phorge-phorge/src/applications/auth/query/PhabricatorAuthTemporaryTokenQuery.php

<?php

final class PhabricatorAuthTemporaryTokenQuery
  extends PhabricatorCursorPagedPolicyAwareQuery {

  private $ids;
  private $objectPHIDs;
  private $tokenTypes;
  private $expired;
  private $tokenCodes;

  public function withIDs(array $ids) {
    $this->ids = $ids;
    return $this;
  }

  public function withObjectPHIDs(array $object_phids) {
    $this->objectPHIDs = $object_phids;
    return $this;
  }

  public function withTokenTypes(array $types) {
    $this->tokenTypes = $types;
    return $this;
  }

  public function withExpired($expired) {
    $this->expired = $expired;
    return $this;
  }

  public function withTokenCodes(array $codes) {
    $this->tokenCodes = $codes;
    return $this;
  }

  protected function loadPage() {
    $table = new PhabricatorAuthTemporaryToken();
    $conn_r = $table->establishConnection('r');

    $data = queryfx_all(
      $conn_r,
      'SELECT * FROM %T %Q %Q %Q',
      $table->getTableName(),
      $this->buildWhereClause($conn_r),
      $this->buildOrderClause($conn_r),
      $this->buildLimitClause($conn_r));

    return $table->loadAllFromArray($data);
  }

  protected function buildWhereClause(AphrontDatabaseConnection $conn_r) {
    $where = array();

    if ($this->ids !== null) {
      $where[] = qsprintf(
        $conn_r,
        'id IN (%Ld)',
        $this->ids);
    }

    if ($this->objectPHIDs !== null) {
      $where[] = qsprintf(
        $conn_r,
        'objectPHID IN (%Ls)',
        $this->objectPHIDs);
    }

    if ($this->tokenTypes !== null) {
      $where[] = qsprintf(
        $conn_r,
        'tokenType IN (%Ls)',
        $this->tokenTypes);
    }

    if ($this->expired !== null) {
      if ($this->expired) {
        $where[] = qsprintf(
          $conn_r,
          'tokenExpires <= %d',
          time());
      } else {
        $where[] = qsprintf(
          $conn_r,
          'tokenExpires > %d',
          time());
      }
    }

    if ($this->tokenCodes !== null) {
      $where[] = qsprintf(
        $conn_r,
        'tokenCode IN (%Ls)',
        $this->tokenCodes);
    }

    $where[] = $this->buildPagingClause($conn_r);

    return $this->formatWhereClause($where);
  }

  public function getQueryApplicationClass() {
    return 'PhabricatorAuthApplication';
  }

}
Add "temporary tokens" to auth, for SMS codes, TOTP codes, reset codes, etc Summary: Ref T4398. We have several auth-related systems which require (or are improved by) the ability to hand out one-time codes which expire after a short period of time. In particular, these are: - SMS multi-factor: we need to be able to hand out one-time codes for this in order to prove the user has the phone. - Password reset emails: we use a time-based rotating token right now, but we could improve this with a one-time token, so once you reset your password the link is dead. - TOTP auth: we don't need to verify/invalidate keys, but can improve security by doing so. This adds a generic one-time code storage table, and strengthens the TOTP enrollment process by using it. Specifically, you can no longer edit the enrollment form (the one with a QR code) to force your own key as the TOTP key: only keys Phabricator generated are accepted. This has no practical security impact, but generally helps raise the barrier potential attackers face. Followup changes will use this for reset emails, then implement SMS multi-factor. Test Plan: - Enrolled in TOTP multi-factor auth. - Submitted an error in the form, saw the same key presented. - Edited the form with web tools to provide a different key, saw it reject and the server generate an alternate. - Change the expiration to 5 seconds instead of 1 hour, submitted the form over and over again, saw it cycle the key after 5 seconds. - Looked at the database and saw the tokens I expected. - Ran the GC and saw all the 5-second expiry tokens get cleaned up. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D9217 2014-05-20 20:43:45 +02:00			`<?php`

			`final class PhabricatorAuthTemporaryTokenQuery`
			`extends PhabricatorCursorPagedPolicyAwareQuery {`

			`private $ids;`
			`private $objectPHIDs;`
			`private $tokenTypes;`
			`private $expired;`
			`private $tokenCodes;`

			`public function withIDs(array $ids) {`
			`$this->ids = $ids;`
			`return $this;`
			`}`

			`public function withObjectPHIDs(array $object_phids) {`
			`$this->objectPHIDs = $object_phids;`
			`return $this;`
			`}`

