- Maniphest Tasks
- T13043: Improve authentication revocation behaviors
- rPabc030fa008b: Move account passwords to shared infrastructure
- Ran migration.
- Spot checked table for general sanity.
- Logged in with an existing password.
- Hit all error conditions on "change password", "set password", "register new account" flows.
- Verified that changing password logs out other sessions.
- Verified that revoked passwords of a different type can't be selected.
- Changed passwords a bunch.
- Verified that salt regenerates properly after password change.
- Tried to login with the wrong password, which didn't work.
There's a little bit of juggling here to make sure that the migration runs okay if the unique key on phid gets added sooner than we expect. This just gives each new password a unique value, then the followup migrations overwrite them with real PHIDs.
It turns out this comment is out of date; CSRF tokens haven't depended on any secret shared with passwords in a long time.