Page MenuHomePhabricator

Add a pre-enroll step for MFA, primarily as a CSRF gate
ClosedPublic

Authored by epriestley on Wed, Jan 23, 5:50 PM.

Details

Summary

Depends on D20020. Ref T13222. This puts another step in the MFA enrollment flow: pick a provider; read text and click "Continue"; actually enroll.

This is primarily to stop CSRF attacks, since otherwise an attacker can put <img src="phabricator.com/auth/settings/enroll/?providerPHID=xyz" /> on cute-cat-pix.com and get you to send yourself some SMS enrollment text messages, which would be mildly annoying.

We could skip this step if we already have a valid CSRF token (and we often will), but I think there's some value in doing it anyway. In particular:

  • For SMS/Duo, it seems nice to have an explicit "we're about to hit your phone" button.
  • We could let installs customize this text and give users a smoother onboard.
  • It allows the relatively wordy enroll form to be a little less wordy.
  • For tokens which can expire (SMS, Duo) it might save you from answering too slowly if you have to go dig your phone out of your bag downstairs or something.
Test Plan

Added factors, read text. Tried to CSRF the endpoint, got a dialog instead of a live challenge generation.

Diff Detail

Repository
rP Phabricator
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley created this revision.Wed, Jan 23, 5:50 PM
epriestley requested review of this revision.Wed, Jan 23, 5:52 PM
amckinley accepted this revision.Wed, Jan 23, 7:36 PM
This revision is now accepted and ready to land.Wed, Jan 23, 7:36 PM
This revision was automatically updated to reflect the committed changes.