Reject requests for public key auth when the user has no keys

DaneEveritt · DaneEveritt · commit e856daee195c · 2022-05-15T15:47:06.000-04:00
diff --git a/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php b/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php
@@ -43,6 +43,12 @@ public function __invoke(SftpAuthenticationFormRequest $request): JsonResponse
             if (!password_verify($request->input('password'), $user->password)) {
                 $this->reject($request);
             }
+        } else {
+            // Start blocking requests when the user has no public keys in the first place —
+            // don't let the user spam this endpoint.
+            if ($user->sshKeys->isEmpty()) {
+                $this->reject($request);
+            }
         }
 
         $this->validateSftpAccess($user, $server);

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,12 @@ public function __invoke(SftpAuthenticationFormRequest $request): JsonResponse`
`43`	`43`	`if (!password_verify($request->input('password'), $user->password)) {`
`44`	`44`	`$this->reject($request);`
`45`	`45`	`}`
	`46`	`+ } else {`
	`47`	`+ // Start blocking requests when the user has no public keys in the first place —`
	`48`	`+ // don't let the user spam this endpoint.`
	`49`	`+ if ($user->sshKeys->isEmpty()) {`
	`50`	`+ $this->reject($request);`
	`51`	`+ }`
`46`	`52`	`}`
`47`	`53`
`48`	`54`	`$this->validateSftpAccess($user, $server);`