Correct a possible fatal in the non-CSRF Duo MFA workflow
Closed, Public

Authored by epriestley on Mar 1 2019, 3:28 AM.

Details

Summary

Ref T13259. If we miss the separate CSRF step in Duo and proceed directly to prompting, we may fail to build a response which turns into a real control and fatal on null->setLabel().

Instead, let MFA providers customize their "bare prompt dialog" response, then make Duo use the same "you have an outstanding request" response for the CSRF and no-CSRF workflows.

Test Plan

Hit Duo auth on a non-CSRF workflow (e.g., edit an MFA provider with Duo enabled). Previously: setLabel() fatal. After patch: smooth sailing.

Diff Detail

Repository: rP Phabricator
Lint: Lint Not Applicable
Unit: Tests Not Applicable