2019 Week 4 (Late January)

Updated 1,907 Days AgoPublic

Actions

Summary of changes from January 18th, 2019 to January 25th, 2019.

• These changes were promoted to stable.

General

Google Auth: Google is deprecating some Google+ APIs used by the Google OAuth adapter. The adapter has been updated to use stable APIs. Older versions of Phabricator are expected to begin seeing intermittent failures from Google on January 28th, and the APIs are expected to stop working entirely on March 7th.

Multi-factor Authentication

Multi-factor authentication is now configurable in Auth → Multi-Factor.

Existing installs where at least one user has a TOTP factor will automatically have a new TOTP provider created during upgrade migrations. New installs and existing installs where no users had a TOTP factor will have a clean slate.

To enable MFA on a new install, you must now explicitly configure a TOTP provider (or some other provider).

Phabricator now supports SMS as an MFA factor. Note that it is a particularly weak factor which has repeatedly been compromised in the wild, and its use is strongly discouraged.

[] Phabricator now supports Duo (Duo Security) as an MFA factor.

Phabricator now supports adding contact numbers to your account, and SMS delivery via Twilio and Amazon SNS. This is not currently integrated into any applications other than MFA.

Security

• Note changes to MFA, described above.
• [] When a user tries to access an object they can not see because they can't see the Space it is in, they now receive a detailed policy error, similar to the error they'd receive if they could not see the object for a more mundane policy reason. Previously, these objects behaved as though they did not exist.

Migrations

"Duration" is the duration for this install, and may not be representative.

Upgrading / Compatibility

The changes to MFA should not directly affect existing installs (they will automatically upgrade to state equivalent to the pre-upgrade state) but administrators should be aware of the MFA changes described above.

Minor

• [] When an intracluster repository request arrives on a node which can not satisfy it, we now raise a richer error message.
• Fixed a bug where mail about task attachments would occasionally render a story like "alice attached a revision: Unknown Object (Differential Revision)".
• [] Some types of Almanac record edits (particularly, edits to Devices) did not properly dirty the cluster layout cache. They now dirty it.
• Transaction summaries in HTML mail, which were briefly HTML in the last release, are now plain text again, because the HTML wasn't very good.
• Fixed a bug where MFA rate limiting could incorrectly apply if you typed some text in to an MFA prompt, the prompt expired, and you didn't wait very patiently.
• Translations where "Account" is not alphabetically the first settings panel no longer show the wrong controls when visiting the main settings screen.
• Added a rate limit for guessing MFA challenges during enrollment.
• Added a CSRF gate to MFA workflows for MFA types with side effects (like SMS).
• [] Fixed a bug with "Must Encrypt" mail where it didn't work at all.
• Clarified a setup error about PHP 7.0 support.
• Some MFA workflows have changed from "Session MFA" (the sudo-like mode) to "One-Shot MFA" (a single prompt which does not leave your account in "sudo" mode).

The [] icon indicates a change backed by support mana.