HomePhabricator
Diffusion Phabricator e91bc26da685

Don't rate limit users clicking "Wait Patiently" at an MFA gate even if they…
e91bc26da685
Actions

Description

Don't rate limit users clicking "Wait Patiently" at an MFA gate even if they typed some text earlier

Summary:
Depends on D20017. Ref T13222. Currently, if you:

  • type some text at a TOTP gate;
  • wait ~60 seconds for the challenge to expire;
  • submit the form into a "Wait patiently" message; and
  • mash that wait button over and over again very patiently

...you still rack up rate limiting points, because the hidden text from your original request is preserved and triggers the "is the user responding to a challenge" test. Only perform this test if we haven't already decided that we're going to make them wait.

Test Plan:

  • Did the above; before patch: rate limited; after patch: not rate limited.
  • Intentionally typed a bunch of bad answers which were actually evaluated: rate limited properly.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D20018

Details

Provenance
epriestleyAuthored on Jan 23 2019, 3:09 PM
epriestleyPushed on Jan 23 2019, 10:11 PM
Reviewer
amckinley
Differential Revision
D20018: Don't rate limit users clicking "Wait Patiently" at an MFA gate even if they typed some text earlier
Parents
rPbb20c136513c: Allow MFA factors to provide more guidance text on create workflows
Branches
Unknown
Tags
Unknown
Tasks
T13222: 2018 Week 48-51 Bonus Content
Build Status
Buildable 21668
Build 29550: Run Core Tests

Changes (1)

PathSize
src/
applications/
auth/
engine/

rPe91bc26da685

View Options

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

Loading...
Phabricator · Built by Phacility