Cleanup login/reset functionality, address security issue with 2FA pathways

2026-04-13 03:43:45 +02:00 · 2018-04-07 16:17:51 -05:00
parent eade81f89b
commit c3e462ab2f
11 changed files with 158 additions and 39 deletions
--- a/app/Http/Controllers/Auth/LoginCheckpointController.php
+++ b/app/Http/Controllers/Auth/LoginCheckpointController.php
@@ -10,9 +10,8 @@ class LoginCheckpointController extends AbstractLoginController
 {
    /**
     * Handle a login where the user is required to provide a TOTP authentication
-     * token. In order to add additional layers of security, users are not
-     * informed of an incorrect password until this stage, forcing them to
-     * provide a token on each login attempt.
+     * token. Once a user has reached this stage it is assumed that they have already
+     * provided a valid username and password.
     *
     * @param \Pterodactyl\Http\Requests\Auth\LoginCheckpointRequest $request
     * @return \Illuminate\Http\JsonResponse
@@ -28,7 +27,7 @@ class LoginCheckpointController extends AbstractLoginController
            return $this->sendFailedLoginResponse($request);
        }

-        if (! array_get($cache, 'valid_credentials') || array_get($cache, 'request_ip') !== $request->ip()) {
+        if (array_get($cache, 'request_ip') !== $request->ip()) {
            return $this->sendFailedLoginResponse($request, $user);
        }

@@ -40,7 +39,7 @@ class LoginCheckpointController extends AbstractLoginController
            return $this->sendFailedLoginResponse($request, $user);
        }

-        $this->authManager->guard()->login($user, true);
+        $this->auth->guard()->login($user, true);

        return $this->sendLoginResponse($request);
    }