pelican-dev · Boy132 · Apr 20, 2026 · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026
diff --git a/app/Events/User/Deleting.php b/app/Events/User/Deleting.php
@@ -0,0 +1,17 @@
+<?php
+
+namespace App\Events\User;
+
+use App\Events\Event;
+use App\Models\User;
+use Illuminate\Queue\SerializesModels;
+
+class Deleting extends Event
+{
+    use SerializesModels;
+
+    /**
+     * Create a new event instance.
+     */
+    public function __construct(public User $user) {}
+}
diff --git a/app/Events/User/PasswordChanged.php b/app/Events/User/PasswordChanged.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace App\Events\User;
+
+use App\Models\User;
+use Illuminate\Foundation\Events\Dispatchable;
+
+final class PasswordChanged
+{
+    use Dispatchable;
+
+    public function __construct(public readonly User $user) {}
+}
diff --git a/app/Http/Controllers/Api/Client/AccountController.php b/app/Http/Controllers/Api/Client/AccountController.php
@@ -13,10 +13,17 @@
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
+use Illuminate\Support\Facades\RateLimiter;
+use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
 use Throwable;
 
 class AccountController extends ClientApiController
 {
+    /**
+     * The number of seconds that must elapse before the email change throttle resets.
+     */
+    private const EMAIL_UPDATE_THROTTLE = 60 * 60 * 24;
+
     /**
      * AccountController constructor.
      */
@@ -63,10 +70,22 @@ public function updateUsername(UpdateUsernameRequest $request): JsonResponse
      */
     public function updateEmail(UpdateEmailRequest $request): JsonResponse
     {
-        $original = $request->user()->email;
-        $this->updateService->handle($request->user(), $request->validated());
+        $user = $request->user();
+
+        // Only allow a user to change their email three times in the span
+        // of 24 hours. This prevents malicious users from trying to find
+        // existing accounts in the system by constantly changing their email.
+        if (RateLimiter::tooManyAttempts($key = "user:update-email:{$user->uuid}", 3)) {
+            throw new TooManyRequestsHttpException(message: 'Your email address has been changed too many times today. Please try again later.');
+        }
+
+        $original = $user->email;
+
+        if (mb_strtolower($original) !== mb_strtolower($request->validated('email'))) {
+            RateLimiter::hit($key, self::EMAIL_UPDATE_THROTTLE);
+
+            $this->updateService->handle($user, $request->validated());
 
-        if ($original !== $request->input('email')) {
             Activity::event('user:account.email-changed')
                 ->property(['old' => $original, 'new' => $request->input('email')])
                 ->log();
@@ -85,7 +104,9 @@ public function updateEmail(UpdateEmailRequest $request): JsonResponse
      */
     public function updatePassword(UpdatePasswordRequest $request): JsonResponse
     {
-        $user = $this->updateService->handle($request->user(), $request->validated());
+        $user = Activity::event('user:account.password-changed')->transaction(function () use ($request) {
+            return $this->updateService->handle($request->user(), $request->validated());
+        });
 
         $guard = $this->manager->guard();
         // If you do not update the user in the session you'll end up working with a
@@ -98,8 +119,6 @@ public function updatePassword(UpdatePasswordRequest $request): JsonResponse
             $guard->logoutOtherDevices($request->input('password'));
         }
 
-        Activity::event('user:account.password-changed')->log();
-
         return new JsonResponse([], Response::HTTP_NO_CONTENT);
     }
 }
diff --git a/app/Http/Controllers/Api/Client/Servers/BackupController.php b/app/Http/Controllers/Api/Client/Servers/BackupController.php
@@ -87,7 +87,7 @@ public function store(StoreBackupRequest $request, Server $server): array
         }
 
         $backup = Activity::event('server:backup.start')->transaction(function ($log) use ($action, $server, $request) {
-            $server->backups()->lockForUpdate();
+            $server->backups()->lockForUpdate()->count();
 
             $backup = $action->handle($server, $request->input('name'));
 

diff --git a/app/Http/Controllers/Api/Client/Servers/DatabaseController.php b/app/Http/Controllers/Api/Client/Servers/DatabaseController.php
@@ -60,7 +60,7 @@ public function index(GetDatabasesRequest $request, Server $server): array
     public function store(StoreDatabaseRequest $request, Server $server): array
     {
         $database = Activity::event('server:database.create')->transaction(function ($log) use ($request, $server) {
-            $server->databases()->lockForUpdate();
+            $server->databases()->lockForUpdate()->count();
 
