Support using recovery tokens during the login process to bypass 2fa; closes pterodactyl#479

Author: DaneEveritt

app/Http/Controllers/Auth/AbstractLoginController.php

@@ -68,18 +68,21 @@ public function __construct(AuthManager $auth, Repository $config)
      *
      * @param \Illuminate\Http\Request $request
      * @param \Illuminate\Contracts\Auth\Authenticatable|null $user
+     * @param string|null $message
      *
      * @throws \Pterodactyl\Exceptions\DisplayException
      */
-    protected function sendFailedLoginResponse(Request $request, Authenticatable $user = null)
+    protected function sendFailedLoginResponse(Request $request, Authenticatable $user = null, string $message = null)
     {
         $this->incrementLoginAttempts($request);
         $this->fireFailedLoginEvent($user, [
             $this->getField($request->input('user')) => $request->input('user'),
         ]);
 
         if ($request->route()->named('auth.login-checkpoint')) {
-            throw new DisplayException(trans('auth.two_factor.checkpoint_failed'));
+            throw new DisplayException(
+                $message ?? trans('auth.two_factor.checkpoint_failed')
+            );
         }
 
         throw new DisplayException(trans('auth.failed'));
@@ -116,7 +119,7 @@ protected function sendLoginResponse(User $user, Request $request): JsonResponse
      */
     protected function getField(string $input = null): string
     {
-        return str_contains($input, '@') ? 'email' : 'username';
+        return ($input && str_contains($input, '@')) ? 'email' : 'username';
     }
 
     /**

app/Http/Controllers/Auth/LoginCheckpointController.php

@@ -11,6 +11,7 @@
 use Illuminate\Contracts\Cache\Repository as CacheRepository;
 use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
 use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
+use Pterodactyl\Repositories\Eloquent\RecoveryTokenRepository;
 
 class LoginCheckpointController extends AbstractLoginController
 {
@@ -34,6 +35,11 @@ class LoginCheckpointController extends AbstractLoginController
      */
     private $encrypter;
 
+    /**
+     * @var \Pterodactyl\Repositories\Eloquent\RecoveryTokenRepository
+     */
+    private $recoveryTokenRepository;
+
     /**
      * LoginCheckpointController constructor.
      *
@@ -42,6 +48,7 @@ class LoginCheckpointController extends AbstractLoginController
      * @param \PragmaRX\Google2FA\Google2FA $google2FA
      * @param \Illuminate\Contracts\Config\Repository $config
      * @param \Illuminate\Contracts\Cache\Repository $cache
+     * @param \Pterodactyl\Repositories\Eloquent\RecoveryTokenRepository $recoveryTokenRepository
      * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $repository
      */
     public function __construct(
@@ -50,6 +57,7 @@ public function __construct(
         Google2FA $google2FA,
         Repository $config,
         CacheRepository $cache,
+        RecoveryTokenRepository $recoveryTokenRepository,
         UserRepositoryInterface $repository
     ) {
         parent::__construct($auth, $config);
@@ -58,6 +66,7 @@ public function __construct(
         $this->cache = $cache;
         $this->repository = $repository;
         $this->encrypter = $encrypter;
+        $this->recoveryTokenRepository = $recoveryTokenRepository;
     }
 
     /**
@@ -76,21 +85,35 @@ public function __construct(
     public function __invoke(LoginCheckpointRequest $request): JsonResponse
     {
         $token = $request->input('confirmation_token');
+        $recoveryToken = $request->input('recovery_token');
 
         try {
+            /** @var \Pterodactyl\Models\User $user */
             $user = $this->repository->find($this->cache->get($token, 0));
         } catch (RecordNotFoundException $exception) {
-            return $this->sendFailedLoginResponse($request);
+            return $this->sendFailedLoginResponse($request, null, 'The authentication token provided has expired, please refresh the page and try again.');
         }
 
