revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-29 10:12:41 +01:00
Code Issues Releases Wiki Activity
phorge-phorge/src/applications/auth/controller/PhabricatorAuthRevokeTokenController.php

79 lines
2 KiB
PHP
Raw Normal View History

Add an explicit temporary token management page to Settings Summary: Ref T5506. This makes it easier to understand and manage temporary tokens. Eventually this could be more user-friendly, since it's relatively difficult to understand what this screen means. My short-term goal is just to make the next change easier to implement and test. The next diff will close a small security weakness: if you change your email address, password reset links which were sent to the old address are still valid. Although an attacker would need substantial access to exploit this (essentially, it would just make it easier for them to re-compromise an already compromised account), it's a bit surprising. In the next diff, email address changes will invalidate outstanding password reset links. Test Plan: - Viewed outstanding tokens. - Added tokens to the list by making "Forgot your password?" requests. - Revoked tokens individually. - Revoked all tokens. - Tried to use a revoked token. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5506 Differential Revision: https://secure.phabricator.com/D10133
2014-08-04 21:04:13 +02:00
<?php
final class PhabricatorAuthRevokeTokenController
extends PhabricatorAuthController {
private $id;
public function willProcessRequest(array $data) {
$this->id = $data['id'];
}
public function processRequest() {
$request = $this->getRequest();
$viewer = $request->getUser();
$is_all = ($this->id === 'all');
$query = id(new PhabricatorAuthTemporaryTokenQuery())
->setViewer($viewer)
->withObjectPHIDs(array($viewer->getPHID()));
if (!$is_all) {
$query->withIDs(array($this->id));
}
$tokens = $query->execute();
foreach ($tokens as $key => $token) {
if (!$token->isRevocable()) {
// Don't revoke unrevocable tokens.
unset($tokens[$key]);
}
}
$panel_uri = '/settings/panel/tokens/';
if (!$tokens) {
return $this->newDialog()
->setTitle(pht('No Matching Tokens'))
->appendParagraph(
pht('There are no matching tokens to revoke.'))
->appendParagraph(
pht(
'(Some types of token can not be revoked, and you can not revoke '.
'tokens which have already expired.)'))
->addCancelButton($panel_uri);
}
if ($request->isDialogFormPost()) {
foreach ($tokens as $token) {
Invalidate outstanding password reset links when users adjust email addresses Summary: Fixes T5506. Depends on D10133. When users remove an email address or change their primary email address, invalidate any outstanding password reset links. This is a very small security risk, but the current behavior is somewhat surprising, and an attacker could sit on a reset link for up to 24 hours and then use it to re-compromise an account. Test Plan: - Changed primary address and removed addreses. - Verified these actions invalidated outstanding one-time login temporary tokens. - Tried to use revoked reset links. - Revoked normally from new UI panel. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5506 Differential Revision: https://secure.phabricator.com/D10134
2014-08-04 21:04:23 +02:00
$token->revokeToken();
Add an explicit temporary token management page to Settings Summary: Ref T5506. This makes it easier to understand and manage temporary tokens. Eventually this could be more user-friendly, since it's relatively difficult to understand what this screen means. My short-term goal is just to make the next change easier to implement and test. The next diff will close a small security weakness: if you change your email address, password reset links which were sent to the old address are still valid. Although an attacker would need substantial access to exploit this (essentially, it would just make it easier for them to re-compromise an already compromised account), it's a bit surprising. In the next diff, email address changes will invalidate outstanding password reset links. Test Plan: - Viewed outstanding tokens. - Added tokens to the list by making "Forgot your password?" requests. - Revoked tokens individually. - Revoked all tokens. - Tried to use a revoked token. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T5506 Differential Revision: https://secure.phabricator.com/D10133
2014-08-04 21:04:13 +02:00
}
return id(new AphrontRedirectResponse())->setURI($panel_uri);
}
if ($is_all) {
$title = pht('Revoke Tokens?');
$short = pht('Revoke Tokens');
$body = pht(
'Really revoke all tokens? Among other temporary authorizations, '.
'this will disable any outstanding password reset or account '.
'recovery links.');
} else {
$title = pht('Revoke Token?');
$short = pht('Revoke Token');
$body = pht(
'Really revoke this token? Any temporary authorization it enables '.
'will be disabled.');
}
return $this->newDialog()
->setTitle($title)
->setShortTitle($short)
->appendParagraph($body)
->addSubmitButton(pht('Revoke'))
->addCancelButton($panel_uri);
}
}
Copy permalink