pterodactyl
GitHub Repository: pterodactyl/panel
Path: blob/1.0-develop/app/Http/Controllers/Auth/ResetPasswordController.php
<?php
namespace Pterodactyl\Http\Controllers\Auth;
use Illuminate\Support\Str;
use Illuminate\Http\JsonResponse;
use Illuminate\Contracts\Hashing\Hasher;
use Illuminate\Support\Facades\Password;
use Illuminate\Auth\Events\PasswordReset;
use Illuminate\Contracts\Events\Dispatcher;
use Pterodactyl\Events\User\PasswordChanged;
use Pterodactyl\Exceptions\DisplayException;
use Pterodactyl\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\ResetsPasswords;
use Pterodactyl\Http\Requests\Auth\ResetPasswordRequest;
use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
class ResetPasswordController extends Controller
{
    use ResetsPasswords;

    /**
     * Path returned to the client as the destination after a successful reset.
     */
    public string $redirectTo = '/';

    /**
     * Set during the reset from the account's `use_totp` flag. When true the
     * client is told to go through the login form instead of being signed in.
     */
    protected bool $hasTwoFactor = false;

    /**
     * Receives the event dispatcher, the password hasher and the user
     * repository that the reset flow relies on.
     */
    public function __construct(
        private Dispatcher $dispatcher,
        private Hasher $hasher,
        private UserRepositoryInterface $userRepository,
    ) {
    }

    /**
     * Handle a password reset submission.
     *
     * The credentials taken from the request are handed to the password broker;
     * the new password is persisted only through the callback the broker runs
     * as part of that reset attempt. Any status other than a successful reset
     * is translated and raised as a DisplayException.
     *
     * @throws DisplayException
     */
    public function __invoke(ResetPasswordRequest $request): JsonResponse
    {
        $credentials = $this->credentials($request);

        // The broker decides whether the reset goes ahead; this controller only
        // supplies the step that stores the new password.
        $status = $this->broker()->reset(
            $credentials,
            function ($account, $newPassword) {
                $this->resetPassword($account, $newPassword);
            }
        );

        if ($status !== Password::PASSWORD_RESET) {
            // NOTE(review): the translated broker status is shown to the caller
            // as-is. If the broker reports "unknown user" and "invalid token"
            // as different statuses, the message can reveal whether an address
            // is registered — confirm this is acceptable, or use one wording.
            throw new DisplayException(trans($status));
        }

        return $this->sendResetResponse();
    }

    /**
     * Persist the new password for the given user and decide whether to sign
     * them in. Accounts with two-factor authentication enabled are never logged
     * in automatically here: they are sent back to the login form, where the
     * second factor is requested, so a reset link alone does not yield a session.
     *
     * @param \Illuminate\Contracts\Auth\CanResetPassword&\Pterodactyl\Models\User $user
     * @param string $password
     *
     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
     */
    protected function resetPassword($user, $password)
    {
        // Only the hash is stored. A fresh random remember token is written in
        // the same update, so a remember-me cookie issued before the reset
        // should no longer match the stored value.
        $changes = [
            'password' => $this->hasher->make($password),
            $user->getRememberTokenName() => Str::random(60),
        ];
        $account = $this->userRepository->update($user->id, $changes);

        // NOTE(review): nothing in this method ends sessions that were already
        // open elsewhere — confirm whether a listener for one of these events
        // takes care of that.
        $this->dispatcher->dispatch(new PasswordReset($account));
        PasswordChanged::dispatch($account);

        // Automatic login is limited to accounts without TOTP; everyone else
        // must complete a fresh login that prompts for a token.
        if (!$account->use_totp) {
            $this->guard()->login($account);
        }

        $this->hasTwoFactor = $account->use_totp;
    }

    /**
     * Build the JSON body returned to the caller after a successful reset:
     * a success flag, the redirect path, and whether the client should send
     * the user to the login form (true when the account uses two-factor).
     */
    protected function sendResetResponse(): JsonResponse
    {
        $payload = [
            'success' => true,
            'redirect_to' => $this->redirectTo,
            'send_to_login' => $this->hasTwoFactor,
        ];

        return response()->json($payload);
    }
}