Block API access when 2FA is required on account; closes pterodactyl#2791

DaneEveritt · DaneEveritt · commit d22456d9ca08 · 2020-12-06T13:56:14.000-08:00
diff --git a/app/Exceptions/Http/TwoFactorAuthRequiredException.php b/app/Exceptions/Http/TwoFactorAuthRequiredException.php
@@ -0,0 +1,21 @@
+<?php
+
+namespace Pterodactyl\Exceptions\Http;
+
+use Throwable;
+use Illuminate\Http\Response;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface;
+
+class TwoFactorAuthRequiredException extends HttpException implements HttpExceptionInterface
+{
+    /**
+     * TwoFactorAuthRequiredException constructor.
+     *
+     * @param \Throwable|null $previous
+     */
+    public function __construct(Throwable $previous = null)
+    {
+        parent::__construct(Response::HTTP_BAD_REQUEST, "Two-factor authentication is required on this account in order to access this endpoint.", $previous);
+    }
+}
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
@@ -84,6 +84,12 @@ class Kernel extends HttpKernel
             SubstituteClientApiBindings::class,
             'api..key:' . ApiKey::TYPE_ACCOUNT,
             AuthenticateIPAccess::class,
+            // This is perhaps a little backwards with the Client API, but logically you'd be unable
+            // to create/get an API key without first enabling 2FA on the account, so I suppose in the
+            // end it makes sense.
+            //
+            // You just wouldn't be authenticating with the API by providing a 2FA token.
+            RequireTwoFactorAuthentication::class,
         ],
         'daemon' => [
             SubstituteBindings::class,
diff --git a/app/Http/Middleware/RequireTwoFactorAuthentication.php b/app/Http/Middleware/RequireTwoFactorAuthentication.php
@@ -1,18 +1,12 @@
 <?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
- *
- * This software is licensed under the terms of the MIT license.
- * https://opensource.org/licenses/MIT
- */
 
 namespace Pterodactyl\Http\Middleware;
 
 use Closure;
 use Illuminate\Support\Str;
 use Illuminate\Http\Request;
 use Prologue\Alerts\AlertsMessageBag;
+use Pterodactyl\Exceptions\Http\TwoFactorAuthRequiredException;
 
 class RequireTwoFactorAuthentication
 {
@@ -30,7 +24,7 @@ class RequireTwoFactorAuthentication
      *
      * @var string
      */
-    protected $redirectRoute = 'account';
+    protected $redirectRoute = '/account';
 
     /**
      * RequireTwoFactorAuthentication constructor.
@@ -43,41 +37,46 @@ public function __construct(AlertsMessageBag $alert)
     }
 
     /**
-     * Handle an incoming request.
+     * Check the user state on the incoming request to determine if they should be allowed to
+     * proceed or not. This checks if the Panel is configured to require 2FA on an account in
+     * order to perform actions. If so, we check the level at which it is required (all users
+     * or just admins) and then check if the user has enabled it for their account.
      *
      * @param \Illuminate\Http\Request $request
      * @param \Closure $next
      * @return mixed
+     *
+     * @throws \Pterodactyl\Exceptions\Http\TwoFactorAuthRequiredException
      */
     public function handle(Request $request, Closure $next)
     {
-        if (! $request->user()) {
+        /** @var \Pterodactyl\Models\User $user */
+        $user = $request->user();
+        $uri = rtrim($request->getRequestUri(), '/') . '/';
+        $current = $request->route()->getName();
+
+        if (! $user || Str::startsWith($uri, ['/auth/']) || Str::startsWith($current, ['auth.', 'account.'])) {
             return $next($request);
         }
 
-        $current = $request->route()->getName();
-        if (in_array($current, ['auth', 'account']) || Str::startsWith($current, ['auth.', 'account.'])) {
+        $level = (int)config('pterodactyl.auth.2fa_required');
+        // If this setting is not configured, or the user is already using 2FA then we can just
+        // send them right through, nothing else needs to be checked.
+        //
+        // If the level is set as admin and the user is not an admin, pass them through as well.
+        if ($level === self::LEVEL_NONE || $user->use_totp) {
+            return $next($request);
+        } else if ($level === self::LEVEL_ADMIN && ! $user->root_admin) {
             return $next($request);
         }
 
-        switch ((int) config('pterodactyl.auth.2fa_required')) {
-            case self::LEVEL_ADMIN:
-                if (! $request->user()->root_admin || $request->user()->use_totp) {
-                    return $next($request);
-                }
-                break;
-            case self::LEVEL_ALL:
-                if ($request->user()->use_totp) {
-                    return $next($request);
-                }
-                break;
-            case self::LEVEL_NONE:
-            default:
-                return $next($request);
+        // For API calls return an exception which gets rendered nicely in the API response.
+        if ($request->isJson() || Str::startsWith($uri, '/api/')) {
+            throw new TwoFactorAuthRequiredException;
         }
 
         $this->alert->danger(trans('auth.2fa_must_be_enabled'))->flash();
 
