField($request->input('user')) => $request->input('user'),
+        ]);
+
+        throw new DisplayException(trans('auth.failed'));
+    }
+
+    /**
+     * Send the response after the user was authenticated.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @return \Illuminate\Http\JsonResponse
+     */
+    protected function sendLoginResponse(Request $request): JsonResponse
+    {
+        $request->session()->regenerate();
+
+        $this->clearLoginAttempts($request);
+
+        return $this->authenticated($request, $this->guard()->user())
+            ?: response()->json([
+                'intended' => $this->redirectPath(),
+            ]);
+    }
+
+    /**
+     * Determine if the user is logging in using an email or username,.
+     *
+     * @param string $input
+     * @return string
+     */
+    protected function getField(string $input = null): string
+    {
+        return str_contains($input, '@') ? 'email' : 'username';
+    }
+
+    /**
+     * Fire a failed login event.
+     *
+     * @param \Illuminate\Contracts\Auth\Authenticatable|null $user
+     * @param array                                           $credentials
+     */
+    protected function fireFailedLoginEvent(Authenticatable $user = null, array $credentials = [])
+    {
+        event(new Failed($user, $credentials));
+    }
+}

app/Http/Controllers/Auth/ForgotPasswordController.php

@@ -29,4 +29,17 @@ protected function sendResetLinkFailedResponse(Request $request, $response): Red
 
         return $this->sendResetLinkResponse(Password::RESET_LINK_SENT);
     }
+
+    /**
+     * Get the response for a successful password reset link.
+     *
+     * @param string $response
+     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\JsonResponse
+     */
+    protected function sendResetLinkResponse($response)
+    {
+        return response()->json([
+            'status' => trans($response),
+        ]);
+    }
 }

app/Http/Controllers/Auth/LoginCheckpointController.php

@@ -0,0 +1,47 @@
+<?php
+
+namespace Pterodactyl\Http\Controllers\Auth;
+
+use Illuminate\Http\JsonResponse;
+use Pterodactyl\Http\Requests\Auth\LoginCheckpointRequest;
+use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
+
+class LoginCheckpointController extends AbstractLoginController
+{
+    /**
+     * Handle a login where the user is required to provide a TOTP authentication
+     * token. In order to add additional layers of security, users are not
+     * informed of an incorrect password until this stage, forcing them to
+     * provide a token on each login attempt.
+     *
+     * @param \Pterodactyl\Http\Requests\Auth\LoginCheckpointRequest $request
+     * @return \Illuminate\Http\JsonResponse
+     *
+     * @throws \Pterodactyl\Exceptions\DisplayException
+     */
+    public function index(LoginCheckpointRequest $request): JsonResponse
+    {
+        try {
+            $cache = $this->cache->pull($request->input('confirmation_token'), []);
+            $user = $this->repository->find(array_get($cache, 'user_id', 0));
+        } catch (RecordNotFoundException $exception) {
+            return $this->sendFailedLoginResponse($request);
+        }
+
+        if (! array_get($cache, 'valid_credentials') || array_get($cache, 'request_ip') !== $request->ip()) {
+            return $this->sendFailedLoginResponse($request, $user);
+        }
+
+        if (! $this->google2FA->verifyKey(
+            $this->encrypter->decrypt($user->totp_secret),
+            $request->input('authentication_code'),
+            config('pterodactyl.auth.2fa.window')
+        )) {
+            return $this->sendFailedLoginResponse($request, $user);
+        }
+
+        $this->authManager->guard()->login($user, true);
+
+        return $this->sendLoginResponse($request);
+    }
+}