5866 Commits

Author SHA1 Message Date
Dane Everitt
659c33f0e8
Fixes a bug that allows a user to bypass 2FA authentication requirements
This bug was reported to us by a user (@Ferry#1704) on Discord on
Monday, November 7th, 2016.

It was disclosed that it was possible to bypass the 2FA checkpoint by
clicking outside of the modal which would prompt the modal to close,
but not submit the form. The user could then press the login button
which would trigger an error. Due to this error being triggered the
authentication attempt was not cancelled. On the next page load the
application recognized the user as logged in and continued on to the
panel.

At no time was it possible to login without using the correct email
address and password.

As a result of this bug we have refactored the Authentication code for
logins to address the persistent session. Previously accounts were
manually logged back out on 2FA failure. However, as this bug
demonstrated, causing a fatal error in the code would prevent the
logout code from firing, thus preserving their session state.

This commit modifies the code to use a non-persistent login to handle
2FA checking. In order for the session to be saved the application must
complete all portions of the login without any errors, at which point
the user is persistently authenticated using Auth::login().

This resolves the ability to cause an exception and bypass 2FA
verification.
2016-11-07 15:55:57 -05:00
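The control-flow difference the commit message describes, written out as an added, framework-free PHP illustration (this is not Pterodactyl's code). The session is a plain array, the credential and TOTP checks are constructed stand-ins, and the "missing code" path throws to model the fatal error from the bug report. The mapping to Laravel calls in the comments (Auth::once()/Auth::validate() for a non-persistent check, Auth::login() for the final persistent login, Auth::logout() for the old manual logout) is my own and is not taken from the commit.

```php
<?php
// Added example: "persist first, undo on failure" versus "verify everything, then persist".
// Not project code. Session is an in-memory array; users and secrets are constructed.

declare(strict_types=1);

// Constructed user table: one account with 2FA enabled.
const USERS = [
    'admin@example.com' => ['totp_enabled' => true],
];

function passwordOk(string $email, string $password): bool
{
    // Constructed credential check (a real implementation compares a stored hash).
    return $email === 'admin@example.com' && $password === 'correct horse';
}

function totpOk(?string $code): bool
{
    // Constructed stand-in for a TOTP library. A null code models the bug report:
    // the modal was dismissed, the form never submitted a code, and the
    // verification step blew up with an error instead of returning false.
    if ($code === null) {
        throw new RuntimeException('2FA code missing');
    }
    return $code === '123456';
}

// Old pattern described in the commit: the session is written as soon as the
// password matches (Laravel: a persistent Auth::attempt()), and only a later
// manual logout undoes it when 2FA fails.
function loginPersistFirst(array &$session, string $email, string $password, ?string $code): bool
{
    if (!passwordOk($email, $password)) {
        return false;
    }
    $session['user'] = $email;                                  // persisted before 2FA is checked
    if (USERS[$email]['totp_enabled'] && !totpOk($code)) {      // throws when $code is null
        unset($session['user']);                                // manual logout (Auth::logout()); skipped if totpOk threw
        return false;
    }
    return true;
}

// New pattern described in the commit: nothing is persisted until every step has
// succeeded (Laravel: Auth::once()/Auth::validate() for the check, Auth::login() at the end).
function loginVerifyThenPersist(array &$session, string $email, string $password, ?string $code): bool
{
    if (!passwordOk($email, $password)) {
        return false;
    }
    if (USERS[$email]['totp_enabled'] && !totpOk($code)) {      // may throw; session untouched either way
        return false;
    }
    $session['user'] = $email;                                  // the only place the session is written
    return true;
}

// Drive one login request. An exception ends the request with an error page,
// but whatever was already written to $session survives into the next request,
// which is exactly what the "next page load" in the report observed.
function attempt(callable $flow, ?string $code): string
{
    $session = [];
    try {
        $flow($session, 'admin@example.com', 'correct horse', $code);
    } catch (RuntimeException $e) {
        // request aborted; $session is whatever the flow left behind
    }
    return isset($session['user']) ? 'LOGGED IN' : 'not logged in';
}

printf("persist-first, missing code: %s\n", attempt('loginPersistFirst', null));
printf("verify-first,  missing code: %s\n", attempt('loginVerifyThenPersist', null));
printf("verify-first,  wrong code:   %s\n", attempt('loginVerifyThenPersist', '000000'));
printf("verify-first,  right code:   %s\n", attempt('loginVerifyThenPersist', '123456'));
```

Run with `php` on the command line. In the persist-first flow the throw in `totpOk()` skips the `unset()`, so the session still carries the user after the failed request; in the verify-then-persist flow the session is only written after the 2FA check has returned true, so a throw or a wrong code leaves it empty. The general rule a reviewer would check for: no authentication state is committed to the session until every factor has been verified, so that an exception on any intermediate step fails closed.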
Dane Everitt
b5a778549e Merge pull request #163 from Pterodactyl/develop
Merge develop into master
2016-11-05 00:05:41 -04:00
Dane Everitt
e77b984596
remove beta notice. 🎉🎉🎉 2016-11-04 22:01:30 -04:00
Dane Everitt
702c1d6ba6
Official bump to v0.5.0 🎉 2016-11-04 22:00:32 -04:00
Dane Everitt
01a60549cf
Update changelog 2016-11-04 21:59:28 -04:00
Dane Everitt
48994c1354
Fix the other user bug... 2016-11-04 21:50:47 -04:00
Dane Everitt
4359252545
Fix a @schrej bug 2016-11-04 21:46:16 -04:00
Dane Everitt
9ea88b5053
Fix checkboxes not displaying checkmarks, closes #162 2016-11-04 21:41:56 -04:00
Dane Everitt
e30fb43c24
Prepare changelog for v0.5.0 release 2016-11-04 21:02:27 -04:00
Dane Everitt
cd3f5ed6fe
Correct password setting for MySQL user 2016-11-04 20:47:40 -04:00
Dane Everitt
61e65294af
Fix bug preventing rendering of database hosts when not linked to a node. 2016-11-04 20:44:56 -04:00
Dane Everitt
e0696900bb
Fix issue that would prevent Ark servers from being added to servers.
Renamed migration file to force it to re-run on previously migrated
systems.
2016-11-04 20:37:40 -04:00
Dane Everitt
b586feab2d Merge pull request #161 from schrej/patch-1
only push stuff from the terminal outputQueue if there is something i…
2016-11-02 00:15:11 -04:00
Jakob
6c6a49e709 only push stuff from the terminal outputQueue if there is something inside
this allows to scroll on the console again
2016-11-01 23:22:07 +01:00
Dane Everitt
ee851c9f34
😒
I think the first name makes more sense, but I guess it's just me…
2016-10-31 17:46:35 -04:00
Dane Everitt
9e68937b45
this kills the crab... 🦀 2016-10-31 17:25:00 -04:00
Dane Everitt
873ddd204d
Hotfix for broken rc.1 installs and upgrades 2016-10-31 17:15:30 -04:00
Dane Everitt
a55220da39
Fix missing environment variables relating to queues 2016-10-30 18:34:50 -04:00
Dane Everitt
1c9f916dcb Update CHANGELOG.md 2016-10-30 16:27:17 -04:00
Jakob
e65dc5708d Validate password on reset according to rules (#158)
* move password rules to Models\User::PASSWORD_RULES

* validate new password according to rules on password reset

* add password requirements info to auth.passwords.reset view
2016-10-30 16:02:39 -04:00
Dane Everitt
9d69f47ade
Here ya go @ET-Bent support for Ark 2016-10-30 00:25:13 -04:00
Dane Everitt
0741ab6833
Revamped resource graphing, uses chart.js 2016-10-30 00:06:55 -04:00
Dane Everitt
013c36fe81
💣 destroy player listing 2016-10-29 21:46:53 -04:00
Dane Everitt
d3220fa553
Fixes double error display on login forms 2016-10-29 20:29:26 -04:00
Dane Everitt
51c07bf1f2
🎉 Add support for uploading files from file listing! 🎉
closes #22
2016-10-28 18:21:12 -04:00
Dane Everitt
63d7062f3c
Make dates a little more user friendly 2016-10-28 16:34:23 -04:00
Dane Everitt
449324fa1c
Show spinner when decompressing files. 2016-10-28 15:54:57 -04:00
Dane Everitt
ac82194ed4
Faster file uploads and less console spam 2016-10-28 15:39:58 -04:00
Dane Everitt
2e288f4146 Update changelog 2016-10-27 20:39:13 -04:00
Dane Everitt
bcaaefbc64 Merge pull request #155 from Pterodactyl/feature/database-improvements
Foreign Keys & Deletion Improvements
2016-10-27 20:29:52 -04:00
Dane Everitt
dabd94344d
fix .env 2016-10-27 20:27:19 -04:00
Dane Everitt
ff93d6ce16
Rebase 2016-10-27 20:14:24 -04:00
Dane Everitt
6fd7c78f0c
Add server deletion to a queue.
This action allows servers to be deleted, but only soft-deleted for
10 minutes. After that time period the server will be completely
removed from the database and daemon. This allows some safety if a
server is accidentally deleted.

Force deleting a server will still work. If the daemon is inaccessible
the server will fail to be deleted. When a server is soft-deleted admins
can still view its information page in the admin CP, however the server
will be suspended and inaccessible on the front-end or through the
daemon.

Admins can manually delete the server ahead of the delete timer, or if
it failed to delete previously they can do an immediate retry.
2016-10-27 20:05:29 -04:00
Dane Everitt
dbec99498d
run task manager tasks at lowest priority 2016-10-27 18:50:10 -04:00
Dane Everitt
f80e481263
Add support for SQS and Redis in queue system 2016-10-27 17:16:47 -04:00
Dane Everitt
bb96039bf1
use low priority queue for tasks 2016-10-27 16:35:50 -04:00
Dane Everitt
59c29dc3a6
Use hard-coded versions, add sqs and redis deps for availability out of the box. 2016-10-27 16:35:39 -04:00
Dane Everitt
045864aa96
Prevent accidental DoS of users if server sends a rapid feed of data to the console.
Configurable speed in environment file.
2016-10-23 21:31:29 -04:00
Dane Everitt
13ce251593
Add foreign keys to all necessary tables 👏
I thoroughly hate myself for doing MEDIUMINT(8) on so many tables.
2016-10-23 20:48:34 -04:00
Dane Everitt
55c9f0f2f2
Delete databases when we delete a server. 2016-10-23 19:21:57 -04:00
Dane Everitt
08b236ac1d
better port checking, don't send rebuild unless things are changed. 2016-10-23 19:07:29 -04:00
Dane Everitt
0b044b3cc6
fixes bug that would allow deleting the default allocation for a server. 2016-10-23 18:59:13 -04:00
Dane Everitt
0a481b325c
Clean up server display a bit 2016-10-23 18:55:41 -04:00
Dane Everitt
dda5d9aa01
Fix no error display if adding a server with an invalid email 2016-10-23 18:48:14 -04:00
Michael Parker
8c1fe3056f Correcting BungeeCord issue (#152)
* Correcting BungeeCord issue
2016-10-23 18:34:59 -04:00
Dane Everitt
6b011fcd36
Add file manager refresh without reload; ❤️ @parkervcp 2016-10-21 18:09:35 -04:00
Dane Everitt
6b89dbd451
Fix errors on node graphs
These graphs will be removed in a future release, so I’m not going to
make them look pretty right now.
2016-10-21 17:37:47 -04:00
Dane Everitt
ad906e0680
FQDN support for allocations, and JS bug fix. 2016-10-21 17:33:26 -04:00
Dane Everitt
176d92176e
Run tasks every minute as needed
Clear logs every month (configurable) for old tasks logs.
2016-10-21 16:36:40 -04:00
Dane Everitt
6731f7ffbc
Modernize user pages a bit 2016-10-21 15:50:10 -04:00