mirror of https://we.phorge.it/source/phorge.git synced 2025-01-05 20:31:03 +01:00
phorge-phorge/src/applications
epriestley 657f3c3806 When accepting a TOTP response, require it respond explicitly to a specific challenge
Summary:
Depends on D19890. Ref T13222. See PHI873. Currently, we only validate TOTP responses against the current (realtime) timestep. Instead, also validate them against a specific challenge.

This mostly just moves us toward more specifically preventing responses from being reused, and supporting flows which must look more like this (SMS/push).

One rough edge here is that during the T+3 and T+4 windows (you request a prompt, then wait 60-120 seconds to respond) only past responses actually work (the current code on your device won't). For example:

  - At T+0, you request MFA. We issue a T+0 challenge that accepts codes T-2, T-1, T+0, T+1, and T+2. The challenge locks out T+3 and T+4 to prevent the window from overlapping with the next challenge we may issue (see D19890).
  - If you wait 60 seconds until T+3 to actually submit a code, the realtime valid responses are T+1, T+2, T+3, T+4, T+5. The challenge valid responses are T-2, T-1, T+0, T+1, and T+2. Only T+1 and T+2 are in the intersection. Your device is showing T+3 if the clock is right, so if you type in what's shown on your device it won't be accepted.
  - This //may// get refined in future changes, but, in the worst case, it's probably fine if it doesn't. Beyond 120s you'll get a new challenge and a full [-2, ..., +2] window to respond, so this lockout is temporary even if you manage to hit it.
  - If this //doesn't// get refined, I'll change the UI to say "This factor recently issued a challenge which has expired, wait N seconds." to smooth this over a bit.

Test Plan:
  - Went through MFA.
  - Added a new TOTP factor.
  - Hit some error cases on purpose.
  - Tried to use an old code a moment after it expired, got rejected.
  - Waited 60+ seconds, tried to use the current displayed factor, got rejected (this isn't great, but currently expected).

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D19893
2018-12-20 14:44:35 -08:00
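The window arithmetic in the commit message above, worked through as an added example (this is not Phorge/Phabricator code, and it does not reproduce the actual auth implementation): an RFC 6238 TOTP generator plus a validator that accepts a response only if its timestep lies in both the realtime window and the window of the specific challenge that was issued. Assumed here: 30-second timesteps, a realtime tolerance of two steps either side, a challenge window of [T-2, T+2] with T+3 and T+4 locked out, and the hypothetical names `totp_code`, `realtime_window`, `challenge_window`, `challenge_ttl_steps` and `accept_response`. The test secret is the RFC 4226 example key.

```python
"""Validate a TOTP response against a specific issued challenge.

Added example, not project code. Shows why, at T+3, the code currently
displayed on a correctly-synced device is rejected while the T+1 and
T+2 codes are still accepted: only the intersection of the realtime
window and the challenge window is honoured.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed TOTP timestep length
WINDOW = 2          # assumed tolerance: +/- 2 steps either side
LOCKOUT = 2         # assumed: steps T+3 and T+4 are locked out after a challenge


def totp_code(secret, step, digits=6):
    """RFC 6238 TOTP for one timestep counter (HMAC-SHA1, dynamic truncation)."""
    msg = struct.pack(">Q", step)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def realtime_window(now_step):
    """Steps a plain (challenge-less) TOTP check would accept right now."""
    return set(range(now_step - WINDOW, now_step + WINDOW + 1))


def challenge_window(issued_step):
    """Steps the challenge issued at issued_step will ever accept: [T-2, T+2]."""
    return set(range(issued_step - WINDOW, issued_step + WINDOW + 1))


def challenge_ttl_steps():
    """Challenge lifetime in steps: its window plus the lockout, so the next
    challenge (issued at T+5) cannot overlap with this one."""
    return WINDOW + LOCKOUT + 1


def accept_response(secret, response, issued_step, now_step):
    """True if `response` is the code for a step accepted by BOTH windows.

    Raises ValueError once the challenge (including its lockout) has expired;
    the caller is expected to issue a fresh challenge at that point.
    """
    if now_step < issued_step:
        raise ValueError("response predates the challenge")
    if now_step >= issued_step + challenge_ttl_steps():
        raise ValueError("challenge expired; issue a new one")
    valid_steps = realtime_window(now_step) & challenge_window(issued_step)
    # Constant-time compare against every candidate step; no early exit on
    # the first mismatch so timing does not leak which step was close.
    accepted = False
    for step in sorted(s for s in valid_steps if s >= 0):
        if hmac.compare_digest(totp_code(secret, step), response):
            accepted = True
    return accepted


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test key, constructed input
    issued = 2                        # challenge issued at step T = 2
    for now in range(issued, issued + challenge_ttl_steps()):
        both = sorted(realtime_window(now) & challenge_window(issued))
        shown = totp_code(secret, now)  # what a synced device displays
        print("T+%d: accepted steps %s, device code accepted: %s"
              % (now - issued, both, accept_response(secret, shown, issued, now)))
```

Running the block prints one line per step of the challenge's lifetime; at T+3 and T+4 the accepted set shrinks to {T+1, T+2} and the device's current code is rejected, which is the rough edge the commit message describes.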
almanac Cleanup some clustering rough edges 2018-12-20 11:19:19 -08:00
aphlict Add a CLI workflow for testing that notifications are being delivered 2018-12-10 16:05:53 -08:00
arcanist/conduit Remove remaining arcanist project code 2015-07-08 19:37:28 +10:00
audit Share more inline "Done" code between Differential and Diffusion 2018-12-10 15:36:52 -08:00
auth When accepting a TOTP response, require it respond explicitly to a specific challenge 2018-12-20 14:44:35 -08:00
badges Allow "Change Subtype" to be selected from the comment action stack 2018-11-28 13:40:40 -08:00
base Allow "Can Configure Application" permissions to be configured 2018-11-19 07:25:41 -08:00
cache Update PhabricatorLiskDAO::chunkSQL() for new %Q semantics 2018-11-13 08:59:18 -08:00
calendar Allow "Change Subtype" to be selected from the comment action stack 2018-11-28 13:40:40 -08:00
celerity Emit a "Content-Security-Policy" HTTP header 2018-02-27 10:17:30 -08:00
chatlog Update many Phabricator queries for new %Q query semantics 2018-11-15 03:48:10 -08:00
conduit Use phutil_microseconds_since(...) to simplify some timing arithmetic 2018-11-08 16:46:32 -08:00
config Remove defunct "metamta.herald.show-hints" Config option 2018-11-26 10:14:25 -08:00
conpherence Allow "Change Subtype" to be selected from the comment action stack 2018-11-28 13:40:40 -08:00
console Fix some minor errors (DarkConsole warning, unstable Ferret sort) 2018-03-18 15:12:25 -07:00
countdown Use object PHIDs for "Thread-Topic" headers in mail 2018-02-08 06:21:00 -08:00
daemon Continue cleaning up queries in the wake of changes to "%Q" 2018-11-16 12:49:44 -08:00
dashboard Make the dashboard panel datasource work properly with hundreds of panels 2018-06-28 08:54:29 -07:00
differential Share more inline "Done" code between Differential and Diffusion 2018-12-10 15:36:52 -08:00
diffusion Fix some straggling qsprintf() warnings in repository import 2018-12-12 09:21:12 -08:00
diviner Update many Phabricator queries for new %Q query semantics 2018-11-15 03:48:10 -08:00
doorkeeper Allow Doorkeeper references to have multiple display variations (full, short, etc.) 2018-03-13 11:29:52 -07:00
draft/storage When purging drafts after a transaction edit, purge all drafts 2018-02-11 06:01:09 -08:00
drydock Replace the "Choose Subtype" radio buttons dialog with a simpler "big stuff you click" sort of UI 2018-12-10 14:59:18 -08:00
fact Remove all application callers to "putInSet()" 2018-12-12 16:41:12 -08:00
favorites Add some missing aural button labels for accessibility 2018-08-17 11:00:29 -07:00
feed Separate "feed" and "notifications" better, allow stories to appear in notifications only 2018-12-10 16:02:43 -08:00
files Fix all query warnings in "arc unit --everything" 2018-11-15 03:51:25 -08:00
flag Update many Phabricator queries for new %Q query semantics 2018-11-15 03:48:10 -08:00
fund Update many Phabricator queries for new %Q query semantics 2018-11-15 03:48:10 -08:00
guides Rename "PHUIDocumentViewPro" to "PHUIDocumentView" 2018-08-28 14:53:07 -07:00
harbormaster Add support for "harbormaster.target.search" 2018-11-28 13:49:27 -08:00
help Redesign header menus and search 2017-01-17 12:13:06 -08:00
herald Fix a stray qsprintf() in the Herald rules engine when recording rule application to objects 2018-12-12 11:31:36 -08:00
home Update menu item names for Applications -> Favorites 2017-09-05 19:05:03 -07:00
legalpad Bind MFA challenges to particular workflows, like signing a specific Legalpad document 2018-12-18 12:06:16 -08:00
lipsum Add "--force" and "--quickly" flags to bin/lipsum 2017-02-27 09:09:41 -08:00
macro When {meme ...} embed has no text, just use the raw file data unmodified 2018-11-06 09:40:22 -08:00
maniphest Fix another qsprintf() straggler in "Has Open Subtasks" 2018-12-13 05:17:02 -08:00
meta Modularize Repository transactions 2018-11-28 14:29:18 -08:00
metamta Remove defunct "metamta.herald.show-hints" Config option 2018-11-26 10:14:25 -08:00
multimeter Continue cleaning up queries in the wake of changes to "%Q" 2018-11-16 12:49:44 -08:00
notification Remove obsolete "NotifyTest" feed story 2018-12-10 16:03:42 -08:00
nuance Explicitly add rel="noreferrer" to all external links 2018-02-17 17:46:11 -08:00
oauthserver Update many Phabricator queries for new %Q query semantics 2018-11-15 03:48:10 -08:00
owners Allow "Change Subtype" to be selected from the comment action stack 2018-11-28 13:40:40 -08:00
packages Continue cleaning up queries in the wake of changes to "%Q" 2018-11-16 12:49:44 -08:00
passphrase Fix spelling 2017-10-09 10:48:04 -07:00
paste Allow "Change Subtype" to be selected from the comment action stack 2018-11-28 13:40:40 -08:00
people Update accountadmin to use new admin empowerment code 2018-12-19 12:00:53 -08:00
phame Allow "Change Subtype" to be selected from the comment action stack 2018-11-28 13:40:40 -08:00
phid Truncate package names in diff table of contents views 2018-06-07 13:17:01 -07:00
phlux Update many Phabricator queries for new %Q query semantics 2018-11-15 03:48:10 -08:00
pholio Give Pholio Images an authorPHID and use ExtendedPolicies to implement policy behavior 2018-12-19 10:50:52 -08:00
phortune Fix some "%Q" behavior in PhortuneMerchantQuery 2018-11-20 07:59:57 -08:00
phpast Update phpast for new UI 2016-04-05 13:52:59 -07:00
phragment Update many Phabricator queries for new %Q query semantics 2018-11-15 03:48:10 -08:00
phrequent Continue cleaning up queries in the wake of changes to "%Q" 2018-11-16 12:49:44 -08:00
phriction Make it less confusing to create root-level Phriction doc 2018-12-10 14:10:18 -08:00
phurl Explicitly add rel="noreferrer" to all external links 2018-02-17 17:46:11 -08:00
policy Extend PhabricatorPolicyCodex interface to handle "interesting" policy defaults 2018-04-27 16:56:11 -07:00
ponder Make Facts more modern, DRY, and dimensional 2018-02-19 12:05:19 -08:00
project Update continue/break for php 7.3 2018-12-20 14:12:35 -08:00
releeph Remove application callsites to "LiskDAO->loadOneRelative()" 2018-12-12 16:39:44 -08:00
remarkup/conduit
repository Fix some straggling qsprintf() warnings in repository import 2018-12-12 09:21:12 -08:00
search When waiting for long-running Harbormaster futures to resolve, close idle database connections 2018-11-21 07:53:40 -08:00
settings Upgrade sessions digests to HMAC256, retaining compatibility with old digests 2018-12-13 16:15:38 -08:00
slowvote Prevent users from voting for invalid Slowvote options 2018-11-06 09:21:18 -08:00
spaces Add more mail stamps: tasks, subscribers, projects, spaces 2018-02-06 04:05:46 -08:00
subscriptions Remove requireCapabilities() from ApplicationTransactionEditor and require CAN_EDIT by default 2018-08-24 17:45:56 -07:00
support/application
system Update PhabricatorLiskDAO::chunkSQL() for new %Q semantics 2018-11-13 08:59:18 -08:00
tokens Update many Phabricator queries for new %Q query semantics 2018-11-15 03:48:10 -08:00
transactions Separate "feed" and "notifications" better, allow stories to appear in notifications only 2018-12-10 16:02:43 -08:00
typeahead Rename "PHUIDocumentViewPro" to "PHUIDocumentView" 2018-08-28 14:53:07 -07:00
uiexample Reduce the cost of generating default user profile images 2018-03-01 16:53:17 -08:00
xhprof Allow XHProf profiles to be drag-and-dropped to upload them 2017-02-23 11:16:19 -08:00