revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-22 23:02:42 +01:00
Code Issues Releases Wiki Activity

Improve UI messaging around "one-shot" vs "session upgrade" MFA

Browse source 
Summary:
Depends on D19899. Ref T13222. When we prompt you for one-shot MFA, we currently give you a lot of misleading text about your session staying in "high security mode".

Differentiate between one-shot and session upgrade MFA, and give the user appropriate cues and explanatory text.

Test Plan:
  - Hit one-shot MFA on an "mfa" task in Maniphest.
  - Hit session upgrade MFA in Settings > Multi-Factor.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D19900
This commit is contained in:
epriestley 2018-12-18 08:02:40 -08:00
parent d3c325c4fc
commit 1c89b3175f
3 changed files with 56 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
src/aphront/handler/PhabricatorHighSecurityRequestExceptionHandler.php
View file

@ -45,18 +45,36 @@ final class PhabricatorHighSecurityRequestExceptionHandler
}
}
$is_upgrade = $throwable->getIsSessionUpgrade();
if ($is_upgrade) {
$title = pht('Enter High Security');
} else {
$title = pht('Provide MFA Credentials');
}
if ($is_wait) {
$submit = pht('Wait Patiently');
} else {
} else if ($is_upgrade) {
$submit = pht('Enter High Security');
} else {
$submit = pht('Continue');
}
$dialog = id(new AphrontDialogView())
->setUser($viewer)
->setTitle(pht('Entering High Security'))
->setTitle($title)
->setShortTitle(pht('Security Checkpoint'))
->setWidth(AphrontDialogView::WIDTH_FORM)
->addHiddenInput(AphrontRequest::TYPE_HISEC, true)
->setSubmitURI($request->getPath())
->addCancelButton($throwable->getCancelURI())
->addSubmitButton($submit);
$form_layout = $form->buildLayoutView();
if ($is_upgrade) {
$dialog
->setErrors(
array(
pht(
@ -69,15 +87,22 @@ final class PhabricatorHighSecurityRequestExceptionHandler
'threats, like session theft or someone messing with your stuff '.
'while you\'re grabbing a coffee. To enter high security mode, '.
'confirm your credentials.'))
->appendChild($form->buildLayoutView())
->appendChild($form_layout)
->appendParagraph(
pht(
'Your account will remain in high security mode for a short '.
'period of time. When you are finished taking sensitive '.
'actions, you should leave high security.'))
->setSubmitURI($request->getPath())
->addCancelButton($throwable->getCancelURI())
->addSubmitButton($submit);
'actions, you should leave high security.'));
} else {
$dialog
->setErrors(
array(
pht(
'You are taking an action which requires you to provide '.
'multi-factor credentials.'),
))
->appendChild($form_layout);
}
$request_parameters = $request->getPassthroughRequestParameters(
$respect_quicksand = true);

1
src/applications/auth/engine/PhabricatorAuthSessionEngine.php
View file

@ -684,6 +684,7 @@ final class PhabricatorAuthSessionEngine extends Phobject {
throw id(new PhabricatorAuthHighSecurityRequiredException())
->setCancelURI($cancel_uri)
->setIsSessionUpgrade($upgrade_session)
->setFactors($factors)
->setFactorValidationResults($validation_results);
}

10
src/applications/auth/exception/PhabricatorAuthHighSecurityRequiredException.php
View file

@ -5,6 +5,7 @@ final class PhabricatorAuthHighSecurityRequiredException extends Exception {
private $cancelURI;
private $factors;
private $factorValidationResults;
private $isSessionUpgrade;
public function setFactorValidationResults(array $results) {
assert_instances_of($results, 'PhabricatorAuthFactorResult');
@ -35,4 +36,13 @@ final class PhabricatorAuthHighSecurityRequiredException extends Exception {
return $this->cancelURI;
}
public function setIsSessionUpgrade($is_upgrade) {
$this->isSessionUpgrade = $is_upgrade;
return $this;
}
public function getIsSessionUpgrade() {
return $this->isSessionUpgrade;
}
}