-        return redirect()->route($this->redirectRoute);
+        return redirect()->to($this->redirectRoute);
     }
 }
diff --git a/resources/scripts/api/interceptors.ts b/resources/scripts/api/interceptors.ts
@@ -0,0 +1,16 @@
+import http from '@/api/http';
+import { AxiosError } from 'axios';
+import { History } from 'history';
+
+export const setupInterceptors = (history: History) => {
+    http.interceptors.response.use(resp => resp, (error: AxiosError) => {
+        if (error.response?.status === 400) {
+            if (error.response?.data.errors?.[0].code === 'TwoFactorAuthRequiredException') {
+                if (!window.location.pathname.startsWith('/account')) {
+                    history.replace('/account', { twoFactorRedirect: true });
+                }
+            }
+        }
+        throw error;
+    });
+};
diff --git a/resources/scripts/components/App.tsx b/resources/scripts/components/App.tsx
@@ -1,7 +1,7 @@
 import React, { useEffect } from 'react';
 import ReactGA from 'react-ga';
 import { hot } from 'react-hot-loader/root';
-import { BrowserRouter, Route, Switch, useLocation } from 'react-router-dom';
+import { Route, Router, Switch, useLocation } from 'react-router-dom';
 import { StoreProvider } from 'easy-peasy';
 import { store } from '@/state';
 import DashboardRouter from '@/routers/DashboardRouter';
@@ -13,6 +13,8 @@ import ProgressBar from '@/components/elements/ProgressBar';
 import NotFound from '@/components/screens/NotFound';
 import tw from 'twin.macro';
 import GlobalStylesheet from '@/assets/css/GlobalStylesheet';
+import { createBrowserHistory } from 'history';
+import { setupInterceptors } from '@/api/interceptors';
 
 interface ExtendedWindow extends Window {
     SiteConfiguration?: SiteSettings;
@@ -30,6 +32,10 @@ interface ExtendedWindow extends Window {
     };
 }
 
+const history = createBrowserHistory({ basename: '/' });
+
+setupInterceptors(history);
+
 const Pageview = () => {
     const { pathname } = useLocation();
 
@@ -72,15 +78,15 @@ const App = () => {
                 <Provider store={store}>
                     <ProgressBar/>
                     <div css={tw`mx-auto w-auto`}>
-                        <BrowserRouter basename={'/'} key={'root-router'}>
+                        <Router history={history}>
                             {SiteConfiguration?.analytics && <Pageview/>}
                             <Switch>
                                 <Route path="/server/:id" component={ServerRouter}/>
                                 <Route path="/auth" component={AuthenticationRouter}/>
                                 <Route path="/" component={DashboardRouter}/>
                                 <Route path={'*'} component={NotFound}/>
                             </Switch>
-                        </BrowserRouter>
+                        </Router>
                     </div>
                 </Provider>
             </StoreProvider>
diff --git a/resources/scripts/components/dashboard/AccountOverviewContainer.tsx b/resources/scripts/components/dashboard/AccountOverviewContainer.tsx
@@ -7,9 +7,11 @@ import PageContentBlock from '@/components/elements/PageContentBlock';
 import tw from 'twin.macro';
 import { breakpoint } from '@/theme';
 import styled from 'styled-components/macro';
+import { RouteComponentProps } from 'react-router';
+import MessageBox from '@/components/MessageBox';
 
 const Container = styled.div`
-    ${tw`flex flex-wrap my-10`};
+    ${tw`flex flex-wrap`};
 
     & > div {
         ${tw`w-full`};
@@ -24,10 +26,15 @@ const Container = styled.div`
     }
 `;
 
-export default () => {
+export default ({ location: { state } }: RouteComponentProps) => {
     return (
         <PageContentBlock title={'Account Overview'}>
-            <Container>
+            {state?.twoFactorRedirect &&
+            <MessageBox title={'2-Factor Required'} type={'error'}>
+                Your account must have two-factor authentication enabled in order to continue.
+            </MessageBox>
+            }
+            <Container css={[ tw`mb-10`, state?.twoFactorRedirect ? tw`mt-4` : tw`mt-10` ]}>
                 <ContentBox title={'Update Password'} showFlashes={'account:password'}>
                     <UpdatePasswordForm/>
                 </ContentBox>
diff --git a/routes/api-client.php b/routes/api-client.php
@@ -1,6 +1,7 @@
 <?php
 
 use Illuminate\Support\Facades\Route;
+use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
 use Pterodactyl\Http\Middleware\Api\Client\Server\SubuserBelongsToServer;
 use Pterodactyl\Http\Middleware\Api\Client\Server\AuthenticateServerAccess;
 use Pterodactyl\Http\Middleware\Api\Client\Server\AllocationBelongsToServer;
@@ -17,10 +18,10 @@
 Route::get('/permissions', 'ClientController@permissions');
 
 Route::group(['prefix' => '/account'], function () {
-    Route::get('/', 'AccountController@index')->name('api:client.account');
-    Route::get('/two-factor', 'TwoFactorController@index');
-    Route::post('/two-factor', 'TwoFactorController@store');
-    Route::delete('/two-factor', 'TwoFactorController@delete');
+    Route::get('/', 'AccountController@index')->name('api:client.account')->withoutMiddleware(RequireTwoFactorAuthentication::class);
+    Route::get('/two-factor', 'TwoFactorController@index')->withoutMiddleware(RequireTwoFactorAuthentication::class);
+    Route::post('/two-factor', 'TwoFactorController@store')->withoutMiddleware(RequireTwoFactorAuthentication::class);
+    Route::delete('/two-factor', 'TwoFactorController@delete')->withoutMiddleware(RequireTwoFactorAuthentication::class);
 
     Route::put('/email', 'AccountController@updateEmail')->name('api:client.account.update-email');
     Route::put('/password', 'AccountController@updatePassword')->name('api:client.account.update-password');
diff --git a/routes/base.php b/routes/base.php
@@ -1,9 +1,14 @@
 <?php
 
+use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
+
 Route::get('/', 'IndexController@index')->name('index')->fallback();
-Route::get('/account', 'IndexController@index')->name('account');
+Route::get('/account', 'IndexController@index')
+    ->withoutMiddleware(RequireTwoFactorAuthentication::class)
+    ->name('account');
 
 Route::get('/locales/{locale}/{namespace}.json', 'LocaleController')
+    ->withoutMiddleware(RequireTwoFactorAuthentication::class)
     ->where('namespace', '.*');
 
 Route::get('/{react}', 'IndexController@index')
