
D20019.diff

D20019.diff

diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -2296,6 +2296,7 @@
'PhabricatorAuthNeedsApprovalController' => 'applications/auth/controller/PhabricatorAuthNeedsApprovalController.php',
'PhabricatorAuthNeedsMultiFactorController' => 'applications/auth/controller/PhabricatorAuthNeedsMultiFactorController.php',
'PhabricatorAuthNewController' => 'applications/auth/controller/config/PhabricatorAuthNewController.php',
+ 'PhabricatorAuthNewFactorAction' => 'applications/auth/action/PhabricatorAuthNewFactorAction.php',
'PhabricatorAuthOldOAuthRedirectController' => 'applications/auth/controller/PhabricatorAuthOldOAuthRedirectController.php',
'PhabricatorAuthOneTimeLoginController' => 'applications/auth/controller/PhabricatorAuthOneTimeLoginController.php',
'PhabricatorAuthOneTimeLoginTemporaryTokenType' => 'applications/auth/tokentype/PhabricatorAuthOneTimeLoginTemporaryTokenType.php',
@@ -8021,6 +8022,7 @@
'PhabricatorAuthNeedsApprovalController' => 'PhabricatorAuthController',
'PhabricatorAuthNeedsMultiFactorController' => 'PhabricatorAuthController',
'PhabricatorAuthNewController' => 'PhabricatorAuthProviderConfigController',
+ 'PhabricatorAuthNewFactorAction' => 'PhabricatorSystemAction',
'PhabricatorAuthOldOAuthRedirectController' => 'PhabricatorAuthController',
'PhabricatorAuthOneTimeLoginController' => 'PhabricatorAuthController',
'PhabricatorAuthOneTimeLoginTemporaryTokenType' => 'PhabricatorAuthTemporaryTokenType',
diff --git a/src/applications/auth/action/PhabricatorAuthNewFactorAction.php b/src/applications/auth/action/PhabricatorAuthNewFactorAction.php
new file mode 100644
--- /dev/null
+++ b/src/applications/auth/action/PhabricatorAuthNewFactorAction.php
@@ -0,0 +1,21 @@
+<?php
+
+final class PhabricatorAuthNewFactorAction extends PhabricatorSystemAction {
+
+ const TYPECONST = 'auth.factor.new';
+
+ public function getActionConstant() {
+ return self::TYPECONST;
+ }
+
+ public function getScoreThreshold() {
+ return 60 / phutil_units('1 hour in seconds');
+ }
+
+ public function getLimitExplanation() {
+ return pht(
+ 'You have failed too many attempts to synchronize new multi-factor '.
+ 'authentication methods in a short period of time.');
+ }
+
+}
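Review bot: `getScoreThreshold()` returns the bare expression `60 / phutil_units('1 hour in seconds')` with nothing saying what rate is intended, so a reader has to work out that the engine scores in points per second and this allows 60 attempts per hour. Suggest a comment above the return, `// 60 attempts per hour; the action engine scores in points per second.`. The class also has no docblock; a one-line description such as `Rate-limit action charged when a user attempts to add a new multi-factor method; the settings panel spends one point per form post and refunds it when the factor is saved.` would tie it to how the panel hunk in this diff uses it. The limit explanation says "synchronize", while the action is charged for every add-factor attempt, so "add" may be the clearer word unless "synchronize" is the deliberate user-facing term.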
diff --git a/src/applications/settings/panel/PhabricatorMultiFactorSettingsPanel.php b/src/applications/settings/panel/PhabricatorMultiFactorSettingsPanel.php
--- a/src/applications/settings/panel/PhabricatorMultiFactorSettingsPanel.php
+++ b/src/applications/settings/panel/PhabricatorMultiFactorSettingsPanel.php
@@ -234,12 +234,36 @@
$form = id(new AphrontFormView())
->setViewer($viewer);
+ if ($request->isFormPost()) {
+ // Subject users to rate limiting so that it's difficult to add factors
+ // by pure brute force. This is normally not much of an attack, but push
+ // factor types may have side effects.
+ PhabricatorSystemActionEngine::willTakeAction(
+ array($viewer->getPHID()),
+ new PhabricatorAuthNewFactorAction(),
+ 1);
+ } else {
+ // Test the limit before showing the user a form, so we don't give them
+ // a form which can never possibly work because it will always hit rate
+ // limiting.
+ PhabricatorSystemActionEngine::willTakeAction(
+ array($viewer->getPHID()),
+ new PhabricatorAuthNewFactorAction(),
+ 0);
+ }
+
$config = $selected_provider->processAddFactorForm(
$form,
$request,
$user);
if ($config) {
+ // If the user added a factor, give them a rate limiting point back.
+ PhabricatorSystemActionEngine::willTakeAction(
+ array($viewer->getPHID()),
+ new PhabricatorAuthNewFactorAction(),
+ -1);
+
$config->save();
$log = PhabricatorUserLog::initializeNewLog(
