Page MenuHomePhabricator

Allow "bin/auth recover" to generate a link which forces a full login session
ClosedPublic

Authored by epriestley on Dec 18 2018, 7:17 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Mar 27, 5:29 PM
Unknown Object (File)
Sat, Mar 23, 5:43 PM
Unknown Object (File)
Fri, Mar 22, 9:48 PM
Unknown Object (File)
Fri, Mar 22, 9:48 PM
Unknown Object (File)
Thu, Mar 21, 11:56 AM
Unknown Object (File)
Feb 21 2024, 5:41 AM
Unknown Object (File)
Feb 3 2024, 8:24 PM
Unknown Object (File)
Dec 27 2023, 12:59 PM
Subscribers
None

Details

Summary

Depends on D19902. Ref T13222. This is mostly a "while I'm in here..." change since MFA is getting touched so much anyway.

Doing cluster support, I sometimes need to log into user accounts on instances that have MFA. I currently accomplish this by doing bin/auth recover, getting a parital session, and then forcing it into a full session in the database. This is inconvenient and somewhat dangerous.

Instead, allow bin/auth recover to generate a link that skips the "partial session" stage: adding required MFA, providing MFA, and signing legalpad documents.

Anyone who can run bin/auth recover can do this anyway, this just reduces the chance I accidentally bypass MFA on the wrong session when doing support stuff.

Test Plan
  • Logged in with bin/auth recover, was prompted for MFA.
  • Logged in with bin/auth recover --force-full-session, was not prompted for MFA.
  • Did a password reset, followed reset link, was prompted for MFA.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable