diff --git a/src/applications/auth/data/PhabricatorAuthHighSecurityToken.php b/src/applications/auth/data/PhabricatorAuthHighSecurityToken.php
index 8ea1ed97f8..9d44411795 100644
--- a/src/applications/auth/data/PhabricatorAuthHighSecurityToken.php
+++ b/src/applications/auth/data/PhabricatorAuthHighSecurityToken.php
@@ -1,3 +1,17 @@ isUnchallengedToken = $is_unchallenged_token;
+ return $this;
+ }
+
+ public function getIsUnchallengedToken() {
+ return $this->isUnchallengedToken;
+ }
+
+}
diff --git a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
index 7358a61a40..251c8284ef 100644
--- a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
+++ b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
@@ -493,7 +493,8 @@ final class PhabricatorAuthSessionEngine extends Phobject {
 // adds an auth factor, existing sessions won't get a free pass into hisec,
 // since they never actually got marked as hisec.
 if (!$factors) {
- return $this->issueHighSecurityToken($session, true);
+ return $this->issueHighSecurityToken($session, true)
+ ->setIsUnchallengedToken(true);
 }
 $this->request = $request;
diff --git a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
index c17ac1ec72..422605f761 100644
--- a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
+++ b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
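Review bot: The new flag on PhabricatorAuthHighSecurityToken is negative-sense, so a token that nobody marks reads as challenged: `getIsUnchallengedToken()` returns the bare property, and in this diff only the no-factors return in PhabricatorAuthSessionEngine calls `setIsUnchallengedToken(true)`. Since the editor uses this value to decide whether transactions are recorded as MFA transactions, any other path that issues a token without a challenge would still be recorded as MFA unless it remembers to set the flag. Consider inverting the sense, so that a challenged flag defaults to `false` and is set only after factors are verified, or at least documenting the fail-open default on the property. The opening lines of this hunk, including the property declaration, are missing from the extracted text, so its default could not be checked.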
@@ -5152,12 +5152,14 @@ abstract class PhabricatorApplicationTransactionEditor
 'an MFA check.'));
 }
- id(new PhabricatorAuthSessionEngine())
+ $token = id(new PhabricatorAuthSessionEngine())
 ->setWorkflowKey($workflow_key)
 ->requireHighSecurityToken($actor, $request, $cancel_uri);
- foreach ($xactions as $xaction) {
- $xaction->setIsMFATransaction(true);
+ if (!$token->getIsUnchallengedToken()) {
+ foreach ($xactions as $xaction) {
+ $xaction->setIsMFATransaction(true);
+ }
 }
 }
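Review bot: The new `if (!$token->getIsUnchallengedToken())` guard carries no comment saying why MFA marking is skipped, and that reason is security-relevant for anyone later reading the transaction record. I would add above it: `// Only mark these transactions as MFA if the user actually answered a challenge; an account with no factors gets a token without one.` The guard also dereferences the return value of `requireHighSecurityToken()` directly, which assumes every return path yields a token object; only the no-factors return is visible in this diff, so that is worth confirming. The enclosing method starts outside the hunk.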