Differential D15476 Diff 37310 src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
| Show First 20 Lines • Show All 99 Lines • ▼ Show 20 Lines | if (!$target_user->canEstablishWebSessions()) { | ||||
| ->addCancelButton('/'); | ->addCancelButton('/'); | ||||
| } | } | ||||
| if ($request->isFormPost()) { | if ($request->isFormPost()) { | ||||
| // If we have an email bound into this URI, verify email so that clicking | // If we have an email bound into this URI, verify email so that clicking | ||||
| // the link in the "Welcome" email is good enough, without requiring users | // the link in the "Welcome" email is good enough, without requiring users | ||||
| // to go through a second round of email verification. | // to go through a second round of email verification. | ||||
| $editor = id(new PhabricatorUserEditor()) | |||||
| ->setActor($target_user); | |||||
| $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); | $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); | ||||
| // Nuke the token and all other outstanding password reset tokens. | // Nuke the token and all other outstanding password reset tokens. | ||||
| // There is no particular security benefit to destroying them all, but | // There is no particular security benefit to destroying them all, but | ||||
| // it should reduce HackerOne reports of nebulous harm. | // it should reduce HackerOne reports of nebulous harm. | ||||
| $editor->revokePasswordResetLinks($target_user); | |||||
| PhabricatorAuthTemporaryToken::revokeTokens( | |||||
| $target_user, | |||||
| array($target_user->getPHID()), | |||||
| array( | |||||
| PhabricatorAuthSessionEngine::ONETIME_TEMPORARY_TOKEN_TYPE, | |||||
| PhabricatorAuthSessionEngine::PASSWORD_TEMPORARY_TOKEN_TYPE, | |||||
| )); | |||||
| if ($target_email) { | if ($target_email) { | ||||
| id(new PhabricatorUserEditor()) | $editor->verifyEmail($target_user, $target_email); | ||||
| ->setActor($target_user) | |||||
| ->verifyEmail($target_user, $target_email); | |||||
| } | } | ||||
| unset($unguarded); | unset($unguarded); | ||||
| $next = '/'; | $next = '/'; | ||||
| if (!PhabricatorPasswordAuthProvider::getPasswordProvider()) { | if (!PhabricatorPasswordAuthProvider::getPasswordProvider()) { | ||||
| $next = '/settings/panel/external/'; | $next = '/settings/panel/external/'; | ||||
| } else { | } else { | ||||
| // We're going to let the user reset their password without knowing | // We're going to let the user reset their password without knowing | ||||
| // the old one. Generate a one-time token for that. | // the old one. Generate a one-time token for that. | ||||
| $key = Filesystem::readRandomCharacters(16); | $key = Filesystem::readRandomCharacters(16); | ||||
| $password_type = | |||||
| PhabricatorAuthPasswordResetTemporaryTokenType::TOKENTYPE; | |||||
| $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); | $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); | ||||
| id(new PhabricatorAuthTemporaryToken()) | id(new PhabricatorAuthTemporaryToken()) | ||||
| ->setObjectPHID($target_user->getPHID()) | ->setObjectPHID($target_user->getPHID()) | ||||
| ->setTokenType( | ->setTokenType($password_type) | ||||
| PhabricatorAuthSessionEngine::PASSWORD_TEMPORARY_TOKEN_TYPE) | |||||
| ->setTokenExpires(time() + phutil_units('1 hour in seconds')) | ->setTokenExpires(time() + phutil_units('1 hour in seconds')) | ||||
| ->setTokenCode(PhabricatorHash::digest($key)) | ->setTokenCode(PhabricatorHash::digest($key)) | ||||
| ->save(); | ->save(); | ||||
| unset($unguarded); | unset($unguarded); | ||||
| $next = (string)id(new PhutilURI('/settings/panel/password/')) | $next = (string)id(new PhutilURI('/settings/panel/password/')) | ||||
| ->setQueryParams( | ->setQueryParams( | ||||
| array( | array( | ||||