sonot
/
PteroTheme
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
3,812 Commits 61 Branches 128 Tags 29 MiB
Commit Graph

67 Commits

Author SHA1 Message Date
Dane Everitt c370e08f65
[security] add login throttling to the 2FA verification endpoint 2020-10-17 14:46:10 -07:00
Dane Everitt 7b75e7a648
Support using recovery tokens during the login process to bypass 2fa; closes #479 2020-07-02 23:01:02 -07:00
Dane Everitt 9eb31a16d9
Fix 2FA handling; closes #1962 2020-04-25 13:01:16 -07:00
Dane Everitt 7543ef085d
Format files 2019-09-05 21:32:57 -07:00
Dane Everitt bd8b708c32
[L6] Update cache methods to use defined times and not ints 2019-09-04 20:24:46 -07:00
Dane Everitt 212773d63c
Finish authentication flow for 2FA 2019-06-22 13:33:11 -07:00
Dane Everitt 56640253b9
Merge branch 'release/v0.7.14' into feature/react 2019-06-22 12:28:44 -07:00
Dane Everitt 2db7928b76
Don't expose existence of account when an incorrect password is provided and the user has 2FA enabled 2019-06-21 21:39:24 -07:00
Dane Everitt 19ef901768
Show success message to the user 2019-06-11 23:19:43 -07:00
Dane Everitt 136e4b5b7b
Fix some issues 2018-12-30 12:45:57 -08:00
Dane Everitt 21ffa08d66
Merge branch 'develop' into feature/vuejs 2018-12-16 14:20:35 -08:00
Oreo Oreoniv adcf0c9fee
Fixed Failed event 
Thank you very much Laravel for not pointing out the changes to be made when upgrading from 5.6 to 5.7
 2018-11-28 23:24:43 +03:00
zKoz210 2d7e889bcc Fixed StyleCI 2018-11-26 03:28:14 +03:00
zKoz210 0b4b1a3443 Initial update 2018-11-26 03:25:18 +03:00
Dane Everitt 550c622d3b
Obliterate JWT from codebase 2018-07-14 22:48:09 -07:00
Dane Everitt 6336e5191f
Strip out JWT usage and use cookies to track the currently logged in user 2018-07-14 22:42:58 -07:00
Dane Everitt 5010c0c756
Merge branch 'feature/vuejs' into feature/vuejs-account 2018-07-04 18:12:57 -07:00
Dane Everitt af9af78938
Merge branch 'develop' into feature/vuejs 2018-07-04 18:09:07 -07:00
Dane Everitt 8f5bd214a4
[Security] Address 2FA bypass in password reset functionality 
Thanks to Trixter#0001 on Discord for this security report.

There was a two-factor authentication bypass present in all previous versions of Pterodactyl that would allow a user to login without providing a token by going through the password reset process. A person would still have to have access to the targeted account's email, but if they did manage to get a password reset link they would be able to reset the account password and then proceede to login without a token being required.

This logic has since been changed to check if 2FA is enabled on an account, and if so they will NOT be logged in when their password is changed. This will force them to continue through the normal login pathway where a token will be needed.

Overall the impact of this issue is minor, but I am still addressing it and disclosing the mechanism behind it.
 2018-07-04 11:41:56 -07:00
Dane Everitt e7faf979a1
Change login handling to automatically redirect a user if their session will need renewal. 2018-06-16 14:05:39 -07:00
Dane Everitt 03c83c084a
Revert use of cookies, go back to using a JWT 2018-06-06 22:49:44 -07:00
Dane Everitt e948d81d8a
Base attempt at using vuex to handle logins 2018-06-05 23:00:01 -07:00
Dane Everitt a1444b047e
Fix JWT handling for API access when logging in 2018-05-28 14:59:48 -07:00
Dane Everitt ad69193ac0
Add JWT to login forms 2018-05-28 12:48:42 -07:00
Dane Everitt 4fad244073
Show correct auth error. 2018-04-08 16:16:04 -05:00
Dane Everitt b6e94d9a1e
Code cleanup 2018-04-08 16:00:52 -05:00
Dane Everitt 6d970a4cc3
Finalize login page! 2018-04-08 15:46:32 -05:00
Dane Everitt d63624f607
Working login form with password reset functionality. 2018-04-08 15:18:13 -05:00
Dane Everitt c3e462ab2f
Cleanup login/reset functionality, address security issue with 2FA pathways 2018-04-07 16:17:51 -05:00
Dane Everitt 4f3c668420
Refactor auth controllers to be cleaner and easier to maintain 2018-04-07 12:35:15 -05:00
Dane Everitt 324b989a29
Get a working rough copy of the login page 2018-04-01 17:46:16 -05:00
Dane Everitt b9d67459b2
Update to Laravel 5.5 (#814) 2017-12-17 13:07:38 -06:00
Dane Everitt 6f52f4a614
Push updates to login page, mostly UI enhancements. 2017-11-18 15:09:58 -06:00
Dane Everitt c7c2c1a45e
Implement changes to 2FA system (#761) 2017-11-18 13:35:33 -05:00
Dane Everitt e56f4cdd33
Update license headers on files. 2017-09-25 21:43:01 -05:00
Dane Everitt 3ee5803416
Massive PHPCS linting 2017-08-21 22:10:48 -05:00
Dane Everitt 72c0330486
Fixes 2FA not honoring 'Remember Me' checkbox, closes #439 2017-05-22 19:09:42 -05:00
Dane Everitt aa6060846d
Actually show errors on password reset page. 2017-04-27 23:44:26 -04:00
Dane Everitt 77b1a258d9 Weekly fix of my StyleCI violations... 2017-04-24 16:56:38 -04:00
Dane Everitt f1024ad1a8
Improved login controller func. for 2FA, throws Failed event correctly now 2017-04-14 14:33:15 -04:00
Dane Everitt 451dd7ebc8 Apply fixes from StyleCI (#364) 2017-03-31 20:48:35 -04:00
Jakob Schrettenbrunner e613e44749 fix #363 2017-04-01 01:58:05 +02:00
Dane Everitt 1f0e95790a
🔒 Don't disclose if account exists when resetting passwords, closes #358 2017-03-30 17:44:20 -04:00
Dane Everitt 0312c974f5
Update doc blocks for all app/ 2017-03-19 19:36:50 -04:00
Jakob Schrettenbrunner 4fc832838b use ‚required|string‘ to validate usernames 2017-02-16 20:45:36 +01:00
Jakob Schrettenbrunner 0b2c5279a8 allow to use the username for login as well 
add translation strings
 2017-02-16 20:40:21 +01:00
Dane Everitt 2290118a0d Apply fixes from StyleCI (#293) 2017-02-12 15:17:14 -05:00
Dane Everitt a93adce303
Only allow up to 30 seconds of overlap on comparing the 2FA tokens. 2017-02-01 23:02:54 -05:00
Dane Everitt 4abdee0efb
Better 2FA implementation on logins 2017-02-01 22:58:48 -05:00
Dane Everitt bf7b58470a
Update copyright headers 2017-01-24 17:57:08 -05:00