dvkei/Pterodactyl-Panel
1
0
Fork 0
forked from Alex/Pterodactyl-Panel
Code Issues Pull Requests Projects Releases Wiki Activity

Don't expose existence of account when an incorrect password is provided and the user has 2FA enabled

Browse Source
This commit is contained in:
Dane Everitt 2019-06-21 21:39:24 -07:00
parent 06ff76e2e9
commit 2db7928b76
No known key found for this signature in database
GPG Key ID: EEA66103B3D71F53
1 changed files with 12 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
app/Http/Controllers/Auth/LoginController.php
View File

@ -126,21 +126,20 @@ class LoginController extends Controller
return $this->sendFailedLoginResponse($request);
}
$validCredentials = password_verify($request->input('password'), $user->password);
if (! password_verify($request->input('password'), $user->password)) {
return $this->sendFailedLoginResponse($request, $user);
}
if ($user->use_totp) {
$token = str_random(64);
$this->cache->put($token, ['user_id' => $user->id, 'valid_credentials' => $validCredentials], 5);
$this->cache->put($token, ['user_id' => $user->id, 'valid_credentials' => true], 5);
return redirect()->route('auth.totp')->with('authentication_token', $token);
}
if ($validCredentials) {
$this->auth->guard()->login($user, true);
$this->auth->guard()->login($user, true);
return $this->sendLoginResponse($request);
}
return $this->sendFailedLoginResponse($request, $user);
return $this->sendLoginResponse($request);
}
/**
@ -161,12 +160,13 @@ class LoginController extends Controller
/**
* Handle a login where the user is required to provide a TOTP authentication
* token. In order to add additional layers of security, users are not
* informed of an incorrect password until this stage, forcing them to
* provide a token on each login attempt.
* token.
*
* @param \Illuminate\Http\Request $request
* @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\Response
* @throws \PragmaRX\Google2FA\Exceptions\IncompatibleWithGoogleAuthenticatorException
* @throws \PragmaRX\Google2FA\Exceptions\InvalidCharactersException
* @throws \PragmaRX\Google2FA\Exceptions\SecretKeyTooShortException
*/
public function loginUsingTotp(Request $request)
{
@ -181,7 +181,7 @@ class LoginController extends Controller
return $this->sendFailedLoginResponse($request);
}
if (is_null($request->input('2fa_token')) || ! array_get($cache, 'valid_credentials')) {
if (is_null($request->input('2fa_token'))) {
return $this->sendFailedLoginResponse($request, $user);
}