Page MenuHomePhabricator

When issuing a "no-op" MFA token because no MFA is configured, don't give the timeline story a badge

Authored by epriestley on Jan 30 2020, 3:33 PM.



Fixes T13475. Sometimes, we issue a "no op" / "default permit" / "unchallenged" MFA token, when a user with no MFA configured does something which is configured to attempt (but not strictly require) MFA.

An example of this kind of action is changing a username: usernames may be changed even if MFA is not set up.

(Some other operations, notably "Sign With MFA", strictly require that MFA actually be set up.)

When a user with no MFA configured takes a "try MFA" action, we see that they have no factors configured and issue a token so they can continue. This is correct. However, this token causes the assocaited timeline story to get an MFA badge.

This badge is incorrect or at least wildly misleading, since the technical assertion it currently makes ("the user answered any configured MFA challenge to do this, if one exists") isn't explained properly and isn't useful anyway.

Instead, only badge the story if the user actually has MFA and actually responded to some kind of MFA challege. The badge now asserts "this user responded to an MFA challenge", which is expected/desired.

Test Plan
  • As a user with no MFA, renamed a user. Before patch: badged story. After patch: no badge.
  • As a user with MFA, renamed a user. Got badged stories in both cases.

Diff Detail

rP Phabricator
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley created this revision.Jan 30 2020, 3:33 PM
This revision was not accepted when it landed; it landed in state Needs Review.Jan 30 2020, 3:34 PM
epriestley requested review of this revision.
This revision was automatically updated to reflect the committed changes.