Differential D15476 Diff 37310 src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
Show First 20 Lines • Show All 99 Lines • ▼ Show 20 Lines | if (!$target_user->canEstablishWebSessions()) { | ||||
->addCancelButton('/'); | ->addCancelButton('/'); | ||||
} | } | ||||
if ($request->isFormPost()) { | if ($request->isFormPost()) { | ||||
// If we have an email bound into this URI, verify email so that clicking | // If we have an email bound into this URI, verify email so that clicking | ||||
// the link in the "Welcome" email is good enough, without requiring users | // the link in the "Welcome" email is good enough, without requiring users | ||||
// to go through a second round of email verification. | // to go through a second round of email verification. | ||||
$editor = id(new PhabricatorUserEditor()) | |||||
->setActor($target_user); | |||||
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); | $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); | ||||
// Nuke the token and all other outstanding password reset tokens. | // Nuke the token and all other outstanding password reset tokens. | ||||
// There is no particular security benefit to destroying them all, but | // There is no particular security benefit to destroying them all, but | ||||
// it should reduce HackerOne reports of nebulous harm. | // it should reduce HackerOne reports of nebulous harm. | ||||
$editor->revokePasswordResetLinks($target_user); | |||||
PhabricatorAuthTemporaryToken::revokeTokens( | |||||
$target_user, | |||||
array($target_user->getPHID()), | |||||
array( | |||||
PhabricatorAuthSessionEngine::ONETIME_TEMPORARY_TOKEN_TYPE, | |||||
PhabricatorAuthSessionEngine::PASSWORD_TEMPORARY_TOKEN_TYPE, | |||||
)); | |||||
if ($target_email) { | if ($target_email) { | ||||
id(new PhabricatorUserEditor()) | $editor->verifyEmail($target_user, $target_email); | ||||
->setActor($target_user) | |||||
->verifyEmail($target_user, $target_email); | |||||
} | } | ||||
unset($unguarded); | unset($unguarded); | ||||
$next = '/'; | $next = '/'; | ||||
if (!PhabricatorPasswordAuthProvider::getPasswordProvider()) { | if (!PhabricatorPasswordAuthProvider::getPasswordProvider()) { | ||||
$next = '/settings/panel/external/'; | $next = '/settings/panel/external/'; | ||||
} else { | } else { | ||||
// We're going to let the user reset their password without knowing | // We're going to let the user reset their password without knowing | ||||
// the old one. Generate a one-time token for that. | // the old one. Generate a one-time token for that. | ||||
$key = Filesystem::readRandomCharacters(16); | $key = Filesystem::readRandomCharacters(16); | ||||
$password_type = | |||||
PhabricatorAuthPasswordResetTemporaryTokenType::TOKENTYPE; | |||||
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); | $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); | ||||
id(new PhabricatorAuthTemporaryToken()) | id(new PhabricatorAuthTemporaryToken()) | ||||
->setObjectPHID($target_user->getPHID()) | ->setObjectPHID($target_user->getPHID()) | ||||
->setTokenType( | ->setTokenType($password_type) | ||||
PhabricatorAuthSessionEngine::PASSWORD_TEMPORARY_TOKEN_TYPE) | |||||
->setTokenExpires(time() + phutil_units('1 hour in seconds')) | ->setTokenExpires(time() + phutil_units('1 hour in seconds')) | ||||
->setTokenCode(PhabricatorHash::digest($key)) | ->setTokenCode(PhabricatorHash::digest($key)) | ||||
->save(); | ->save(); | ||||
unset($unguarded); | unset($unguarded); | ||||
$next = (string)id(new PhutilURI('/settings/panel/password/')) | $next = (string)id(new PhutilURI('/settings/panel/password/')) | ||||
->setQueryParams( | ->setQueryParams( | ||||
array( | array( | ||||
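Review bot: The new `$editor->revokePasswordResetLinks($target_user);` replaces a `PhabricatorAuthTemporaryToken::revokeTokens()` call that explicitly listed both `ONETIME_TEMPORARY_TOKEN_TYPE` and `PASSWORD_TEMPORARY_TOKEN_TYPE`, yet the comment kept above it still promises to "nuke the token" (the one-time login token being redeemed here), and `revokePasswordResetLinks()` is defined outside this hunk, so it cannot be confirmed from the visible lines that the one-time token is still revoked; if it is not, the login link remains redeemable until its expiry instead of being consumed on first use. It is also worth confirming that the helper revokes the token type now issued a few lines below, `PhabricatorAuthPasswordResetTemporaryTokenType::TOKENTYPE`, rather than the constant the removed code used, since a mismatch would leave freshly issued password-reset tokens outside the revocation. A short comment at the call site naming the token types it covers would make this auditable, e.g. `// Also consumes the one-time login token redeemed here (see PhabricatorUserEditor).`, once that has been verified. The enclosing method starts and ends outside this hunk.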