HomePhabricator

Add a pre-enroll step for MFA, primarily as a CSRF gate

Description

Add a pre-enroll step for MFA, primarily as a CSRF gate

Summary:
Depends on D20020. Ref T13222. This puts another step in the MFA enrollment flow: pick a provider; read text and click "Continue"; actually enroll.

This is primarily to stop CSRF attacks, since otherwise an attacker can put <img src="phabricator.com/auth/settings/enroll/?providerPHID=xyz" /> on cute-cat-pix.com and get you to send yourself some SMS enrollment text messages, which would be mildly annoying.

We could skip this step if we already have a valid CSRF token (and we often will), but I think there's some value in doing it anyway. In particular:

  • For SMS/Duo, it seems nice to have an explicit "we're about to hit your phone" button.
  • We could let installs customize this text and give users a smoother onboard.
  • It allows the relatively wordy enroll form to be a little less wordy.
  • For tokens which can expire (SMS, Duo) it might save you from answering too slowly if you have to go dig your phone out of your bag downstairs or something.

Test Plan: Added factors, read text. Tried to CSRF the endpoint, got a dialog instead of a live challenge generation.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D20021