sonot
/
PteroTheme
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'feature/vuejs' into feature/vuejs-account

This commit is contained in:
Dane Everitt 2018-07-04 18:12:57 -07:00
parent b342d4dc6b 6419b1cf81
commit 5010c0c756
No known key found for this signature in database
GPG Key ID: EEA66103B3D71F53
3 changed files with 78 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@ -3,6 +3,10 @@ This file is a running track of new features and fixes to each version of the pa
This project follows [Semantic Versioning](http://semver.org) guidelines. This project follows [Semantic Versioning](http://semver.org) guidelines.
## v0.7.9 (Derelict Dermodactylus)
### Fixed
* Fixes a two-factor authentication bypass present in the password reset process for an account.
## v0.7.8 (Derelict Dermodactylus) ## v0.7.8 (Derelict Dermodactylus)
### Added ### Added
* Nodes can now be put into maintenance mode to deny access to servers temporarily. * Nodes can now be put into maintenance mode to deny access to servers temporarily.

69
app/Http/Controllers/Auth/ResetPasswordController.php
View File

@ -2,12 +2,17 @@
namespace Pterodactyl\Http\Controllers\Auth; namespace Pterodactyl\Http\Controllers\Auth;
use Illuminate\Support\Str;
use Illuminate\Http\JsonResponse; use Illuminate\Http\JsonResponse;
use Illuminate\Contracts\Hashing\Hasher;
use Illuminate\Support\Facades\Password; use Illuminate\Support\Facades\Password;
use Illuminate\Auth\Events\PasswordReset;
use Illuminate\Contracts\Events\Dispatcher;
use Pterodactyl\Exceptions\DisplayException; use Pterodactyl\Exceptions\DisplayException;
use Pterodactyl\Http\Controllers\Controller; use Pterodactyl\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\ResetsPasswords; use Illuminate\Foundation\Auth\ResetsPasswords;
use Pterodactyl\Http\Requests\Auth\ResetPasswordRequest; use Pterodactyl\Http\Requests\Auth\ResetPasswordRequest;
use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
class ResetPasswordController extends Controller class ResetPasswordController extends Controller
{ {
@ -20,6 +25,40 @@ class ResetPasswordController extends Controller
*/ */
public $redirectTo = '/'; public $redirectTo = '/';
/**
* @var bool
*/
protected $hasTwoFactor = false;
/**
* @var \Illuminate\Contracts\Events\Dispatcher
*/
private $dispatcher;
/**
* @var \Illuminate\Contracts\Hashing\Hasher
*/
private $hasher;
/**
* @var \Pterodactyl\Contracts\Repository\UserRepositoryInterface
*/
private $userRepository;
/**
* ResetPasswordController constructor.
*
* @param \Illuminate\Contracts\Events\Dispatcher $dispatcher
* @param \Illuminate\Contracts\Hashing\Hasher $hasher
* @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $userRepository
*/
public function __construct(Dispatcher $dispatcher, Hasher $hasher, UserRepositoryInterface $userRepository)
{
$this->dispatcher = $dispatcher;
$this->hasher = $hasher;
$this->userRepository = $userRepository;
}
/** /**
* Reset the given user's password. * Reset the given user's password.
* *
@ -49,6 +88,35 @@ class ResetPasswordController extends Controller
throw new DisplayException(trans($response)); throw new DisplayException(trans($response));
} }
/**
* Reset the given user's password. If the user has two-factor authentication enabled on their
* account do not automatically log them in. In those cases, send the user back to the login
* form with a note telling them their password was changed and to log back in.
*
* @param \Illuminate\Contracts\Auth\CanResetPassword|\Pterodactyl\Models\User $user
* @param string $password
*
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
*/
protected function resetPassword($user, $password)
{
$user = $this->userRepository->update($user->id, [
'password' => $this->hasher->make($password),
$user->getRememberTokenName() => Str::random(60),
]);
$this->dispatcher->dispatch(new PasswordReset($user));
// If the user is not using 2FA log them in, otherwise skip this step and force a
// fresh login where they'll be prompted to enter a token.
if (! $user->use_totp) {
$this->guard()->login($user);
}
$this->hasTwoFactor = $user->use_totp;
}
/** /**
* Send a successful password reset response back to the callee. * Send a successful password reset response back to the callee.
* *
@ -59,6 +127,7 @@ class ResetPasswordController extends Controller
return response()->json([ return response()->json([
'success' => true, 'success' => true,
'redirect_to' => $this->redirectTo, 'redirect_to' => $this->redirectTo,
'send_to_login' => $this->hasTwoFactor,
]); ]);
} }
} }

5
resources/assets/scripts/components/auth/ResetPassword.vue
View File

@ -97,6 +97,11 @@
throw new Error('An error was encountered while processing this login.'); throw new Error('An error was encountered while processing this login.');
} }
if (response.data.send_to_login) {
self.success('Your password has been reset, please login to continue.');
return self.$router.push({ name: 'login' });
}
return window.location = response.data.redirect_to; return window.location = response.data.redirect_to;
}) })
.catch(function (err) { .catch(function (err) {