Merge branch 'feature/react' into develop

Author: DaneEveritt

.gitignore

@@ -12,7 +12,7 @@ node_modules
 _ide_helper.php
 .phpstorm.meta.php
 .php_cs.cache
-public/assets/*
+public/assets/manifest.json
 
 # For local development with docker
 # Remove if we ever put the Dockerfile in the repo

CHANGELOG.md

@@ -3,6 +3,21 @@ This file is a running track of new features and fixes to each version of the pa
 
 This project follows [Semantic Versioning](http://semver.org) guidelines.
 
+## v0.7.14 (Derelict Dermodactylus)
+### Fixed
+* **[SECURITY]** Fixes an XSS vulnerability when performing certain actions in the file manager.
+* **[SECURITY]** Attempting to login as a user who has 2FA enabled will no longer request the 2FA token before validating
+that their password is correct. This closes a user existence leak that would expose that an account exists if
+it had 2FA enabled.
+
+### Changed
+* Support for setting a node to listen on ports lower than 1024.
+* QR code URLs are now generated without the use of an external library to reduce the dependency tree.
+* Regenerated database passwords now respect the same settings that were used when initially created.
+* Cleaned up 2FA QR code generation to use a more up-to-date library and API.
+* Console charts now properly start at 0 and scale based on server configuration. No more crazy spikes that
+are due to a change of one unit.
+
 ## v0.7.13 (Derelict Dermodactylus)
 ### Fixed
 * Fixes a bug with the location update API endpoint throwing an error due to an unexected response value.

app/Http/Controllers/Auth/AbstractLoginController.php

@@ -6,45 +6,17 @@
 use Pterodactyl\Models\User;
 use Illuminate\Auth\AuthManager;
 use Illuminate\Http\JsonResponse;
-use PragmaRX\Google2FA\Google2FA;
 use Illuminate\Auth\Events\Failed;
+use Illuminate\Contracts\Config\Repository;
 use Pterodactyl\Exceptions\DisplayException;
 use Pterodactyl\Http\Controllers\Controller;
 use Illuminate\Contracts\Auth\Authenticatable;
-use Illuminate\Contracts\Encryption\Encrypter;
 use Illuminate\Foundation\Auth\AuthenticatesUsers;
-use Illuminate\Contracts\Cache\Repository as CacheRepository;
-use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
 
 abstract class AbstractLoginController extends Controller
 {
     use AuthenticatesUsers;
 
-    /**
-     * @var \Illuminate\Auth\AuthManager
-     */
-    protected $auth;
-
-    /**
-     * @var \Illuminate\Contracts\Cache\Repository
-     */
-    protected $cache;
-
-    /**
-     * @var \Illuminate\Contracts\Encryption\Encrypter
-     */
-    protected $encrypter;
-
-    /**
-     * @var \PragmaRX\Google2FA\Google2FA
-     */
-    protected $google2FA;
-
-    /**
-     * @var \Pterodactyl\Contracts\Repository\UserRepositoryInterface
-     */
-    protected $repository;
-
     /**
      * Lockout time for failed login requests.
      *
@@ -66,30 +38,29 @@ abstract class AbstractLoginController extends Controller
      */
     protected $redirectTo = '/';
 
+    /**
+     * @var \Illuminate\Auth\AuthManager
+     */
+    protected $auth;
+
+    /**
+     * @var \Illuminate\Contracts\Config\Repository
+     */
+    protected $config;
+
     /**
      * LoginController constructor.
      *
-     * @param \Illuminate\Auth\AuthManager                              $auth
-     * @param \Illuminate\Contracts\Cache\Repository                    $cache
-     * @param \Illuminate\Contracts\Encryption\Encrypter                $encrypter
-     * @param \PragmaRX\Google2FA\Google2FA                             $google2FA
-     * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $repository
+     * @param \Illuminate\Auth\AuthManager            $auth
+     * @param \Illuminate\Contracts\Config\Repository $config
      */
-    public function __construct(
-        AuthManager $auth,
-        CacheRepository $cache,
-        Encrypter $encrypter,
-        Google2FA $google2FA,
-        UserRepositoryInterface $repository
-    ) {
-        $this->auth = $auth;
-        $this->cache = $cache;
-        $this->encrypter = $encrypter;
-        $this->google2FA = $google2FA;
-        $this->repository = $repository;
+    public function __construct(AuthManager $auth, Repository $config)
+    {
+        $this->lockoutTime = $config->get('auth.lockout.time');
+        $this->maxLoginAttempts = $config->get('auth.lockout.attempts');
 
