Page MenuHomePhabricator

Don't rate limit users clicking "Wait Patiently" at an MFA gate even if they typed some text earlier
ClosedPublic

Authored by epriestley on Jan 23 2019, 3:12 PM.

Details

Summary

Depends on D20017. Ref T13222. Currently, if you:

  • type some text at a TOTP gate;
  • wait ~60 seconds for the challenge to expire;
  • submit the form into a "Wait patiently" message; and
  • mash that wait button over and over again very patiently

...you still rack up rate limiting points, because the hidden text from your original request is preserved and triggers the "is the user responding to a challenge" test. Only perform this test if we haven't already decided that we're going to make them wait.

Test Plan
  • Did the above; before patch: rate limited; after patch: not rate limited.
  • Intentionally typed a bunch of bad answers which were actually evaluated: rate limited properly.

Diff Detail

Repository
rP Phabricator
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley updated this revision to Diff 47790.Jan 23 2019, 3:12 PM
epriestley created this revision.
  • Wordsmithing.
Harbormaster completed remote builds in B21643: Diff 47790.
epriestley requested review of this revision.Jan 23 2019, 3:15 PM
epriestley added inline comments.Jan 23 2019, 3:17 PM
src/applications/auth/engine/PhabricatorAuthSessionEngine.php
579–583

We're doing the same check here, this change primarily makes the two tests consistent.

(These loops could possibly be combined; I'll take a look if I end up refactoring here for SMS.)

amckinley accepted this revision.Jan 23 2019, 6:53 PM
This revision is now accepted and ready to land.Jan 23 2019, 6:53 PM
This revision was automatically updated to reflect the committed changes.