Changeset View
Changeset View
Standalone View
Standalone View
src/applications/auth/engine/PhabricatorAuthSessionEngine.php
| Show First 20 Lines • Show All 561 Lines • ▼ Show 20 Lines | foreach ($factors as $factor) { | ||||
| $validation_results[$factor_phid] = $result; | $validation_results[$factor_phid] = $result; | ||||
| } | } | ||||
| if ($request->isHTTPPost()) { | if ($request->isHTTPPost()) { | ||||
| $request->validateCSRF(); | $request->validateCSRF(); | ||||
| if ($request->getExists(AphrontRequest::TYPE_HISEC)) { | if ($request->getExists(AphrontRequest::TYPE_HISEC)) { | ||||
| // Limit factor verification rates to prevent brute force attacks. | // Limit factor verification rates to prevent brute force attacks. | ||||
| $any_attempt = false; | |||||
| foreach ($factors as $factor) { | |||||
| $impl = $factor->requireImplementation(); | |||||
| if ($impl->getRequestHasChallengeResponse($factor, $request)) { | |||||
| $any_attempt = true; | |||||
| break; | |||||
| } | |||||
| } | |||||
| if ($any_attempt) { | |||||
| PhabricatorSystemActionEngine::willTakeAction( | PhabricatorSystemActionEngine::willTakeAction( | ||||
| array($viewer->getPHID()), | array($viewer->getPHID()), | ||||
| new PhabricatorAuthTryFactorAction(), | new PhabricatorAuthTryFactorAction(), | ||||
| 1); | 1); | ||||
| } | |||||
| foreach ($factors as $factor) { | foreach ($factors as $factor) { | ||||
| $factor_phid = $factor->getPHID(); | $factor_phid = $factor->getPHID(); | ||||
| // If we already have a validation result from previously issued | // If we already have a validation result from previously issued | ||||
| // challenges, skip validating this factor. | // challenges, skip validating this factor. | ||||
| if (isset($validation_results[$factor_phid])) { | if (isset($validation_results[$factor_phid])) { | ||||
| continue; | continue; | ||||
| Show All 23 Lines | if ($request->isHTTPPost()) { | ||||
| // same response to take two different actions, even if those actions | // same response to take two different actions, even if those actions | ||||
| // are of the same type. | // are of the same type. | ||||
| foreach ($validation_results as $validation_result) { | foreach ($validation_results as $validation_result) { | ||||
| $challenge = $validation_result->getAnsweredChallenge() | $challenge = $validation_result->getAnsweredChallenge() | ||||
| ->markChallengeAsCompleted(); | ->markChallengeAsCompleted(); | ||||
| } | } | ||||
| // Give the user a credit back for a successful factor verification. | // Give the user a credit back for a successful factor verification. | ||||
| if ($any_attempt) { | |||||
| PhabricatorSystemActionEngine::willTakeAction( | PhabricatorSystemActionEngine::willTakeAction( | ||||
| array($viewer->getPHID()), | array($viewer->getPHID()), | ||||
| new PhabricatorAuthTryFactorAction(), | new PhabricatorAuthTryFactorAction(), | ||||
| -1); | -1); | ||||
| } | |||||
| if ($session->getIsPartial() && !$jump_into_hisec) { | if ($session->getIsPartial() && !$jump_into_hisec) { | ||||
| // If we have a partial session and are not jumping directly into | // If we have a partial session and are not jumping directly into | ||||
| // hisec, just issue a token without putting it in high security | // hisec, just issue a token without putting it in high security | ||||
| // mode. | // mode. | ||||
| return $this->issueHighSecurityToken($session, true); | return $this->issueHighSecurityToken($session, true); | ||||
| } | } | ||||
| ▲ Show 20 Lines • Show All 447 Lines • Show Last 20 Lines | |||||