-        $this->lockoutTime = config('auth.lockout.time');
-        $this->maxLoginAttempts = config('auth.lockout.attempts');
+        $this->auth = $auth;
+        $this->config = $config;
     }
 
     /**
@@ -128,10 +99,12 @@ protected function sendLoginResponse(User $user, Request $request): JsonResponse
 
         $this->auth->guard()->login($user, true);
 
-        return response()->json([
-            'complete' => true,
-            'intended' => $this->redirectPath(),
-            'user' => $user->toVueObject(),
+        return JsonResponse::create([
+            'data' => [
+                'complete' => true,
+                'intended' => $this->redirectPath(),
+                'user' => $user->toVueObject(),
+            ],
         ]);
     }
 

app/Http/Controllers/Auth/ForgotPasswordController.php

@@ -33,10 +33,11 @@ protected function sendResetLinkFailedResponse(Request $request, $response): Jso
     /**
      * Get the response for a successful password reset link.
      *
-     * @param string $response
+     * @param \Illuminate\Http\Request $request
+     * @param string                   $response
      * @return \Illuminate\Http\JsonResponse
      */
-    protected function sendResetLinkResponse($response): JsonResponse
+    protected function sendResetLinkResponse(Request $request, $response): JsonResponse
     {
         return response()->json([
             'status' => trans($response),

app/Http/Controllers/Auth/LoginCheckpointController.php

@@ -2,12 +2,64 @@
 
 namespace Pterodactyl\Http\Controllers\Auth;
 
+use Illuminate\Auth\AuthManager;
 use Illuminate\Http\JsonResponse;
+use PragmaRX\Google2FA\Google2FA;
+use Illuminate\Contracts\Config\Repository;
+use Illuminate\Contracts\Encryption\Encrypter;
 use Pterodactyl\Http\Requests\Auth\LoginCheckpointRequest;
+use Illuminate\Contracts\Cache\Repository as CacheRepository;
+use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
 use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
 
 class LoginCheckpointController extends AbstractLoginController
 {
+    /**
+     * @var \Illuminate\Contracts\Cache\Repository
+     */
+    private $cache;
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\UserRepositoryInterface
+     */
+    private $repository;
+
+    /**
+     * @var \PragmaRX\Google2FA\Google2FA
+     */
+    private $google2FA;
+
+    /**
+     * @var \Illuminate\Contracts\Encryption\Encrypter
+     */
+    private $encrypter;
+
+    /**
+     * LoginCheckpointController constructor.
+     *
+     * @param \Illuminate\Auth\AuthManager                              $auth
+     * @param \Illuminate\Contracts\Encryption\Encrypter                $encrypter
+     * @param \PragmaRX\Google2FA\Google2FA                             $google2FA
+     * @param \Illuminate\Contracts\Config\Repository                   $config
+     * @param \Illuminate\Contracts\Cache\Repository                    $cache
+     * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $repository
+     */
+    public function __construct(
+        AuthManager $auth,
+        Encrypter $encrypter,
+        Google2FA $google2FA,
+        Repository $config,
+        CacheRepository $cache,
+        UserRepositoryInterface $repository
+    ) {
+        parent::__construct($auth, $config);
+
+        $this->google2FA = $google2FA;
+        $this->cache = $cache;
+        $this->repository = $repository;
+        $this->encrypter = $encrypter;
+    }
+
     /**
      * Handle a login where the user is required to provide a TOTP authentication
      * token. Once a user has reached this stage it is assumed that they have already
@@ -16,29 +68,28 @@ class LoginCheckpointController extends AbstractLoginController
      * @param \Pterodactyl\Http\Requests\Auth\LoginCheckpointRequest $request
      * @return \Illuminate\Http\JsonResponse
      *
+     * @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException
+     * @throws \PragmaRX\Google2FA\Exceptions\InvalidCharactersException
+     * @throws \PragmaRX\Google2FA\Exceptions\SecretKeyTooShortException
      * @throws \Pterodactyl\Exceptions\DisplayException
      */
     public function __invoke(LoginCheckpointRequest $request): JsonResponse
     {
         try {
-            $cache = $this->cache->pull($request->input('confirmation_token'), []);
-            $user = $this->repository->find(array_get($cache, 'user_id', 0));
+            $user = $this->repository->find(
+                $this->cache->pull($request->input('confirmation_token'), 0)
+            );
         } catch (RecordNotFoundException $exception) {
             return $this->sendFailedLoginResponse($request);
         }
 
