src/applications/auth/engine/PhabricatorAuthSessionEngine.php
| Show First 20 Lines • Show All 551 Lines • ▼ Show 20 Lines | private function newHighSecurityToken( | ||||
| if ($request->isHTTPPost()) { | if ($request->isHTTPPost()) { | ||||
| $request->validateCSRF(); | $request->validateCSRF(); | ||||
| if ($request->getExists(AphrontRequest::TYPE_HISEC)) { | if ($request->getExists(AphrontRequest::TYPE_HISEC)) { | ||||
| // Limit factor verification rates to prevent brute force attacks. | // Limit factor verification rates to prevent brute force attacks. | ||||
| $any_attempt = false; | $any_attempt = false; | ||||
| foreach ($factors as $factor) { | foreach ($factors as $factor) { | ||||
| $factor_phid = $factor->getPHID(); | |||||
| $provider = $factor->getFactorProvider(); | $provider = $factor->getFactorProvider(); | ||||
| $impl = $provider->getFactor(); | $impl = $provider->getFactor(); | ||||
| // If we already have a result (normally "wait..."), we won't try | |||||
| // to validate whatever the user submitted, so this doesn't count as | |||||
| // an attempt for rate limiting purposes. | |||||
| if (isset($validation_results[$factor_phid])) { | |||||
| continue; | |||||
| } | |||||
| if ($impl->getRequestHasChallengeResponse($factor, $request)) { | if ($impl->getRequestHasChallengeResponse($factor, $request)) { | ||||
| $any_attempt = true; | $any_attempt = true; | ||||
| break; | break; | ||||
| } | } | ||||
| } | } | ||||
| if ($any_attempt) { | if ($any_attempt) { | ||||
| PhabricatorSystemActionEngine::willTakeAction( | PhabricatorSystemActionEngine::willTakeAction( | ||||
| array($viewer->getPHID()), | array($viewer->getPHID()), | ||||
| new PhabricatorAuthTryFactorAction(), | new PhabricatorAuthTryFactorAction(), | ||||
| 1); | 1); | ||||
| } | } | ||||
| foreach ($factors as $factor) { | foreach ($factors as $factor) { | ||||
| $factor_phid = $factor->getPHID(); | $factor_phid = $factor->getPHID(); | ||||
| // If we already have a validation result from previously issued | // If we already have a validation result from previously issued | ||||
| // challenges, skip validating this factor. | // challenges, skip validating this factor. | ||||
| if (isset($validation_results[$factor_phid])) { | if (isset($validation_results[$factor_phid])) { | ||||
| continue; | continue; | ||||
| } | } | ||||
epriestley: We're doing the same check here, this change primarily makes the two tests consistent.
(These… | |||||
| $issued_challenges = idx($challenge_map, $factor_phid, array()); | $issued_challenges = idx($challenge_map, $factor_phid, array()); | ||||
| $provider = $factor->getFactorProvider(); | $provider = $factor->getFactorProvider(); | ||||
| $impl = $provider->getFactor(); | $impl = $provider->getFactor(); | ||||
| $validation_result = $impl->getResultFromChallengeResponse( | $validation_result = $impl->getResultFromChallengeResponse( | ||||
| $factor, | $factor, | ||||
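Review bot: In the new skip check of the first loop, `$provider` and `$impl` are resolved before the `isset($validation_results[$factor_phid])` guard, so the factor provider lookup still runs for factors that are about to be skipped; moving the `continue` block directly after `$factor_phid = $factor->getPHID();` mirrors the order used in the second loop and avoids the unneeded lookup. The effect of the guard on rate limiting is worth stating in the comment, since a response submitted for a factor that already has a result is neither validated nor counted against `PhabricatorAuthTryFactorAction`, e.g. `// A response for a factor that already has a result is never validated below, so it must not count toward the rate limit either.` The two loops now compute the same `$factor_phid`/`$provider`/`$impl` triple and apply the same skip condition, so if the `isset()` condition ever changes it has to change in both places. `newHighSecurityToken` starts before and continues after the visible hunk.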
We're doing the same check here, this change primarily makes the two tests consistent.
(These loops could possibly be combined; I'll take a look if I end up refactoring here for SMS.)