
Correct a possible fatal in the non-CSRF Duo MFA workflow
Closed, Public

Authored by epriestley on Mar 1 2019, 3:28 AM.

Details

Summary

Ref T13259. If we miss the separate CSRF step in Duo and proceed directly to prompting, we may fail to build a response which turns into a real control and fatal on null->setLabel().

Instead, let MFA providers customize their "bare prompt dialog" response, then make Duo use the same "you have an outstanding request" response for the CSRF and no-CSRF workflows.

Test Plan

Hit Duo auth on a non-CSRF workflow (e.g., edit an MFA provider with Duo enabled). Previously: setLabel() fatal. After patch: smooth sailing.

Diff Detail

Repository
rP Phabricator
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley created this revision. (Mar 1 2019, 3:28 AM)
epriestley requested review of this revision. (Mar 1 2019, 3:30 AM)
amckinley accepted this revision. (Mar 5 2019, 6:37 PM)
This revision is now accepted and ready to land. (Mar 5 2019, 6:37 PM)
This revision was automatically updated to reflect the committed changes.