Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F15429472
D19843.id.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
4 KB
Referenced Files
None
Subscribers
None
D19843.id.diff
View Options
diff --git a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
--- a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
+++ b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
@@ -345,6 +345,33 @@
/* -( High Security )------------------------------------------------------ */
+ /**
+ * Require the user respond to a high security (MFA) check.
+ *
+ * This method differs from @{method:requireHighSecuritySession} in that it
+ * does not upgrade the user's session as a side effect. This method is
+ * appropriate for one-time checks.
+ *
+ * @param PhabricatorUser User whose session needs to be in high security.
+ * @param AphrontReqeust Current request.
+ * @param string URI to return the user to if they cancel.
+ * @return PhabricatorAuthHighSecurityToken Security token.
+ * @task hisec
+ */
+ public function requireHighSecurityToken(
+ PhabricatorUser $viewer,
+ AphrontRequest $request,
+ $cancel_uri) {
+
+ return $this->newHighSecurityToken(
+ $viewer,
+ $request,
+ $cancel_uri,
+ false,
+ false);
+ }
+
+
/**
* Require high security, or prompt the user to enter high security.
*
@@ -352,6 +379,11 @@
* token. Otherwise, it will throw an exception which will eventually
* be converted into a multi-factor authentication workflow.
*
+ * This method upgrades the user's session to high security for a short
+ * period of time, and is appropriate if you anticipate they may need to
+ * take multiple high security actions. To perform a one-time check instead,
+ * use @{method:requireHighSecurityToken}.
+ *
* @param PhabricatorUser User whose session needs to be in high security.
* @param AphrontReqeust Current request.
* @param string URI to return the user to if they cancel.
@@ -367,11 +399,30 @@
$cancel_uri,
$jump_into_hisec = false) {
+ return $this->newHighSecurityToken(
+ $viewer,
+ $request,
+ $cancel_uri,
+ false,
+ true);
+ }
+
+ private function newHighSecurityToken(
+ PhabricatorUser $viewer,
+ AphrontRequest $request,
+ $cancel_uri,
+ $jump_into_hisec,
+ $upgrade_session) {
+
if (!$viewer->hasSession()) {
throw new Exception(
pht('Requiring a high-security session from a user with no session!'));
}
+ // TODO: If a user answers a "requireHighSecurityToken()" prompt and hits
+ // a "requireHighSecuritySession()" prompt a short time later, the one-shot
+ // token should be good enough to upgrade the session.
+
$session = $viewer->getSession();
// Check if the session is already in high security mode.
@@ -441,6 +492,11 @@
return $this->issueHighSecurityToken($session, true);
}
+ // If we aren't upgrading the session itself, just issue a token.
+ if (!$upgrade_session) {
+ return $this->issueHighSecurityToken($session, true);
+ }
+
$until = time() + phutil_units('15 minutes in seconds');
$session->setHighSecurityUntil($until);
diff --git a/src/applications/legalpad/controller/LegalpadDocumentSignController.php b/src/applications/legalpad/controller/LegalpadDocumentSignController.php
--- a/src/applications/legalpad/controller/LegalpadDocumentSignController.php
+++ b/src/applications/legalpad/controller/LegalpadDocumentSignController.php
@@ -149,15 +149,16 @@
}
$errors = array();
+ $hisec_token = null;
if ($request->isFormOrHisecPost() && !$has_signed) {
// Require two-factor auth to sign legal documents.
if ($viewer->isLoggedIn()) {
- $engine = new PhabricatorAuthSessionEngine();
- $engine->requireHighSecuritySession(
- $viewer,
- $request,
- '/'.$document->getMonogram());
+ $hisec_token = id(new PhabricatorAuthSessionEngine())
+ ->requireHighSecurityToken(
+ $viewer,
+ $request,
+ $document->getURI());
}
list($form_data, $errors, $field_errors) = $this->readSignatureForm(
diff --git a/src/applications/legalpad/storage/LegalpadDocument.php b/src/applications/legalpad/storage/LegalpadDocument.php
--- a/src/applications/legalpad/storage/LegalpadDocument.php
+++ b/src/applications/legalpad/storage/LegalpadDocument.php
@@ -120,7 +120,7 @@
return 'L'.$this->getID();
}
- public function getViewURI() {
+ public function getURI() {
return '/'.$this->getMonogram();
}
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Tue, Mar 25, 2:34 AM (5 d, 7 h ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
7721174
Default Alt Text
D19843.id.diff (4 KB)
Attached To
Mode
D19843: Allow applications to require a High Security token without doing a session upgrade
Attached
Detach File
Event Timeline
Log In to Comment