			`public function withTokenTypes(array $types) {`
			`$this->tokenTypes = $types;`
			`return $this;`
			`}`

			`public function withExpired($expired) {`
			`$this->expired = $expired;`
			`return $this;`
			`}`

			`public function withTokenCodes(array $codes) {`
			`$this->tokenCodes = $codes;`
			`return $this;`
			`}`

			`protected function loadPage() {`
			`$table = new PhabricatorAuthTemporaryToken();`
			`$conn_r = $table->establishConnection('r');`

			`$data = queryfx_all(`
			`$conn_r,`
			`'SELECT * FROM %T %Q %Q %Q',`
			`$table->getTableName(),`
			`$this->buildWhereClause($conn_r),`
			`$this->buildOrderClause($conn_r),`
			`$this->buildLimitClause($conn_r));`

			`return $table->loadAllFromArray($data);`
			`}`

			`protected function buildWhereClause(AphrontDatabaseConnection $conn_r) {`
			`$where = array();`

			`if ($this->ids !== null) {`
			`$where[] = qsprintf(`
			`$conn_r,`
			`'id IN (%Ld)',`
			`$this->ids);`
			`}`

			`if ($this->objectPHIDs !== null) {`
			`$where[] = qsprintf(`
			`$conn_r,`
			`'objectPHID IN (%Ls)',`
			`$this->objectPHIDs);`
			`}`

			`if ($this->tokenTypes !== null) {`
			`$where[] = qsprintf(`
			`$conn_r,`
			`'tokenType IN (%Ls)',`
			`$this->tokenTypes);`
			`}`

			`if ($this->expired !== null) {`
			`if ($this->expired) {`
			`$where[] = qsprintf(`
			`$conn_r,`
			`'tokenExpires <= %d',`
			`time());`
			`} else {`
			`$where[] = qsprintf(`
			`$conn_r,`
			`'tokenExpires > %d',`
			`time());`
			`}`
			`}`

			`if ($this->tokenCodes !== null) {`
			`$where[] = qsprintf(`
			`$conn_r,`
			`'tokenCode IN (%Ls)',`
			`$this->tokenCodes);`
			`}`

			`$where[] = $this->buildPagingClause($conn_r);`

			`return $this->formatWhereClause($where);`
			`}`

			`public function getQueryApplicationClass() {`
Rename `PhabricatorApplication` subclasses Summary: Ref T5655. Some discussion in D9839. Generally speaking, `Phabricator{$name}Application` is clearer than `PhabricatorApplication{$name}`. Test Plan: # Pinned and uninstalled some applications. # Applied patch and performed migrations. # Verified that the pinned applications were still pinned and that the uninstalled applications were still uninstalled. # Performed a sanity check on the database contents. Reviewers: btrahan, epriestley, #blessed_reviewers Reviewed By: epriestley, #blessed_reviewers Subscribers: hach-que, epriestley, Korvin Maniphest Tasks: T5655 Differential Revision: https://secure.phabricator.com/D9982 2014-07-23 02:03:09 +02:00			`return 'PhabricatorAuthApplication';`
Add "temporary tokens" to auth, for SMS codes, TOTP codes, reset codes, etc Summary: Ref T4398. We have several auth-related systems which require (or are improved by) the ability to hand out one-time codes which expire after a short period of time. In particular, these are: - SMS multi-factor: we need to be able to hand out one-time codes for this in order to prove the user has the phone. - Password reset emails: we use a time-based rotating token right now, but we could improve this with a one-time token, so once you reset your password the link is dead. - TOTP auth: we don't need to verify/invalidate keys, but can improve security by doing so. This adds a generic one-time code storage table, and strengthens the TOTP enrollment process by using it. Specifically, you can no longer edit the enrollment form (the one with a QR code) to force your own key as the TOTP key: only keys Phabricator generated are accepted. This has no practical security impact, but generally helps raise the barrier potential attackers face. Followup changes will use this for reset emails, then implement SMS multi-factor. Test Plan: - Enrolled in TOTP multi-factor auth. - Submitted an error in the form, saw the same key presented. - Edited the form with web tools to provide a different key, saw it reject and the server generate an alternate. - Change the expiration to 5 seconds instead of 1 hour, submitted the form over and over again, saw it cycle the key after 5 seconds. - Looked at the database and saw the tokens I expected. - Ran the GC and saw all the 5-second expiry tokens get cleaned up. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D9217 2014-05-20 20:43:45 +02:00			`}`

			`}`