Ensure a created_at value is set on recovery tokens; closes pterodactyl#3163

Author: DaneEveritt

app/Exceptions/Service/User/TwoFactorAuthenticationTokenInvalid.php

@@ -6,4 +6,11 @@
 
 class TwoFactorAuthenticationTokenInvalid extends DisplayException
 {
+    /**
+     * TwoFactorAuthenticationTokenInvalid constructor.
+     */
+    public function __construct()
+    {
+        parent::__construct('The provided two-factor authentication token was not valid.');
+    }
 }

app/Http/Controllers/Api/Client/TwoFactorController.php

@@ -72,12 +72,11 @@ public function index(Request $request)
      *
      * @return \Illuminate\Http\JsonResponse
      *
+     * @throws \Throwable
      * @throws \Illuminate\Validation\ValidationException
      * @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException
      * @throws \PragmaRX\Google2FA\Exceptions\InvalidCharactersException
      * @throws \PragmaRX\Google2FA\Exceptions\SecretKeyTooShortException
-     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
-     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
      * @throws \Pterodactyl\Exceptions\Service\User\TwoFactorAuthenticationTokenInvalid
      */
     public function store(Request $request)

app/Services/Users/ToggleTwoFactorService.php

@@ -74,7 +74,7 @@ public function handle(User $user, string $token, bool $toggleState = null): arr
         $isValidToken = $this->google2FA->verifyKey($secret, $token, config()->get('pterodactyl.auth.2fa.window'));
 
         if (!$isValidToken) {
-            throw new TwoFactorAuthenticationTokenInvalid('The token provided is not valid.');
+            throw new TwoFactorAuthenticationTokenInvalid();
         }
 
         return $this->connection->transaction(function () use ($user, $toggleState) {
@@ -94,6 +94,9 @@ public function handle(User $user, string $token, bool $toggleState = null): arr
                     $inserts[] = [
                         'user_id' => $user->id,
                         'token' => password_hash($token, PASSWORD_DEFAULT),
+                        // insert() won't actually set the time on the models, so make sure we do this
+                        // manually here.
+                        'created_at' => Carbon::now(),
                     ];
 
                     $tokens[] = $token;

tests/Integration/Api/Client/TwoFactorControllerTest.php

@@ -101,6 +101,11 @@ public function testTwoFactorCanBeEnabledOnAccount()
         $tokens = RecoveryToken::query()->where('user_id', $user->id)->get();
         $this->assertCount(10, $tokens);
         $this->assertStringStartsWith('$2y$10$', $tokens[0]->token);
+        // Ensure the recovery tokens that were created include a "created_at" timestamp
+        // value on them.
+        //
+        // @see https://github.com/pterodactyl/panel/issues/3163
+        $this->assertNotNull($tokens[0]->created_at);
 
         $tokens = $tokens->pluck('token')->toArray();