             $database = $this->deployDatabaseService->handle($server, $request->validated());
 
@@ -87,15 +87,12 @@ public function store(StoreDatabaseRequest $request, Server $server): array
      */
     public function rotatePassword(RotatePasswordRequest $request, Server $server, Database $database): array
     {
-        $this->managementService->rotatePassword($database);
-        $database->refresh();
-
         Activity::event('server:database.rotate-password')
             ->subject($database)
             ->property('name', $database->database)
-            ->log();
+            ->transaction(fn () => $this->managementService->rotatePassword($database));
 
-        return $this->fractal->item($database)
+        return $this->fractal->item($database->refresh())
             ->parseIncludes(['password'])
             ->transformWith($this->getTransformer(DatabaseTransformer::class))
             ->toArray();

diff --git a/app/Http/Controllers/Api/Client/Servers/StartupController.php b/app/Http/Controllers/Api/Client/Servers/StartupController.php
@@ -87,13 +87,13 @@ public function update(UpdateStartupVariableRequest $request, Server $server): a
 
         $startup = $this->startupCommandService->handle($server);
 
-        if ($variable->env_variable !== $request->input('value')) {
+        if ($original !== $request->input('value')) {
             Activity::event('server:startup.edit')
                 ->subject($variable)
                 ->property([
                     'variable' => $variable->env_variable,
                     'old' => $original,
-                    'new' => $request->input('value'),
+                    'new' => $request->input('value') ?? '',
                 ])
                 ->log();
         }

diff --git a/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php b/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php
@@ -56,7 +56,7 @@ public function __invoke(Request $request, string $backup): JsonResponse
         /** @var Server $server */
         $server = $model->server;
         if ($server->node_id !== $node->id) {
-            throw new HttpForbiddenException('You do not have permission to access that backup.');
+            throw new HttpForbiddenException('Requesting node does not have permission to access this server.');
         }
 
         // Prevent backups that have already been completed from trying to

diff --git a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
@@ -47,7 +47,7 @@ public function index(ReportBackupCompleteRequest $request, string $backup): Jso
         /** @var Server $server */
         $server = $model->server;
         if ($server->node_id !== $node->id) {
-            throw new HttpForbiddenException('You do not have permission to access that backup.');
+            throw new HttpForbiddenException('Requesting node does not have permission to access this server.');
         }
 
         if ($model->is_successful) {
@@ -97,6 +97,11 @@ public function restore(Request $request, string $backup): JsonResponse
         /** @var Backup $model */
         $model = Backup::query()->where('uuid', $backup)->firstOrFail();
 
+        $node = $request->attributes->get('node');
+        if (!$model->server->node->is($node)) {
+            throw new HttpForbiddenException('Requesting node does not have permission to access this server.');
+        }
+
         $model->server->update(['status' => null]);
 
         Activity::event($request->boolean('successful') ? 'server:backup.restore-complete' : 'server.backup.restore-failed')