-        if (array_get($cache, 'request_ip') !== $request->ip()) {
-            return $this->sendFailedLoginResponse($request, $user);
-        }
+        $decrypted = $this->encrypter->decrypt($user->totp_secret);
+        $window = $this->config->get('pterodactyl.auth.2fa.window');
 
-        if (! $this->google2FA->verifyKey(
-            $this->encrypter->decrypt($user->totp_secret),
-            $request->input('authentication_code'),
-            config('pterodactyl.auth.2fa.window')
-        )) {
-            return $this->sendFailedLoginResponse($request, $user);
+        if ($this->google2FA->verifyKey($decrypted, $request->input('authentication_code'), $window)) {
+            return $this->sendLoginResponse($user, $request);
         }
 
-        return $this->sendLoginResponse($user, $request);
+        return $this->sendFailedLoginResponse($request, $user);
     }
 }

app/Http/Controllers/Auth/LoginController.php

@@ -2,13 +2,57 @@
 
 namespace Pterodactyl\Http\Controllers\Auth;
 
+use Illuminate\Support\Str;
 use Illuminate\Http\Request;
+use Illuminate\Auth\AuthManager;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Contracts\View\View;
+use Illuminate\Contracts\Config\Repository;
+use Illuminate\Contracts\View\Factory as ViewFactory;
+use Illuminate\Contracts\Cache\Repository as CacheRepository;
+use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
 use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
 
 class LoginController extends AbstractLoginController
 {
+    /**
+     * @var \Illuminate\Contracts\View\Factory
+     */
+    private $view;
+
+    /**
+     * @var \Illuminate\Contracts\Cache\Repository
+     */
+    private $cache;
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\UserRepositoryInterface
+     */
+    private $repository;
+
+    /**
+     * LoginController constructor.
+     *
+     * @param \Illuminate\Auth\AuthManager                              $auth
+     * @param \Illuminate\Contracts\Config\Repository                   $config
+     * @param \Illuminate\Contracts\Cache\Repository                    $cache
+     * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $repository
+     * @param \Illuminate\Contracts\View\Factory                        $view
+     */
+    public function __construct(
+        AuthManager $auth,
+        Repository $config,
+        CacheRepository $cache,
+        UserRepositoryInterface $repository,
+        ViewFactory $view
+    ) {
+        parent::__construct($auth, $config);
+
+        $this->view = $view;
+        $this->cache = $cache;
+        $this->repository = $repository;
+    }
+
     /**
      * Handle all incoming requests for the authentication routes and render the
      * base authentication view component. Vuejs will take over at this point and
@@ -18,7 +62,7 @@ class LoginController extends AbstractLoginController
      */
     public function index(): View
     {
-        return view('templates/auth.core');
+        return $this->view->make('templates/auth.core');
     }
 
     /**
@@ -54,21 +98,20 @@ public function login(Request $request): JsonResponse
             return $this->sendFailedLoginResponse($request, $user);
         }
 
-        // If the user is using 2FA we do not actually log them in at this step, we return
-        // a one-time token to link the 2FA credentials to this account via the UI.
         if ($user->use_totp) {
-            $token = str_random(128);
-            $this->cache->put($token, [
-                'user_id' => $user->id,
-                'request_ip' => $request->ip(),
-            ], 5);
-
-            return response()->json([
-                'complete' => false,
-                'login_token' => $token,
+            $token = Str::random(64);
+            $this->cache->put($token, $user->id, 5);
+
+            return JsonResponse::create([
+                'data' => [
+                    'complete' => false,
+                    'confirmation_token' => $token,
+                ],
             ]);
         }
 
+        $this->auth->guard()->login($user, true);
+
         return $this->sendLoginResponse($user, $request);
     }
 }

app/Http/Controllers/Base/SecurityController.php

@@ -83,8 +83,8 @@ public function index(Request $request): JsonResponse
 
         return JsonResponse::create([
             'enabled' => false,
-            'qr_image' => $response->get('image'),
-            'secret' => $response->get('secret'),
+            'qr_image' => $response,
+            'secret' => '',
         ]);
     }
 

app/Http/Requests/Auth/LoginCheckpointRequest.php

@@ -25,7 +25,7 @@ public function rules(): array
     {
         return [
             'confirmation_token' => 'required|string',
-            'authentication_code' => 'required|int',
+            'authentication_code' => 'required|numeric',
         ];
     }
 }