Improve UI messaging around "one-shot" vs "session upgrade" MFA

Summary:
Depends on D19899. Ref T13222. When we prompt you for one-shot MFA, we currently give you a lot of misleading text about your session staying in "high security mode".

Differentiate between one-shot and session upgrade MFA, and give the user appropriate cues and explanatory text.

Test Plan:
  - Hit one-shot MFA on an "mfa" task in Maniphest.
  - Hit session upgrade MFA in Settings > Multi-Factor.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D19900

src/aphront/handler/PhabricatorHighSecurityRequestExceptionHandler.php

@@ -45,18 +45,36 @@ final class PhabricatorHighSecurityRequestExceptionHandler
       }
     }
 
+    $is_upgrade = $throwable->getIsSessionUpgrade();
+
+    if ($is_upgrade) {
+      $title = pht('Enter High Security');
+    } else {
+      $title = pht('Provide MFA Credentials');
+    }
+
     if ($is_wait) {
       $submit = pht('Wait Patiently');
-    } else {
+    } else if ($is_upgrade) {
       $submit = pht('Enter High Security');
+    } else {
+      $submit = pht('Continue');
     }
 
     $dialog = id(new AphrontDialogView())
       ->setUser($viewer)
-      ->setTitle(pht('Entering High Security'))
+      ->setTitle($title)
       ->setShortTitle(pht('Security Checkpoint'))
       ->setWidth(AphrontDialogView::WIDTH_FORM)
       ->addHiddenInput(AphrontRequest::TYPE_HISEC, true)
+      ->setSubmitURI($request->getPath())
+      ->addCancelButton($throwable->getCancelURI())
+      ->addSubmitButton($submit);
+
+    $form_layout = $form->buildLayoutView();
+
+    if ($is_upgrade) {
+      $dialog
         ->setErrors(
           array(
             pht(
@@ -69,15 +87,22 @@ final class PhabricatorHighSecurityRequestExceptionHandler
             'threats, like session theft or someone messing with your stuff '.
             'while you\'re grabbing a coffee. To enter high security mode, '.
             'confirm your credentials.'))
-      ->appendChild($form->buildLayoutView())
+        ->appendChild($form_layout)
         ->appendParagraph(
           pht(
             'Your account will remain in high security mode for a short '.
             'period of time. When you are finished taking sensitive '.
-          'actions, you should leave high security.'))
+            'actions, you should leave high security.'));
-      ->setSubmitURI($request->getPath())
+    } else {
-      ->addCancelButton($throwable->getCancelURI())
+      $dialog
-      ->addSubmitButton($submit);
+        ->setErrors(
+          array(
+            pht(
+              'You are taking an action which requires you to provide '.
+              'multi-factor credentials.'),
+          ))
+        ->appendChild($form_layout);
+    }
 
     $request_parameters = $request->getPassthroughRequestParameters(
       $respect_quicksand = true);

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

@@ -684,6 +684,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
 
     throw id(new PhabricatorAuthHighSecurityRequiredException())
       ->setCancelURI($cancel_uri)
+      ->setIsSessionUpgrade($upgrade_session)
       ->setFactors($factors)
       ->setFactorValidationResults($validation_results);
   }

src/applications/auth/exception/PhabricatorAuthHighSecurityRequiredException.php

@@ -5,6 +5,7 @@ final class PhabricatorAuthHighSecurityRequiredException extends Exception {
   private $cancelURI;
   private $factors;
   private $factorValidationResults;
+  private $isSessionUpgrade;
 
   public function setFactorValidationResults(array $results) {
     assert_instances_of($results, 'PhabricatorAuthFactorResult');
@@ -35,4 +36,13 @@ final class PhabricatorAuthHighSecurityRequiredException extends Exception {
     return $this->cancelURI;
   }
 
+  public function setIsSessionUpgrade($is_upgrade) {
+    $this->isSessionUpgrade = $is_upgrade;
+    return $this;
+  }
+
+  public function getIsSessionUpgrade() {
+    return $this->isSessionUpgrade;
+  }
+
 }