diff --git a/app/Http/Middleware/SetSecurityHeaders.php b/app/Http/Middleware/SetSecurityHeaders.php
@@ -0,0 +1,46 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
+
+class SetSecurityHeaders
+{
+    /**
+     * Ideally we move away from X-Frame-Options/X-XSS-Protection and implement a
+     * proper standard CSP, but I can guarantee that will break for a lot of folks
+     * using custom plugins and who knows what image embeds.
+     *
+     * We'll circle back to that at a later date when it can be more fully controlled
+     * by the admin to support those cases without too much trouble.
+     *
+     * @var array<string, string>
+     */
+    protected static array $headers = [
+        'X-Frame-Options' => 'DENY',
+        'X-Content-Type-Options' => 'nosniff',
+        'X-XSS-Protection' => '1; mode=block',
+        'Referrer-Policy' => 'no-referrer-when-downgrade',
+    ];
+
+    /**
+     * Enforces some basic security headers on all responses returned by the software.
+     * If a header has already been set in another location within the code it will be
+     * skipped over here.
+     *
+     * @param  (\Closure(mixed): Response)  $next
+     */
+    public function handle(Request $request, \Closure $next): mixed
+    {
+        $response = $next($request);
+
+        foreach (static::$headers as $key => $value) {
+            if (!$response->headers->has($key)) {
+                $response->headers->set($key, $value);
+            }
+        }
+
+        return $response;
+    }
+}
diff --git a/app/Jobs/Job.php b/app/Jobs/Job.php
diff --git a/app/Jobs/RevokeSftpAccessJob.php b/app/Jobs/RevokeSftpAccessJob.php
@@ -0,0 +1,55 @@
+<?php
+
+namespace App\Jobs;
+
+use App\Models\Node;
+use App\Models\Server;
+use App\Repositories\Daemon\DaemonServerRepository;
+use Illuminate\Contracts\Queue\ShouldBeUnique;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Foundation\Queue\Queueable;
+use Illuminate\Http\Client\ConnectionException;
+use Illuminate\Queue\Attributes\DeleteWhenMissingModels;
+use Illuminate\Queue\Attributes\WithoutRelations;
+
+/**
+ * Revokes all SFTP access for a user on a given node or for a specific server.
+ */
+#[DeleteWhenMissingModels]
+class RevokeSftpAccessJob implements ShouldBeUnique, ShouldQueue
+{
+    use Queueable;
+
+    public int $tries = 3;
+
+    public int $maxExceptions = 1;
+
+    public function __construct(
+        public readonly string $user,
+        #[WithoutRelations]
+        public readonly Server|Node $target,
+    ) {}
+
+    public function uniqueId(): string
+    {
+        $target = $this->target instanceof Node ? "node:{$this->target->uuid}" : "server:{$this->target->uuid}";
+
+        return "revoke-sftp:{$this->user}:{$target}";
+    }
+
+    public function handle(DaemonServerRepository $repository): void
+    {
+        try {
+            if ($this->target instanceof Server) {
+                $repository->setServer($this->target)->deauthorize($this->user);
+            } else {
+                $repository->setNode($this->target)->deauthorize($this->user);
+            }
+        } catch (ConnectionException) {
+            // Keep retrying this job with a longer and longer backoff until we hit three
+            // attempts at which point we stop and will assume the node is fully offline
+            // and we are just wasting time.
+            $this->release($this->attempts() * 10);
+        }
+    }
+}
diff --git a/app/Jobs/Schedule/RunTaskJob.php b/app/Jobs/Schedule/RunTaskJob.php
@@ -7,16 +7,18 @@
 use App\Models\Task;
 use Carbon\CarbonImmutable;
 use Exception;
+use Illuminate\Bus\Queueable;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Http\Client\ConnectionException;
 use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\SerializesModels;
 use InvalidArgumentException;
 use Throwable;
 
-class RunTaskJob extends Job implements ShouldQueue
+class RunTaskJob implements ShouldQueue
 {
     use InteractsWithQueue;
+    use Queueable;
     use SerializesModels;
 
     /**

diff --git a/app/Listeners/Auth/PasswordResetListener.php b/app/Listeners/Auth/PasswordResetListener.php
diff --git a/...Listeners/Auth/AuthenticationListener.php → app/Listeners/AuthenticationListener.php b/...Listeners/Auth/AuthenticationListener.php → app/Listeners/AuthenticationListener.php
@@ -1,10 +1,11 @@
 <?php
 
-namespace App\Listeners\Auth;
+namespace App\Listeners;
 
 use App\Facades\Activity;
 use Illuminate\Auth\Events\Failed;
 use Illuminate\Auth\Events\Login;
+use Illuminate\Auth\Events\PasswordReset;
 
 class AuthenticationListener
 {
@@ -16,7 +17,7 @@ class AuthenticationListener
      * Handles an authentication event by logging the user and information about
      * the request.
      */
-    public function handle(Failed|Login $event): void
+    public function login(Failed|Login $event): void
     {
         $activity = Activity::withRequestMetadata();
 
@@ -34,4 +35,12 @@ public function handle(Failed|Login $event): void
 
         $activity->event($event instanceof Failed ? 'auth:fail' : 'auth:success')->log();
     }
+
+    public function reset(PasswordReset $event): void
+    {
+        Activity::event('event:password-reset')
+            ->withRequestMetadata()
+            ->subject($event->user)
+            ->log();
+    }
 }