Page MenuHomePhabricator
Differential D20018

Don't rate limit users clicking "Wait Patiently" at an MFA gate even if they typed some text earlier
ClosedPublic
Actions

Authored by epriestley on Jan 23 2019, 3:12 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Jan 1, 1:36 PM
Unknown Object (File)
Mon, Dec 30, 5:58 AM
Unknown Object (File)
Fri, Dec 27, 5:48 PM
Unknown Object (File)
Sat, Dec 7, 11:29 PM
Unknown Object (File)
Nov 27 2024, 2:09 PM
Unknown Object (File)
Nov 25 2024, 7:52 AM
Unknown Object (File)
Nov 23 2024, 12:37 AM
Unknown Object (File)
Nov 19 2024, 10:54 AM
View All Files
Subscribers
None

Details

Reviewers
amckinley
Maniphest Tasks
T13222: 2018 Week 48-51 Bonus Content
Commits
rPe91bc26da685: Don't rate limit users clicking "Wait Patiently" at an MFA gate even if they…
Summary

Depends on D20017. Ref T13222. Currently, if you:

  • type some text at a TOTP gate;
  • wait ~60 seconds for the challenge to expire;
  • submit the form into a "Wait patiently" message; and
  • mash that wait button over and over again very patiently

...you still rack up rate limiting points, because the hidden text from your original request is preserved and triggers the "is the user responding to a challenge" test. Only perform this test if we haven't already decided that we're going to make them wait.

Test Plan
  • Did the above; before patch: rate limited; after patch: not rate limited.
  • Intentionally typed a bunch of bad answers which were actually evaluated: rate limited properly.

Diff Detail

Repository
rP Phabricator
Branch
mfa13
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 21643
Build 29513: Run Core Tests
Build 29512: arc lint + arc unit

Event Timeline

epriestley updated this revision to Diff 47790.Jan 23 2019, 3:12 PM
epriestley created this revision.
  • Wordsmithing.
Harbormaster completed remote builds in B21642: Diff 47789.Jan 23 2019, 3:14 PM
Harbormaster completed remote builds in B21643: Diff 47790.
epriestley requested review of this revision.Jan 23 2019, 3:15 PM
epriestley added inline comments.Jan 23 2019, 3:17 PM
src/applications/auth/engine/PhabricatorAuthSessionEngine.php
579–583

We're doing the same check here, this change primarily makes the two tests consistent.

(These loops could possibly be combined; I'll take a look if I end up refactoring here for SMS.)

epriestley added a child revision: D20019: Add a rate limit for enroll attempts when adding new MFA configurations.Jan 23 2019, 3:29 PM
amckinley accepted this revision.Jan 23 2019, 6:53 PM
This revision is now accepted and ready to land.Jan 23 2019, 6:53 PM
Closed by commit rPe91bc26da685: Don't rate limit users clicking "Wait Patiently" at an MFA gate even if they… (authored by epriestley). · Explain WhyJan 23 2019, 10:11 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
src/
applications/
auth/
engine/
9 lines

Diff 47790

View Options

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

Loading...
Phabricator · Built by Phacility