Add a garbage collector for MFA challenges

Summary: Depends on D19886. Ref T13222. Clean up MFA challenges after they expire. (There's maybe some argument to keeping these around for a little while for debugging/forensics, but I suspect it would never actually be valuable and figure we can cross that bridge if we come to it.) Test Plan: - Ran `bin/garbage collect --collector ...` and saw old MFA challenges collected. - Triggered a new challenge, GC'd again, saw it survive GC while still active. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19888
2024-11-10 00:42:41 +01:00 · 2018-12-14 05:26:51 -08:00 · 2018-12-14 05:26:51 -08:00 · 5e94343c7d
commit 5e94343c7d
parent b8cbfda07c
3 changed files with 33 additions and 0 deletions
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@ -2188,6 +2188,7 @@ phutil_register_library_map(array(
    'PhabricatorAuthAuthFactorPHIDType' => 'applications/auth/phid/PhabricatorAuthAuthFactorPHIDType.php',
    'PhabricatorAuthAuthProviderPHIDType' => 'applications/auth/phid/PhabricatorAuthAuthProviderPHIDType.php',
    'PhabricatorAuthChallenge' => 'applications/auth/storage/PhabricatorAuthChallenge.php',
+    'PhabricatorAuthChallengeGarbageCollector' => 'applications/auth/garbagecollector/PhabricatorAuthChallengeGarbageCollector.php',
    'PhabricatorAuthChallengePHIDType' => 'applications/auth/phid/PhabricatorAuthChallengePHIDType.php',
    'PhabricatorAuthChallengeQuery' => 'applications/auth/query/PhabricatorAuthChallengeQuery.php',
    'PhabricatorAuthChangePasswordAction' => 'applications/auth/action/PhabricatorAuthChangePasswordAction.php',
@ -7830,6 +7831,7 @@ phutil_register_library_map(array(
      'PhabricatorAuthDAO',
      'PhabricatorPolicyInterface',
    ),
+    'PhabricatorAuthChallengeGarbageCollector' => 'PhabricatorGarbageCollector',
    'PhabricatorAuthChallengePHIDType' => 'PhabricatorPHIDType',
    'PhabricatorAuthChallengeQuery' => 'PhabricatorCursorPagedPolicyAwareQuery',
    'PhabricatorAuthChangePasswordAction' => 'PhabricatorSystemAction',
--- a/src/applications/auth/garbagecollector/PhabricatorAuthChallengeGarbageCollector.php
+++ b/src/applications/auth/garbagecollector/PhabricatorAuthChallengeGarbageCollector.php
@ -0,0 +1,28 @@
+<?php
+
+final class PhabricatorAuthChallengeGarbageCollector
+  extends PhabricatorGarbageCollector {
+
+  const COLLECTORCONST = 'auth.challenges';
+
+  public function getCollectorName() {
+    return pht('Authentication Challenges');
+  }
+
+  public function hasAutomaticPolicy() {
+    return true;
+  }
+
+  protected function collectGarbage() {
+    $challenge_table = new PhabricatorAuthChallenge();
+    $conn = $challenge_table->establishConnection('w');
+
+    queryfx(
+      $conn,
+      'DELETE FROM %R WHERE challengeTTL < UNIX_TIMESTAMP() LIMIT 100',
+      $challenge_table);
+
+    return ($conn->getAffectedRows() == 100);
+  }
+
+}
--- a/src/applications/auth/storage/PhabricatorAuthChallenge.php
+++ b/src/applications/auth/storage/PhabricatorAuthChallenge.php
@ -25,6 +25,9 @@ final class PhabricatorAuthChallenge
        'key_issued' => array(
          'columns' => array('userPHID', 'challengeTTL'),
        ),
+        'key_collection' => array(
+          'columns' => array('challengeTTL'),
+        ),
      ),
    ) + parent::getConfiguration();
  }