src/applications/auth/engine/PhabricatorAuthSessionEngine.php
Show First 20 Lines • Show All 551 Lines • ▼ Show 20 Lines | private function newHighSecurityToken( | ||||
if ($request->isHTTPPost()) { | if ($request->isHTTPPost()) { | ||||
$request->validateCSRF(); | $request->validateCSRF(); | ||||
if ($request->getExists(AphrontRequest::TYPE_HISEC)) { | if ($request->getExists(AphrontRequest::TYPE_HISEC)) { | ||||
// Limit factor verification rates to prevent brute force attacks. | // Limit factor verification rates to prevent brute force attacks. | ||||
$any_attempt = false; | $any_attempt = false; | ||||
foreach ($factors as $factor) { | foreach ($factors as $factor) { | ||||
$factor_phid = $factor->getPHID(); | |||||
$provider = $factor->getFactorProvider(); | $provider = $factor->getFactorProvider(); | ||||
$impl = $provider->getFactor(); | $impl = $provider->getFactor(); | ||||
// If we already have a result (normally "wait..."), we won't try | |||||
// to validate whatever the user submitted, so this doesn't count as | |||||
// an attempt for rate limiting purposes. | |||||
if (isset($validation_results[$factor_phid])) { | |||||
continue; | |||||
} | |||||
if ($impl->getRequestHasChallengeResponse($factor, $request)) { | if ($impl->getRequestHasChallengeResponse($factor, $request)) { | ||||
$any_attempt = true; | $any_attempt = true; | ||||
break; | break; | ||||
} | } | ||||
} | } | ||||
if ($any_attempt) { | if ($any_attempt) { | ||||
PhabricatorSystemActionEngine::willTakeAction( | PhabricatorSystemActionEngine::willTakeAction( | ||||
array($viewer->getPHID()), | array($viewer->getPHID()), | ||||
new PhabricatorAuthTryFactorAction(), | new PhabricatorAuthTryFactorAction(), | ||||
1); | 1); | ||||
} | } | ||||
foreach ($factors as $factor) { | foreach ($factors as $factor) { | ||||
$factor_phid = $factor->getPHID(); | $factor_phid = $factor->getPHID(); | ||||
// If we already have a validation result from previously issued | // If we already have a validation result from previously issued | ||||
// challenges, skip validating this factor. | // challenges, skip validating this factor. | ||||
if (isset($validation_results[$factor_phid])) { | if (isset($validation_results[$factor_phid])) { | ||||
continue; | continue; | ||||
} | } | ||||
epriestley: We're doing the same check here, this change primarily makes the two tests consistent.
(These… | |||||
$issued_challenges = idx($challenge_map, $factor_phid, array()); | $issued_challenges = idx($challenge_map, $factor_phid, array()); | ||||
$provider = $factor->getFactorProvider(); | $provider = $factor->getFactorProvider(); | ||||
$impl = $provider->getFactor(); | $impl = $provider->getFactor(); | ||||
$validation_result = $impl->getResultFromChallengeResponse( | $validation_result = $impl->getResultFromChallengeResponse( | ||||
$factor, | $factor, | ||||
We're doing the same check here, this change primarily makes the two tests consistent.
(These loops could possibly be combined; I'll take a look if I end up refactoring here for SMS.)
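Review bot: In the new first loop the skip guard `if (isset($validation_results[$factor_phid])) { continue; }` is placed after `$provider = $factor->getFactorProvider();` and `$impl = $provider->getFactor();`, so a factor that already has a result still pays for both lookups even though nothing from them is used. Moving the guard directly under `$factor_phid = $factor->getPHID();` and leaving the two lookups below it avoids that work and reads as an ordinary guard clause, mirroring the order the second loop already uses. The rate-limit outcome is unchanged: only factors that the second loop will actually validate count toward `PhabricatorAuthTryFactorAction`, which is what the added comment describes. `$validation_results`, `$factors` and `$challenge_map` are defined before the hunk, and `newHighSecurityToken` continues past it, so I could not check how a factor acquires a pre-existing result.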