Finalize two-factor handling on account.

Author: DaneEveritt

app/Http/Controllers/Base/SecurityController.php

@@ -3,6 +3,7 @@
 namespace Pterodactyl\Http\Controllers\Base;
 
 use Illuminate\Http\Request;
+use Illuminate\Http\JsonResponse;
 use Prologue\Alerts\AlertsMessageBag;
 use Pterodactyl\Http\Controllers\Controller;
 use Pterodactyl\Services\Users\TwoFactorSetupService;
@@ -62,90 +63,72 @@ public function __construct(
     }
 
     /**
-     * Returns Security Management Page.
-     *
-     * @param \Illuminate\Http\Request $request
-     * @return \Illuminate\View\View
-     */
-    public function index(Request $request)
-    {
-        if ($this->config->get('session.driver') === 'database') {
-            $activeSessions = $this->repository->getUserSessions($request->user()->id);
-        }
-
-        return view('base.security', [
-            'sessions' => $activeSessions ?? null,
-        ]);
-    }
-
-    /**
-     * Generates TOTP Secret and returns popup data for user to verify
-     * that they can generate a valid response.
+     * Return information about the user's two-factor authentication status. If not enabled setup their
+     * secret and return information to allow the user to proceede with setup.
      *
      * @param \Illuminate\Http\Request $request
      * @return \Illuminate\Http\JsonResponse
-     *
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
      */
-    public function generateTotp(Request $request)
+    public function index(Request $request): JsonResponse
     {
-        return response()->json([
-            'qrImage' => $this->twoFactorSetupService->handle($request->user()),
+        if ($request->user()->use_totp) {
+            return JsonResponse::create([
+                'enabled' => true,
+            ]);
+        }
+
+        $response = $this->twoFactorSetupService->handle($request->user());
+
+        return JsonResponse::create([
+            'enabled' => false,
+            'qr_image' => $response->get('image'),
+            'secret' => $response->get('secret'),
         ]);
     }
 
     /**
      * Verifies that 2FA token received is valid and will work on the account.
      *
      * @param \Illuminate\Http\Request $request
-     * @return \Illuminate\Http\Response
+     * @return \Illuminate\Http\JsonResponse
      *
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
      */
-    public function setTotp(Request $request)
+    public function store(Request $request): JsonResponse
     {
         try {
             $this->toggleTwoFactorService->handle($request->user(), $request->input('token') ?? '');
-
-            return response('true');
         } catch (TwoFactorAuthenticationTokenInvalid $exception) {
-            return response('false');
+            $error = true;
         }
+
+        return JsonResponse::create([
+            'success' => ! isset($error),
+        ]);
     }
 
     /**
      * Disables TOTP on an account.
      *
      * @param \Illuminate\Http\Request $request
-     * @return \Illuminate\Http\RedirectResponse
+     * @return \Illuminate\Http\JsonResponse
      *
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
      */
-    public function disableTotp(Request $request)
+    public function delete(Request $request): JsonResponse
     {
         try {
             $this->toggleTwoFactorService->handle($request->user(), $request->input('token') ?? '', false);
         } catch (TwoFactorAuthenticationTokenInvalid $exception) {
-            $this->alert->danger(trans('base.security.2fa_disable_error'))->flash();
+            $error = true;
         }
 
-        return redirect()->route('account.security');
-    }
-
-    /**
-     * Revokes a user session.
-     *
-     * @param \Illuminate\Http\Request $request
-     * @param string                   $id
-     * @return \Illuminate\Http\RedirectResponse
-     */
-    public function revoke(Request $request, string $id)
-    {
-        $this->repository->deleteUserSession($request->user()->id, $id);
-
-        return redirect()->route('account.security');
+        return JsonResponse::create([
+            'success' => ! isset($error),
+        ]);
     }
 }

app/Services/Users/TwoFactorSetupService.php

@@ -11,17 +11,12 @@
 
 use Pterodactyl\Models\User;
 use PragmaRX\Google2FA\Google2FA;
+use Illuminate\Support\Collection;
 use Illuminate\Contracts\Encryption\Encrypter;
 use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
-use Illuminate\Contracts\Config\Repository as ConfigRepository;
 
