1
<?php
2

3
namespace Pterodactyl\Http\Controllers\Auth;
4

5
use Illuminate\Support\Str;
6
use Illuminate\Http\JsonResponse;
7
use Illuminate\Contracts\Hashing\Hasher;
8
use Illuminate\Support\Facades\Password;
9
use Illuminate\Auth\Events\PasswordReset;
10
use Illuminate\Contracts\Events\Dispatcher;
11
use Pterodactyl\Exceptions\DisplayException;
12
use Pterodactyl\Http\Controllers\Controller;
13
use Illuminate\Foundation\Auth\ResetsPasswords;
14
use Pterodactyl\Http\Requests\Auth\ResetPasswordRequest;
15
use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
16

17
class ResetPasswordController extends Controller
18
{
19
    use ResetsPasswords;
20

21
    /**
22
     * The URL to redirect users to after password reset.
23
     */
24
    public string $redirectTo = '/';
25

26
    protected bool $hasTwoFactor = false;
27

28
    /**
29
     * ResetPasswordController constructor.
30
     */
31
    public function __construct(
32
        private Dispatcher $dispatcher,
33
        private Hasher $hasher,
34
        private UserRepositoryInterface $userRepository,
35
    ) {
36
    }
37

38
    /**
39
     * Reset the given user's password.
40
     *
41
     * @throws DisplayException
42
     */
43
    public function __invoke(ResetPasswordRequest $request): JsonResponse
44
    {
45
        // Here we will attempt to reset the user's password. If it is successful we
46
        // will update the password on an actual user model and persist it to the
47
        // database. Otherwise, we will parse the error and return the response.
48
        $response = $this->broker()->reset(
49
            $this->credentials($request),
50
            function ($user, $password) {
51
                $this->resetPassword($user, $password);
52
            }
53
        );
54

55
        // If the password was successfully reset, we will redirect the user back to
56
        // the application's home authenticated view. If there is an error we can
57
        // redirect them back to where they came from with their error message.
58
        if ($response === Password::PASSWORD_RESET) {
59
            return $this->sendResetResponse();
60
        }
61

62
        throw new DisplayException(trans($response));
63
    }
64

65
    /**
66
     * Reset the given user's password. If the user has two-factor authentication enabled on their
67
     * account do not automatically log them in. In those cases, send the user back to the login
68
     * form with a note telling them their password was changed and to log back in.
69
     *
70
     * @param \Illuminate\Contracts\Auth\CanResetPassword&\Pterodactyl\Models\User $user
71
     * @param string $password
72
     *
73
     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
74
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
75
     */
76
    protected function resetPassword($user, $password)
77
    {
78
        $user = $this->userRepository->update($user->id, [
79
            'password' => $this->hasher->make($password),
80
            $user->getRememberTokenName() => Str::random(60),
81
        ]);
82

83
        $this->dispatcher->dispatch(new PasswordReset($user));
84

85
        // If the user is not using 2FA log them in, otherwise skip this step and force a
86
        // fresh login where they'll be prompted to enter a token.
87
        if (!$user->use_totp) {
88
            $this->guard()->login($user);
89
        }
90

91
        $this->hasTwoFactor = $user->use_totp;
92
    }
93

94
    /**
95
     * Send a successful password reset response back to the callee.
96
     */
97
    protected function sendResetResponse(): JsonResponse
98
    {
99
        return response()->json([
100
            'success' => true,
101
            'redirect_to' => $this->redirectTo,
102
            'send_to_login' => $this->hasTwoFactor,
103
        ]);
104
    }
105
}
106

107