Page MenuHomePhabricator

Make external link/refresh use provider IDs, switch external account MFA to one-shot
ClosedPublic

Authored by epriestley on Feb 7 2019, 1:43 AM.
Tags
None
Referenced Files
F17924530: D20117.diff
Wed, Jul 30, 10:06 AM
F17769886: D20117.id48032.diff
Wed, Jul 23, 9:04 AM
F17749027: D20117.diff
Tue, Jul 22, 12:52 AM
F17748633: D20117.diff
Tue, Jul 22, 12:15 AM
Unknown Object (File)
Thu, Jul 3, 10:08 AM
Unknown Object (File)
Tue, Jul 1, 9:10 PM
Unknown Object (File)
Tue, Jul 1, 7:10 PM
Unknown Object (File)
Jun 2 2025, 10:14 AM
Subscribers
None

Details

Summary

Depends on D20113. Ref T6703. Continue moving toward a future where multiple copies of a given type of provider may exist.

Switch MFA from session-MFA at the start to one-shot MFA at the actual link action.

Add one-shot MFA to the unlink action. This theoretically prevents an attacker from unlinking an account while you're getting coffee, registering alIce which they control, adding a copy of your profile picture, and then trying to trick you into writing a private note with your personal secrets or something.

Test Plan

Linked and unlinked accounts. Refreshed account. Unlinked, then registered a new account. Unlinked, then relinked to my old account.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable