phorge-phorge/src/applications/auth/controller/PhabricatorAuthDowngradeSessionController.php

<?php

final class PhabricatorAuthDowngradeSessionController
  extends PhabricatorAuthController {

  public function processRequest() {
    $request = $this->getRequest();
    $viewer = $request->getUser();

    $panel_uri = '/settings/panel/sessions/';

    $session = $viewer->getSession();
    if ($session->getHighSecurityUntil() < time()) {
      return $this->newDialog()
        ->setTitle(pht('Normal Security Restored'))
        ->appendParagraph(
          pht('Your session is no longer in high security.'))
        ->addCancelButton($panel_uri, pht('Continue'));
    }

    if ($request->isFormPost()) {

      id(new PhabricatorAuthSessionEngine())
        ->exitHighSecurity($viewer, $session);

      return id(new AphrontRedirectResponse())
        ->setURI($this->getApplicationURI('session/downgrade/'));
    }

    return $this->newDialog()
      ->setTitle(pht('Leaving High Security'))
      ->appendParagraph(
        pht(
          'Leave high security and return your session to normal '.
          'security levels?'))
      ->appendParagraph(
        pht(
          'If you leave high security, you will need to authenticate '.
          'again the next time you try to take a high security action.'))
      ->appendParagraph(
        pht(
          'On the plus side, that purple notification bubble will '.
          'disappear.'))
      ->addSubmitButton(pht('Leave High Security'))
      ->addCancelButton($panel_uri, pht('Stay in High Security'));
  }


}
Add "High Security" mode to support multi-factor auth Summary: Ref T4398. This is roughly a "sudo" mode, like GitHub has for accessing SSH keys, or Facebook has for managing credit cards. GitHub actually calls theirs "sudo" mode, but I think that's too technical for big parts of our audience. I've gone with "high security mode". This doesn't actually get exposed in the UI yet (and we don't have any meaningful auth factors to prompt the user for) but the workflow works overall. I'll go through it in a comment, since I need to arrange some screenshots. Test Plan: See guided walkthrough. Reviewers: chad, btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8851 2014-04-28 02:31:11 +02:00			`<?php`

			`final class PhabricatorAuthDowngradeSessionController`
			`extends PhabricatorAuthController {`

			`public function processRequest() {`
			`$request = $this->getRequest();`
			`$viewer = $request->getUser();`

			`$panel_uri = '/settings/panel/sessions/';`

			`$session = $viewer->getSession();`
			`if ($session->getHighSecurityUntil() < time()) {`
			`return $this->newDialog()`
			`->setTitle(pht('Normal Security Restored'))`
			`->appendParagraph(`
			`pht('Your session is no longer in high security.'))`
			`->addCancelButton($panel_uri, pht('Continue'));`
			`}`

			`if ($request->isFormPost()) {`

Let users review their own account activity logs Summary: Ref T4398. This adds a settings panel for account activity so users can review activity on their own account. Some goals are: - Make it easier for us to develop and support auth and credential information, see T4398. This is the primary driver. - Make it easier for users to understand and review auth and credential information (see T4842 for an example -- this isn't there yet, but builds toward it). - Improve user confidence in security by making logging more apparent and accessible. Minor corresponding changes: - Entering and exiting hisec mode is now logged. - This, sessions, and OAuth authorizations have moved to a new "Sessions and Logs" area, since "Authentication" was getting huge. Test Plan: - Viewed new panel. - Viewed old UI. - Entered/exited hisec and got prompted. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8871 2014-04-28 02:32:09 +02:00			`id(new PhabricatorAuthSessionEngine())`
			`->exitHighSecurity($viewer, $session);`
Add "High Security" mode to support multi-factor auth Summary: Ref T4398. This is roughly a "sudo" mode, like GitHub has for accessing SSH keys, or Facebook has for managing credit cards. GitHub actually calls theirs "sudo" mode, but I think that's too technical for big parts of our audience. I've gone with "high security mode". This doesn't actually get exposed in the UI yet (and we don't have any meaningful auth factors to prompt the user for) but the workflow works overall. I'll go through it in a comment, since I need to arrange some screenshots. Test Plan: See guided walkthrough. Reviewers: chad, btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8851 2014-04-28 02:31:11 +02:00
			`return id(new AphrontRedirectResponse())`
			`->setURI($this->getApplicationURI('session/downgrade/'));`
			`}`

			`return $this->newDialog()`
			`->setTitle(pht('Leaving High Security'))`
			`->appendParagraph(`
			`pht(`
			`'Leave high security and return your session to normal '.`
			`'security levels?'))`
			`->appendParagraph(`
			`pht(`
			`'If you leave high security, you will need to authenticate '.`
			`'again the next time you try to take a high security action.'))`
			`->appendParagraph(`
			`pht(`
			`'On the plus side, that purple notification bubble will '.`
			`'disappear.'))`
			`->addSubmitButton(pht('Leave High Security'))`
			`->addCancelButton($panel_uri, pht('Stay in High Security'));`
			`}`


			`}`