
final class PhabricatorAuthSessionEngine
Phabricator Technical Documentation (Auth)

This class is not documented.

Tasks

Using Sessions

  • public function loadUserForSession($session_type, $session_token) — Load the user identity associated with a session of a given type, identified by token.

Creating Sessions

No methods for this task.

High Security

  • public function requireHighSecurityToken($viewer, $request, $cancel_uri) — Require the user respond to a high security (MFA) check.
  • public function requireHighSecuritySession($viewer, $request, $cancel_uri, $jump_into_hisec) — Require high security, or prompt the user to enter high security.
  • private function issueHighSecurityToken($session, $force) — Issue a high security token for a session, if authorized.
  • public function renderHighSecurityForm($factors, $validation_results, $viewer, $request) — Render a form for providing relevant multi-factor credentials.
  • public function exitHighSecurity($viewer, $session) — Strip the high security flag from a session.

Partial Sessions

One Time Login URIs

  • public function getOneTimeLoginURI($user, $email, $type, $force_full_session) — Retrieve a temporary, one-time URI which can log in to an account.
  • public function loadOneTimeLoginKey($user, $email, $key) — Load the temporary token associated with a given one-time login key.

User Cache

Other Methods

  • public function setWorkflowKey($workflow_key)
  • public function getWorkflowKey()
  • public function getRequest()
  • public static function getSessionKindFromToken($session_token) — Get the session kind (e.g., anonymous, user, external account) from a session token. Returns a `KIND_` constant.
  • public function establishSession($session_type, $identity_phid, $partial) — Issue a new session key for a given identity. Phabricator supports different types of sessions (like "web" and "conduit") and each session type may have multiple concurrent sessions (this allows a user to be logged in on multiple browsers at the same time, for instance).
  • public function terminateLoginSessions($user, $except_session) — Terminate all of a user's login sessions.
  • public function logoutSession($user, $session)
  • private function newHighSecurityToken($viewer, $request, $cancel_uri, $jump_into_hisec, $upgrade_session)
  • private function getOneTimeLoginKeyHash($user, $email, $key) — Hash a one-time login key for storage as a temporary token.
  • private function filterRawCacheData($user, $types_map, $cache_raw)
  • public function willServeRequestForUser($user)
  • private function extendSession($session)

Methods

public function setWorkflowKey($workflow_key)

This method is not documented.
Parameters
$workflow_key
Return
wild

public function getWorkflowKey()

This method is not documented.
Return
wild

public function getRequest()

This method is not documented.
Return
wild

public static function getSessionKindFromToken($session_token)

Get the session kind (e.g., anonymous, user, external account) from a session token. Returns a KIND_ constant.

Parameters
string $session_token: Session token.
Return
const: Session kind constant.

public function loadUserForSession($session_type, $session_token)

Load the user identity associated with a session of a given type, identified by token.

When the user presents a session token to an API, this method verifies it is of the correct type and loads the corresponding identity if the session exists and is valid.

NOTE: $session_type is the type of session that is required by the loading context. This prevents use of a Conduit session as a Web session, for example.
Parameters
const $session_type: The type of session to load.
string $session_token: The session token.
Return
PhabricatorUser|null

public function establishSession($session_type, $identity_phid, $partial)

Issue a new session key for a given identity. Phabricator supports different types of sessions (like "web" and "conduit") and each session type may have multiple concurrent sessions (this allows a user to be logged in on multiple browsers at the same time, for instance).

Note that this method is transport-agnostic and does not set cookies or issue other types of tokens; it ONLY generates a new session key.

You can configure the maximum number of concurrent sessions for various session types in the Phabricator configuration.

Parameters
const $session_type: Session type constant (see PhabricatorAuthSession).
phid|null $identity_phid: Identity to establish a session for, usually a user PHID. With `null`, generates an anonymous session.
bool $partial: True to issue a partial session.
Return
string: Newly generated session key.
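
The type check described for loadUserForSession() and the key issuance described for establishSession(), modelled as an added example that is not Phabricator's code. ExampleSessionStore, its methods, the keyed-digest storage and the PHID-USER-example value are assumptions made for illustration; random_bytes() requires PHP 7.

```php
<?php
// Added illustration, not Phabricator code: every name here is hypothetical.
final class ExampleSessionStore {
  const TYPE_WEB = 'web';
  const TYPE_CONDUIT = 'conduit';

  private $rows = array();  // digest => row; stands in for the session table
  private $hmacKey;

  public function __construct($hmac_key) {
    $this->hmacKey = $hmac_key;
  }

  // Assumption of this sketch: only a keyed digest of the token is stored,
  // so a copy of the table does not contain usable session tokens.
  private function digest($token) {
    return hash_hmac('sha256', $token, $this->hmacKey);
  }

  // Transport-agnostic: returns the new key, leaves cookies to the caller.
  public function establish($type, $identity_phid, $partial) {
    $token = bin2hex(random_bytes(20));
    $this->rows[$this->digest($token)] = array(
      'type' => $type,
      'identity' => $identity_phid,
      'partial' => (bool)$partial,
    );
    return $token;
  }

  // Returns the identity only if the session exists and was issued for the
  // session type that the loading context requires.
  public function loadIdentity($required_type, $token) {
    if (!is_string($token) || $token === '') {
      return null;
    }
    $digest = $this->digest($token);
    if (!isset($this->rows[$digest])) {
      return null;
    }
    $row = $this->rows[$digest];
    return ($row['type'] === $required_type) ? $row['identity'] : null;
  }
}
$store = new ExampleSessionStore(random_bytes(32));
$token = $store->establish(ExampleSessionStore::TYPE_CONDUIT, 'PHID-USER-example', false);
// The same token presented in its own context, then in a web context.
var_dump($store->loadIdentity(ExampleSessionStore::TYPE_CONDUIT, $token));
var_dump($store->loadIdentity(ExampleSessionStore::TYPE_WEB, $token));
```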

public function terminateLoginSessions($user, $except_session)

Terminate all of a user's login sessions.

This is used when users change passwords, linked accounts, or add multifactor authentication.

Parameters
PhabricatorUser $user: User whose sessions should be terminated.
string|null $except_session: Optionally, one session to keep. Normally, the current login session.
Return
void

public function logoutSession($user, $session)

This method is not documented.
Parameters
PhabricatorUser $user
PhabricatorAuthSession $session
Return
wild

public function requireHighSecurityToken($viewer, $request, $cancel_uri)

Require the user respond to a high security (MFA) check.

This method differs from requireHighSecuritySession() in that it does not upgrade the user's session as a side effect. This method is appropriate for one-time checks.

Parameters
PhabricatorUser $viewer: User whose session needs to be in high security.
AphrontRequest $request: Current request.
string $cancel_uri: URI to return the user to if they cancel.
Return
PhabricatorAuthHighSecurityToken: Security token.

public function requireHighSecuritySession($viewer, $request, $cancel_uri, $jump_into_hisec)

Require high security, or prompt the user to enter high security.

If the user's session is in high security, this method will return a token. Otherwise, it will throw an exception which will eventually be converted into a multi-factor authentication workflow.

This method upgrades the user's session to high security for a short period of time, and is appropriate if you anticipate they may need to take multiple high security actions. To perform a one-time check instead, use requireHighSecurityToken().

Parameters
PhabricatorUser $viewer: User whose session needs to be in high security.
AphrontRequest $request: Current request.
string $cancel_uri: URI to return the user to if they cancel.
bool $jump_into_hisec: True to jump partial sessions directly into high security instead of just upgrading them to full sessions.
Return
PhabricatorAuthHighSecurityToken: Security token.

private function newHighSecurityToken($viewer, $request, $cancel_uri, $jump_into_hisec, $upgrade_session)

This method is not documented.
Parameters
PhabricatorUser $viewer
AphrontRequest $request
$cancel_uri
$jump_into_hisec
$upgrade_session
Return
wild

private function issueHighSecurityToken($session, $force)

Issue a high security token for a session, if authorized.

Parameters
PhabricatorAuthSession $session: Session to issue a token for.
bool $force: Force token issue.
Return
PhabricatorAuthHighSecurityToken|null: Token, if authorized.

public function renderHighSecurityForm($factors, $validation_results, $viewer, $request)

Render a form for providing relevant multi-factor credentials.

Parameters
PhabricatorUser $factors: Viewing user.
AphrontRequest $validation_results: Current request.
PhabricatorUser $viewer
AphrontRequest $request
Return
AphrontFormView: Renderable form.

public function exitHighSecurity($viewer, $session)

Strip the high security flag from a session.

Kicks a session out of high security and logs the exit.

Parameters
PhabricatorUser $viewer: Acting user.
PhabricatorAuthSession $session: Session to return to normal security.
Return
void

public function upgradePartialSession($viewer)

Upgrade a partial session to a full session.

Parameters
PhabricatorAuthSession $viewer: Session to upgrade.
Return
void

public function signLegalpadDocuments($viewer, $docs)

Upgrade a session to have all legalpad documents signed.

Parameters
PhabricatorUser $viewer: User whose session should upgrade.
array $docs: LegalpadDocument objects
Return
void

public function getOneTimeLoginURI($user, $email, $type, $force_full_session)

Retrieve a temporary, one-time URI which can log in to an account.

These URIs are used for password recovery and to regain access to accounts which users have been locked out of.

Parameters
PhabricatorUser $user: User to generate a URI for.
PhabricatorUserEmail $email: Optionally, email to verify when link is used.
string $type: Optional context string for the URI. This is purely cosmetic and used only to customize workflow and error messages.
bool $force_full_session: True to generate a URI which forces an immediate upgrade to a full session, bypassing MFA and other login checks.
Return
string: Login URI.

public function loadOneTimeLoginKey($user, $email, $key)

Load the temporary token associated with a given one-time login key.

Parameters
PhabricatorUser $user: User to load the token for.
PhabricatorUserEmail $email: Optionally, email to verify when link is used.
string $key: Key user is presenting as a valid one-time login key.
Return
PhabricatorAuthTemporaryToken|null: Token, if one exists.

private function getOneTimeLoginKeyHash($user, $email, $key)

Hash a one-time login key for storage as a temporary token.

Parameters
PhabricatorUser $user: User this key is for.
PhabricatorUserEmail $email: Optionally, email to verify when link is used.
string $key: The one time login key.
Return
string: Hash of the key.
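
The one-time login key handling described for getOneTimeLoginURI(), loadOneTimeLoginKey() and getOneTimeLoginKeyHash(), modelled as an added example that is not Phabricator's code. ExampleOneTimeLoginKeys, the HMAC construction, the 24-hour default lifetime, the delete-on-first-use behaviour and all sample values are assumptions made for illustration.

```php
<?php
// Added illustration, not Phabricator code. Names and the default lifetime
// are assumptions of this sketch.
final class ExampleOneTimeLoginKeys {
  private $tokens = array();  // hash => expiry epoch; stands in for storage
  private $hmacKey;
  private $ttl;

  public function __construct($hmac_key, $ttl = 86400) {
    $this->hmacKey = $hmac_key;
    $this->ttl = $ttl;
  }

  // Binds the key to the user and, optionally, an email address, so a key
  // issued for one account or address matches no other.
  private function keyHash($user_phid, $email_id, $key) {
    $parts = array($user_phid, (string)$email_id, $key);
    return hash_hmac('sha256', json_encode($parts), $this->hmacKey);
  }

  // Returns the raw key for the URI; only its hash is retained.
  public function issue($user_phid, $email_id, $now) {
    $key = bin2hex(random_bytes(16));
    $this->tokens[$this->keyHash($user_phid, $email_id, $key)] = $now + $this->ttl;
    return $key;
  }

  // Succeeds at most once per key: the stored hash is deleted on first match,
  // whether or not it had expired.
  public function consume($user_phid, $email_id, $key, $now) {
    $hash = $this->keyHash($user_phid, $email_id, $key);
    if (!isset($this->tokens[$hash])) {
      return false;
    }
    $expires = $this->tokens[$hash];
    unset($this->tokens[$hash]);
    return $now < $expires;
  }
}

$keys = new ExampleOneTimeLoginKeys(random_bytes(32));
$now = 1700000000;  // constructed timestamp
$key = $keys->issue('PHID-USER-example', 7, $now);
// Wrong account, then the first valid use, then a replay of the same key.
var_dump($keys->consume('PHID-USER-other', 7, $key, $now));
var_dump($keys->consume('PHID-USER-example', 7, $key, $now + 60));
var_dump($keys->consume('PHID-USER-example', 7, $key, $now + 120));
```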

private function getUserCacheQueryParts($conn)

This method is not documented.
Parameters
AphrontDatabaseConnection $conn
Return
wild

private function filterRawCacheData($user, $types_map, $cache_raw)

This method is not documented.
Parameters
PhabricatorUser $user
array $types_map
array $cache_raw
Return
wild

public function willServeRequestForUser($user)

This method is not documented.
Parameters
PhabricatorUser $user
Return
wild

private function extendSession($session)

This method is not documented.
Parameters
PhabricatorAuthSession $session
Return
wild