Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F15440663
D19903.id47514.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
5 KB
Referenced Files
None
Subscribers
None
D19903.id47514.diff
View Options
diff --git a/src/applications/auth/controller/PhabricatorAuthController.php b/src/applications/auth/controller/PhabricatorAuthController.php
--- a/src/applications/auth/controller/PhabricatorAuthController.php
+++ b/src/applications/auth/controller/PhabricatorAuthController.php
@@ -45,9 +45,12 @@
* event and do something else if they prefer.
*
* @param PhabricatorUser User to log the viewer in as.
+ * @param bool True to issue a full session immediately, bypassing MFA.
* @return AphrontResponse Response which continues the login process.
*/
- protected function loginUser(PhabricatorUser $user) {
+ protected function loginUser(
+ PhabricatorUser $user,
+ $force_full_session = false) {
$response = $this->buildLoginValidateResponse($user);
$session_type = PhabricatorAuthSession::TYPE_WEB;
@@ -66,8 +69,14 @@
$should_login = $event->getValue('shouldLogin');
if ($should_login) {
+ if ($force_full_session) {
+ $partial_session = false;
+ } else {
+ $partial_session = true;
+ }
+
$session_key = id(new PhabricatorAuthSessionEngine())
- ->establishSession($session_type, $user->getPHID(), $partial = true);
+ ->establishSession($session_type, $user->getPHID(), $partial_session);
// NOTE: We allow disabled users to login and roadblock them later, so
// there's no check for users being disabled here.
diff --git a/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php b/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
--- a/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
+++ b/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
@@ -152,7 +152,12 @@
PhabricatorCookies::setNextURICookie($request, $next, $force = true);
- return $this->loginUser($target_user);
+ $force_full_session = false;
+ if ($link_type === PhabricatorAuthSessionEngine::ONETIME_RECOVER) {
+ $force_full_session = $token->getShouldForceFullSession();
+ }
+
+ return $this->loginUser($target_user, $force_full_session);
}
// NOTE: We need to CSRF here so attackers can't generate an email link,
diff --git a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
--- a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
+++ b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
@@ -893,24 +893,28 @@
* link is used.
* @param string Optional context string for the URI. This is purely cosmetic
* and used only to customize workflow and error messages.
+ * @param bool True to generate a URI which forces an immediate upgrade to
+ * a full session, bypassing MFA and other login checks.
* @return string Login URI.
* @task onetime
*/
public function getOneTimeLoginURI(
PhabricatorUser $user,
PhabricatorUserEmail $email = null,
- $type = self::ONETIME_RESET) {
+ $type = self::ONETIME_RESET,
+ $force_full_session = false) {
$key = Filesystem::readRandomCharacters(32);
$key_hash = $this->getOneTimeLoginKeyHash($user, $email, $key);
$onetime_type = PhabricatorAuthOneTimeLoginTemporaryTokenType::TOKENTYPE;
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
- id(new PhabricatorAuthTemporaryToken())
+ $token = id(new PhabricatorAuthTemporaryToken())
->setTokenResource($user->getPHID())
->setTokenType($onetime_type)
->setTokenExpires(time() + phutil_units('1 day in seconds'))
->setTokenCode($key_hash)
+ ->setShouldForceFullSession($force_full_session)
->save();
unset($unguarded);
diff --git a/src/applications/auth/management/PhabricatorAuthManagementRecoverWorkflow.php b/src/applications/auth/management/PhabricatorAuthManagementRecoverWorkflow.php
--- a/src/applications/auth/management/PhabricatorAuthManagementRecoverWorkflow.php
+++ b/src/applications/auth/management/PhabricatorAuthManagementRecoverWorkflow.php
@@ -13,7 +13,13 @@
'of Phabricator.'))
->setArguments(
array(
- 'username' => array(
+ array(
+ 'name' => 'force-full-session',
+ 'help' => pht(
+ 'Recover directly into a full session without requiring MFA '.
+ 'or other login checks.'),
+ ),
+ array(
'name' => 'username',
'wildcard' => true,
),
@@ -54,11 +60,14 @@
$username));
}
+ $force_full_session = $args->getArg('force-full-session');
+
$engine = new PhabricatorAuthSessionEngine();
$onetime_uri = $engine->getOneTimeLoginURI(
$user,
null,
- PhabricatorAuthSessionEngine::ONETIME_RECOVER);
+ PhabricatorAuthSessionEngine::ONETIME_RECOVER,
+ $force_full_session);
$console = PhutilConsole::getConsole();
$console->writeOut(
diff --git a/src/applications/auth/storage/PhabricatorAuthTemporaryToken.php b/src/applications/auth/storage/PhabricatorAuthTemporaryToken.php
--- a/src/applications/auth/storage/PhabricatorAuthTemporaryToken.php
+++ b/src/applications/auth/storage/PhabricatorAuthTemporaryToken.php
@@ -106,6 +106,16 @@
return $this;
}
+ public function setShouldForceFullSession($force_full) {
+ return $this->setTemporaryTokenProperty('force-full-session', $force_full);
+ }
+
+ public function getShouldForceFullSession() {
+ return $this->getTemporaryTokenProperty('force-full-session', false);
+ }
+
+
+
/* -( PhabricatorPolicyInterface )----------------------------------------- */
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Thu, Mar 27, 2:01 PM (2 w, 1 d ago)
Storage Engine
blob
Storage Format
Encrypted (AES-256-CBC)
Storage Handle
7221260
Default Alt Text
D19903.id47514.diff (5 KB)
Attached To
Mode
D19903: Allow "bin/auth recover" to generate a link which forces a full login session
Attached
Detach File
Event Timeline
Log In to Comment