-        $decrypted = $this->encrypter->decrypt($user->totp_secret);
+        // If we got a recovery token try to find one that matches for the user and then continue
+        // through the process (and delete the token).
+        if (! is_null($recoveryToken)) {
+            foreach ($user->recoveryTokens as $token) {
+                if (password_verify($recoveryToken, $token->token)) {
+                    $this->recoveryTokenRepository->delete($token->id);
+
+                    return $this->sendLoginResponse($user, $request);
+                }
+            }
+        } else {
+            $decrypted = $this->encrypter->decrypt($user->totp_secret);
 
-        if ($this->google2FA->verifyKey($decrypted, (string) $request->input('authentication_code') ?? '', config('pterodactyl.auth.2fa.window'))) {
-            $this->cache->delete($token);
+            if ($this->google2FA->verifyKey($decrypted, (string) $request->input('authentication_code') ?? '', config('pterodactyl.auth.2fa.window'))) {
+                $this->cache->delete($token);
 
-            return $this->sendLoginResponse($user, $request);
+                return $this->sendLoginResponse($user, $request);
+            }
         }
 
-        return $this->sendFailedLoginResponse($request, $user);
+        return $this->sendFailedLoginResponse($request, $user, ! empty($recoveryToken) ? 'The recovery token provided is not valid.' : null);
     }
 }

app/Http/Controllers/Auth/LoginController.php

@@ -103,7 +103,7 @@ public function login(Request $request): JsonResponse
             $token = Str::random(64);
             $this->cache->put($token, $user->id, Chronos::now()->addMinutes(5));
 
-            return JsonResponse::create([
+            return new JsonResponse([
                 'data' => [
                     'complete' => false,
                     'confirmation_token' => $token,

app/Http/Requests/Auth/LoginCheckpointRequest.php

@@ -2,6 +2,7 @@
 
 namespace Pterodactyl\Http\Requests\Auth;
 
+use Illuminate\Validation\Rule;
 use Illuminate\Foundation\Http\FormRequest;
 
 class LoginCheckpointRequest extends FormRequest
@@ -25,7 +26,20 @@ public function rules(): array
     {
         return [
             'confirmation_token' => 'required|string',
-            'authentication_code' => 'required|numeric',
+            'authentication_code' => [
+                'nullable',
+                'numeric',
+                Rule::requiredIf(function () {
+                    return empty($this->input('recovery_token'));
+                }),
+            ],
+            'recovery_token' => [
+                'nullable',
+                'string',
+                Rule::requiredIf(function () {
+                    return empty($this->input('authentication_code'));
+                }),
+            ],
         ];
     }
 }

app/Models/User.php

@@ -39,7 +39,7 @@
  * @property \Pterodactyl\Models\ApiKey[]|\Illuminate\Database\Eloquent\Collection $apiKeys
  * @property \Pterodactyl\Models\Server[]|\Illuminate\Database\Eloquent\Collection $servers
  * @property \Pterodactyl\Models\DaemonKey[]|\Illuminate\Database\Eloquent\Collection $keys
- * @property \Pterodactyl\Models\RecoveryToken[]|\Illuminate\Database\Eloquent\Collection $recoveryCodes
+ * @property \Pterodactyl\Models\RecoveryToken[]|\Illuminate\Database\Eloquent\Collection $recoveryTokens
  */
 class User extends Model implements
     AuthenticatableContract,
@@ -256,7 +256,7 @@ public function apiKeys()
     /**
      * @return \Illuminate\Database\Eloquent\Relations\HasMany
      */
-    public function recoveryCodes()
+    public function recoveryTokens()
     {
         return $this->hasMany(RecoveryToken::class);
     }

resources/scripts/api/auth/loginCheckpoint.ts

@@ -1,13 +1,14 @@
 import http from '@/api/http';
 import { LoginResponse } from '@/api/auth/login';
 
