1
<?php
2

3
namespace Pterodactyl\Http\Controllers\Api\Client;
4

5
use Illuminate\Http\Request;
6
use Illuminate\Http\Response;
7
use Illuminate\Auth\AuthManager;
8
use Illuminate\Http\JsonResponse;
9
use Pterodactyl\Facades\Activity;
10
use Illuminate\Support\Facades\RateLimiter;
11
use Pterodactyl\Services\Users\UserUpdateService;
12
use Pterodactyl\Transformers\Api\Client\AccountTransformer;
13
use Pterodactyl\Http\Requests\Api\Client\Account\UpdateEmailRequest;
14
use Pterodactyl\Http\Requests\Api\Client\Account\UpdatePasswordRequest;
15
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
16

17
class AccountController extends ClientApiController
18
{
19
    /**
20
     * The number of seconds that must elapse before the email change throttle resets.
21
     */
22
    private const EMAIL_UPDATE_THROTTLE = 60 * 60 * 24;
23

24
    /**
25
     * AccountController constructor.
26
     */
27
    public function __construct(private AuthManager $manager, private UserUpdateService $updateService)
28
    {
29
        parent::__construct();
30
    }
31

32
    public function index(Request $request): array
33
    {
34
        return $this->fractal->item($request->user())
35
            ->transformWith($this->getTransformer(AccountTransformer::class))
36
            ->toArray();
37
    }
38

39
    /**
40
     * Update the authenticated user's email address.
41
     */
42
    public function updateEmail(UpdateEmailRequest $request): JsonResponse
43
    {
44
        $user = $request->user();
45
        // Only allow a user to change their email three times in the span
46
        // of 24 hours. This prevents malicious users from trying to find
47
        // existing accounts in the system by constantly changing their email.
48
        if (RateLimiter::tooManyAttempts($key = "user:update-email:{$user->uuid}", 3)) {
49
            throw new TooManyRequestsHttpException(message: 'Your email address has been changed too many times today. Please try again later.');
50
        }
51

52
        $original = $user->email;
53
        if (mb_strtolower($original) !== mb_strtolower($request->validated('email'))) {
54
            RateLimiter::hit($key, self::EMAIL_UPDATE_THROTTLE);
55

56
            $this->updateService->handle($user, $request->validated());
57

58
            Activity::event('user:account.email-changed')
59
                ->property(['old' => $original, 'new' => $request->validated('email')])
60
                ->log();
61
        }
62

63
        return new JsonResponse([], Response::HTTP_NO_CONTENT);
64
    }
65

66
    /**
67
     * Update the authenticated user's password. All existing sessions will be logged
68
     * out immediately.
69
     *
70
     * @throws \Throwable
71
     */
72
    public function updatePassword(UpdatePasswordRequest $request): JsonResponse
73
    {
74
        $user = Activity::event('user:account.password-changed')->transaction(function () use ($request) {
75
            return $this->updateService->handle($request->user(), $request->validated());
76
        });
77

78
        $guard = $this->manager->guard();
79
        // If you do not update the user in the session you'll end up working with a
80
        // cached copy of the user that does not include the updated password. Do this
81
        // to correctly store the new user details in the guard and allow the logout
82
        // other devices functionality to work.
83
        $guard->setUser($user);
84

85
        // This method doesn't exist in the stateless Sanctum world.
86
        if (method_exists($guard, 'logoutOtherDevices')) { // @phpstan-ignore function.alreadyNarrowedType
87
            $guard->logoutOtherDevices($request->input('password'));
88
        }
89

90
        return new JsonResponse([], Response::HTTP_NO_CONTENT);
91
    }
92
}
93

94