Differential D19906

Fix a double-prompt for MFA when recovering a password account
ClosedPublic
Actions

Authored by epriestley on Dec 18 2018, 8:04 PM.

Details

Reviewers

amckinley

Maniphest Tasks

T13222: 2018 Week 48-51 Bonus Content

Commits

rP918f4ebcd82c: Fix a double-prompt for MFA when recovering a password account

Summary

Depends on D19905. Ref T13222. In D19843, I refactored this stuff but $jump_into_hisec was dropped.

This is a hint to keep the upgraded session in hisec mode, which we need to do a password reset when using a recovery link. Without it, we double prompt you for MFA: first to upgrade to a full session, then to change your password.

Pass this into the engine properly to avoid the double-prompt.

Test Plan

Used bin/auth recover to get a partial session with MFA enabled and a password provider.
Before: double MFA prompt.
After: session stays upgraded when it becomes full, no second prompt.

Diff Detail

Repository

rP Phabricator

Lint

Automatic diff as part of commit; lint not applicable.

Unit

Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley created this revision.Dec 18 2018, 8:04 PM

Harbormaster completed remote builds in B21371: Diff 47517.Dec 18 2018, 8:05 PM

epriestley requested review of this revision.Dec 18 2018, 8:05 PM

epriestley added a child revision: D19908: Improve UI for "wait" and "answered" MFA challenges.Dec 18 2018, 10:19 PM

amckinley accepted this revision.Dec 18 2018, 11:16 PM

This revision is now accepted and ready to land.Dec 18 2018, 11:16 PM

Closed by commit rP918f4ebcd82c: Fix a double-prompt for MFA when recovering a password account (authored by epriestley). · Explain WhyFri, Dec 28, 8:17 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

			Path	Packages
M			src/applications/auth/engine/PhabricatorAuthSessionEngine.php (2 lines)

Diff	ID	Base	Description	Created	Lint	Unit
Base			Base
Diff 1	47517	58f2b94		Dec 18 2018, 8:04 PM	★	★
Diff 2	47594	ca39be6	rP918f4ebcd82ce83046abac10146452f3c735bc51	Fri, Dec 28, 8:17 AM	★	★

Status	Author	Revision
Closed	epriestley	D19909 Remove the "willApplyTransactions()" hook from ApplicationTransactionEditor
Closed	epriestley	D19908 Improve UI for "wait" and "answered" MFA challenges
Closed	epriestley	D19906 Fix a double-prompt for MFA when recovering a password account
Closed	epriestley	D19905 Make partial sessions expire after 30 minutes, and do not extend them
Closed	epriestley	D19904 Remove support for the "TYPE_AUTH_WILLLOGIN" event
Closed	epriestley	D19903 Allow "bin/auth recover" to generate a link which forces a full login session
Closed	epriestley	D19902 Allow tokens to be awarded to MFA-required objects
Closed	epriestley	D19901 Allow "MFA Required" objects to be edited without MFA if the edit is only creating inverse edges
Closed	epriestley	D19900 Improve UI messaging around "one-shot" vs "session upgrade" MFA
Closed	epriestley	D19899 Allow objects to be put in an "MFA required for all interactions" mode, and support "MFA required" statuses in Maniphest
Closed	epriestley	D19898 Tighten some MFA/TOTP parameters to improve resistance to brute force attacks
Closed	epriestley	D19897 Allow any transaction group to be signed with a one-shot "Sign With MFA" action
Closed	epriestley	D19896 In Legalpad, prompt for MFA at the end of the workflow instead of the beginning
Closed	epriestley	D19895 Carry MFA responses which have been "answered" but not "completed" through the MFA workflow
Closed	epriestley	D19894 Explicitly mark MFA challenges as "answered" and "completed"
Closed	epriestley	D19893 When accepting a TOTP response, require it respond explicitly to a specific challenge
Closed	epriestley	D19890 Simplify and correct some challenge TTL lockout code
Closed	epriestley	D19889 Bind MFA challenges to particular workflows, like signing a specific Legalpad document
Closed	epriestley	D19888 Add a garbage collector for MFA challenges
Closed	epriestley	D19886 Track MFA "challenges" so we can bind challenges to sessions and support SMS and other push MFA

Diff 47594

View Options

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

Fix a double-prompt for MFA when recovering a password accountClosedPublicActions