 class TwoFactorSetupService
 {
-    /**
-     * @var \Illuminate\Contracts\Config\Repository
-     */
-    private $config;
-
     /**
      * @var \Illuminate\Contracts\Encryption\Encrypter
      */
@@ -40,18 +35,15 @@ class TwoFactorSetupService
     /**
      * TwoFactorSetupService constructor.
      *
-     * @param \Illuminate\Contracts\Config\Repository                   $config
      * @param \Illuminate\Contracts\Encryption\Encrypter                $encrypter
      * @param \PragmaRX\Google2FA\Google2FA                             $google2FA
      * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $repository
      */
     public function __construct(
-        ConfigRepository $config,
         Encrypter $encrypter,
         Google2FA $google2FA,
         UserRepositoryInterface $repository
     ) {
-        $this->config = $config;
         $this->encrypter = $encrypter;
         $this->google2FA = $google2FA;
         $this->repository = $repository;
@@ -62,20 +54,23 @@ public function __construct(
      * QR code image.
      *
      * @param \Pterodactyl\Models\User $user
-     * @return string
+     * @return \Illuminate\Support\Collection
      *
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
      */
-    public function handle(User $user): string
+    public function handle(User $user): Collection
     {
-        $secret = $this->google2FA->generateSecretKey($this->config->get('pterodactyl.auth.2fa.bytes'));
-        $image = $this->google2FA->getQRCodeGoogleUrl($this->config->get('app.name'), $user->email, $secret);
+        $secret = $this->google2FA->generateSecretKey(config('pterodactyl.auth.2fa.bytes'));
+        $image = $this->google2FA->getQRCodeGoogleUrl(config('app.name'), $user->email, $secret);
 
         $this->repository->withoutFreshModel()->update($user->id, [
             'totp_secret' => $this->encrypter->encrypt($secret),
         ]);
 
-        return $image;
+        return new Collection([
+            'image' => $image,
+            'secret' => $secret,
+        ]);
     }
 }

resources/assets/scripts/components/dashboard/Account.vue

@@ -3,15 +3,15 @@
         <navigation/>
         <div class="container animate fadein mt-2 sm:mt-6">
             <modal :show="modalVisible" v-on:close="modalVisible = false">
-                <TwoFactorAuthentication/>
+                <TwoFactorAuthentication v-on:close="modalVisible = false"/>
             </modal>
             <flash container="mt-2 sm:mt-6 mb-2"/>
             <div class="flex flex-wrap">
                 <div class="w-full md:w-1/2">
                     <div class="sm:m-4 md:ml-0">
                         <update-email class="mb-4 sm:mb-8"/>
                         <div class="content-box text-center mb-4 sm:mb-0">
-                            <button class="btn btn-green btn-sm" type="submit" v-on:click="modalVisible = true">Configure 2-Factor Authentication</button>
+                            <button class="btn btn-green btn-sm" type="submit" v-on:click="openModal">Configure 2-Factor Authentication</button>
                         </div>
                     </div>
                 </div>
@@ -39,5 +39,11 @@
                 modalVisible: false,
             };
         },
+        methods: {
+            openModal: function () {
+                this.$data.modalVisible = true;
+                window.events.$emit('two_factor:open');
+            },
+        }
     };
 </script>

resources/assets/scripts/components/dashboard/account/ChangePassword.vue

@@ -2,26 +2,26 @@
     <div>
         <form method="post" v-on:submit.prevent="submitForm">
             <div class="content-box">
-                <h2 class="mb-6 text-grey-darkest font-medium">Change your password</h2>
+                <h2 class="mb-6 text-grey-darkest font-medium">{{ $t('dashboard.account.password.title') }}</h2>
                 <div class="mt-6">
-                    <label for="grid-password-current" class="input-label">Current password</label>
+                    <label for="grid-password-current" class="input-label">{{ $t('strings.password') }}</label>
                     <input id="grid-password-current" name="current_password" type="password" class="input" required
                            ref="current"
                            v-model="current"
                     >
                 </div>
                 <div class="mt-6">
-                    <label for="grid-password-new" class="input-label">New password</label>
+                    <label for="grid-password-new" class="input-label">{{ $t('strings.new_password') }}</label>
                     <input id="grid-password-new" name="password" type="password" class="input" required
                            :class="{ error: errors.has('password') }"
                            v-model="newPassword"
                            v-validate="'min:8'"
                     >
                     <p class="input-help error" v-show="errors.has('password')">{{ errors.first('password') }}</p>
-                    <p class="input-help">Your new password should be at least 8 characters in length.</p>
+                    <p class="input-help">{{ $t('dashboard.account.password.requirements') }}</p>
                 </div>
                 <div class="mt-6">
-                    <label for="grid-password-new-confirm" class="input-label">Confirm new password</label>
+                    <label for="grid-password-new-confirm" class="input-label">{{ $t('strings.confirm_password') }}</label>
                     <input id="grid-password-new-confirm" name="password_confirmation" type="password" class="input" required
                            :class="{ error: errors.has('password_confirmation') }"
                            v-model="confirmNew"
@@ -31,7 +31,7 @@
                     <p class="input-help error" v-show="errors.has('password_confirmation')">{{ errors.first('password_confirmation') }}</p>
                 </div>
                 <div class="mt-6 text-right">
-                    <button class="btn btn-blue btn-sm text-right" type="submit">Save</button>
+                    <button class="btn btn-blue btn-sm text-right" type="submit">{{ $t('strings.save') }}</button>
                 </div>
             </div>
         </form>
@@ -68,7 +68,7 @@
                         this.$data.newPassword = '';
                         this.$data.confirmNew = '';
 
-                        this.success('Your password has been updated.');
+                        this.success(this.$t('dashboard.account.password.updated'));
                     })
                     .catch(err => {
                         if (!err.response) {