-export default (token: string, code: string): Promise<LoginResponse> => {
+export default (token: string, code: string, recoveryToken?: string): Promise<LoginResponse> => {
     return new Promise((resolve, reject) => {
         http.post('/auth/login/checkpoint', {
-            // eslint-disable-next-line @typescript-eslint/camelcase
+            /* eslint-disable @typescript-eslint/camelcase */
             confirmation_token: token,
-            // eslint-disable-next-line @typescript-eslint/camelcase
             authentication_code: code,
+            recovery_token: (recoveryToken && recoveryToken.length > 0) ? recoveryToken : undefined,
+            /* eslint-enable @typescript-eslint/camelcase */
         })
             .then(response => resolve({
                 complete: response.data.data.complete,

resources/scripts/components/auth/LoginCheckpointContainer.tsx

@@ -1,4 +1,4 @@
-import React from 'react';
+import React, { useState } from 'react';
 import { Link, RouteComponentProps } from 'react-router-dom';
 import loginCheckpoint from '@/api/auth/loginCheckpoint';
 import { httpErrorToHuman } from '@/api/http';
@@ -14,6 +14,7 @@ import Field from '@/components/elements/Field';
 
 interface Values {
     code: string;
+    recoveryCode: '',
 }
 
 type OwnProps = RouteComponentProps<{}, StaticContext, { token?: string }>
@@ -24,7 +25,8 @@ type Props = OwnProps & {
 }
 
 const LoginCheckpointContainer = () => {
-    const { isSubmitting } = useFormikContext<Values>();
+    const { isSubmitting, setFieldValue } = useFormikContext<Values>();
+    const [ isMissingDevice, setIsMissingDevice ] = useState(false);
 
     return (
         <LoginFormContainer
@@ -34,10 +36,14 @@ const LoginCheckpointContainer = () => {
             <div className={'mt-6'}>
                 <Field
                     light={true}
-                    name={'code'}
-                    title={'Authentication Code'}
-                    description={'Enter the two-factor token generated by your device.'}
-                    type={'number'}
+                    name={isMissingDevice ? 'recoveryCode' : 'code'}
+                    title={isMissingDevice ? 'Recovery Code' : 'Authentication Code'}
+                    description={
+                        isMissingDevice
+                            ? 'Enter one of the recovery codes generated when you setup 2-Factor authentication on this account in order to continue.'
+                            : 'Enter the two-factor token generated by your device.'
+                    }
+                    type={isMissingDevice ? 'text' : 'number'}
                     autoFocus={true}
                 />
             </div>
@@ -54,6 +60,18 @@ const LoginCheckpointContainer = () => {
                     }
                 </button>
             </div>
+            <div className={'mt-6 text-center'}>
+                <span
+                    onClick={() => {
+                        setFieldValue('code', '');
+                        setFieldValue('recoveryCode', '');
+                        setIsMissingDevice(s => !s);
+                    }}
+                    className={'cursor-pointer text-xs text-neutral-500 tracking-wide uppercase no-underline hover:text-neutral-700'}
+                >
+                    {!isMissingDevice ? 'I\'ve Lost My Device' : 'I Have My Device'}
+                </span>
+            </div>
             <div className={'mt-6 text-center'}>
                 <Link
                     to={'/auth/login'}
@@ -67,10 +85,9 @@ const LoginCheckpointContainer = () => {
 };
 
 const EnhancedForm = withFormik<Props, Values>({
-    handleSubmit: ({ code }, { setSubmitting, props: { addError, clearFlashes, location } }) => {
+    handleSubmit: ({ code, recoveryCode }, { setSubmitting, props: { addError, clearFlashes, location } }) => {
         clearFlashes();
-        console.log(location.state.token, code);
-        loginCheckpoint(location.state?.token || '', code)
+        loginCheckpoint(location.state?.token || '', code, recoveryCode)
             .then(response => {
                 if (response.complete) {
                     // @ts-ignore
@@ -89,11 +106,7 @@ const EnhancedForm = withFormik<Props, Values>({
 
     mapPropsToValues: () => ({
         code: '',
-    }),
-
-    validationSchema: object().shape({
-        code: string().required('An authentication code must be provided.')
-            .length(6, 'Authentication code must be 6 digits in length.'),
+        recoveryCode: '',
     }),
 })(LoginCheckpointContainer);