mirror of https://we.phorge.it/source/phorge.git synced 2024-11-27 09:12:41 +01:00
phorge-phorge/resources/sql/autopatches
epriestley cac61980f9 Add "temporary tokens" to auth, for SMS codes, TOTP codes, reset codes, etc
Summary:
Ref T4398. We have several auth-related systems which require (or are improved by) the ability to hand out one-time codes which expire after a short period of time.

In particular, these are:

  - SMS multi-factor: we need to be able to hand out one-time codes for this in order to prove the user has the phone.
  - Password reset emails: we use a time-based rotating token right now, but we could improve this with a one-time token, so once you reset your password the link is dead.
  - TOTP auth: we don't need to verify/invalidate keys, but can improve security by doing so.

This adds a generic one-time code storage table, and strengthens the TOTP enrollment process by using it. Specifically, you can no longer edit the enrollment form (the one with a QR code) to force your own key as the TOTP key: only keys Phabricator generated are accepted. This has no practical security impact, but generally helps raise the barrier potential attackers face.

Followup changes will use this for reset emails, then implement SMS multi-factor.

Test Plan:
  - Enrolled in TOTP multi-factor auth.
  - Submitted an error in the form, saw the same key presented.
  - Edited the form with web tools to provide a different key, saw it reject and the server generate an alternate.
  - Changed the expiration to 5 seconds instead of 1 hour, submitted the form over and over again, saw it cycle the key after 5 seconds.
  - Looked at the database and saw the tokens I expected.
  - Ran the GC and saw all the 5-second expiry tokens get cleaned up.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T4398

Differential Revision: https://secure.phabricator.com/D9217
2014-05-20 11:43:45 -07:00
20140104.harbormastercmd.sql Replace "Cancel Build" with "Stop", "Resume" and "Restart" 2014-01-06 12:32:20 -08:00
20140106.macromailkey.1.sql Add mailKey to macros 2014-01-06 12:17:23 -08:00
20140106.macromailkey.2.php Add mailKey to macros 2014-01-06 12:17:23 -08:00
20140108.ddbpname.1.sql Add names to Drydock blueprints 2014-01-09 10:56:34 -08:00
20140108.ddbpname.2.php Add names to Drydock blueprints 2014-01-09 10:56:34 -08:00
20140109.ddxactions.sql Add transactions to Drydock blueprint editing 2014-01-09 12:19:54 -08:00
20140109.projectcolumnsdates.sql Adding the create flow for Project Board (Workphlow) columns. 2014-01-09 16:12:11 -08:00
20140113.legalpadsig.1.sql Legalpad - make it work for not logged in users 2014-01-14 17:17:18 -08:00
20140113.legalpadsig.2.php Legalpad - make it work for not logged in users 2014-01-14 17:17:18 -08:00
20140115.auth.1.id.sql Give the session table a normal id column as a primary key 2014-01-15 13:55:18 -08:00
20140115.auth.2.expires.sql Expire and garbage collect unused sessions 2014-01-15 13:56:16 -08:00
20140115.auth.3.unlimit.php Remove session limits and sequencing 2014-01-15 17:27:59 -08:00
20140115.legalpadsigkey.sql Legalpad - add policy rule for legalpad document signatures 2014-01-15 16:48:44 -08:00
20140116.reporefcursor.sql Introduce ref cursors for repository parsing 2014-01-17 11:48:53 -08:00
20140126.diff.1.parentrevisionid.sql Update DifferentialDiff: add repositoryPHID, drop parentRevisionID 2014-01-26 15:29:22 -08:00
20140126.diff.2.repositoryphid.sql Update DifferentialDiff: add repositoryPHID, drop parentRevisionID 2014-01-26 15:29:22 -08:00
20140130.dash.1.board.sql Add initial skeleton for Dashboard application 2014-01-30 11:43:24 -08:00
20140130.dash.2.panel.sql Add initial skeleton for Dashboard application 2014-01-30 11:43:24 -08:00
20140130.dash.3.boardxaction.sql Add edit/view plumbing for dashboards and panels 2014-02-03 10:52:15 -08:00
20140130.dash.4.panelxaction.sql Add edit/view plumbing for dashboards and panels 2014-02-03 10:52:15 -08:00
20140130.mail.1.retry.sql Remove retry/failure mechanisms from MetaMTA 2014-02-01 14:35:42 -08:00
20140130.mail.2.next.sql Remove retry/failure mechanisms from MetaMTA 2014-02-01 14:35:42 -08:00
20140201.gc.1.mailsent.sql Add a GC for sent and received mail 2014-02-03 10:51:31 -08:00
20140201.gc.2.mailreceived.sql Add a GC for sent and received mail 2014-02-03 10:51:31 -08:00
20140205.cal.1.rename.sql Rename PhabricatorUserStatus to PhabricatorCalendarEvent 2014-02-06 10:07:29 -08:00
20140205.cal.2.phid-col.sql Assign PHIDs to calendar events 2014-02-06 10:10:43 -08:00
20140205.cal.3.phid-mig.php Assign PHIDs to calendar events 2014-02-06 10:10:43 -08:00
20140205.cal.4.phid-key.sql Assign PHIDs to calendar events 2014-02-06 10:10:43 -08:00
20140210.herald.rule-condition-mig.php Herald - make herald condition of herald rule display better 2014-02-10 14:40:09 -08:00
20140210.projcfield.1.blurb.php Migrate project blurb/description to standard custom field storage 2014-02-10 14:31:57 -08:00
20140210.projcfield.2.piccol.sql Migrate project profiles onto projects, and remove ProjectProfile object 2014-02-10 14:32:14 -08:00
20140210.projcfield.3.picmig.sql Migrate project profiles onto projects, and remove ProjectProfile object 2014-02-10 14:32:14 -08:00
20140210.projcfield.4.memmig.sql Allow unsubscription from projects 2014-02-11 07:45:56 -08:00
20140210.projcfield.5.dropprofile.sql [Later] Drop the project profile table 2014-04-24 08:15:24 -07:00
20140211.dx.1.nullablechangesetid.sql Migrate all Differential comment text into new storage 2014-02-11 11:34:15 -08:00
20140211.dx.2.migcommenttext.php Migrate all Differential comment text into new storage 2014-02-11 11:34:15 -08:00
20140211.dx.3.migsubscriptions.sql Move Differential to proper subscriptions 2014-02-12 08:53:40 -08:00
20140212.dx.1.armageddon.php Remove DifferentialComment 2014-03-11 13:02:33 -07:00
20140218.differentialdraft.sql Differential - add DifferentialDraft to track whether revisions have draft feedback or not 2014-02-18 16:25:16 -08:00
20140218.passwords.1.extend.sql Provide more storage space for password hashes and migrate existing hashes to "md5:" 2014-02-18 14:09:36 -08:00
20140218.passwords.2.prefix.sql Provide more storage space for password hashes and migrate existing hashes to "md5:" 2014-02-18 14:09:36 -08:00
20140218.passwords.3.vcsextend.sql Modernize VCS password storage to use shared hash infrastructure 2014-02-18 14:09:36 -08:00
20140218.passwords.4.vcs.php Modernize VCS password storage to use shared hash infrastructure 2014-02-18 14:09:36 -08:00
20140223.bigutf8scratch.sql Add test coverage that our definition of BMP agrees with MySQL 2014-02-23 16:20:38 -08:00
20140224.dxclean.1.datecommitted.sql Remove "dateCommitted" field from DifferentialRevision 2014-02-25 12:36:14 -08:00
20140226.dxcustom.1.fielddata.php Migrate old AuxiliaryField storage to modern CustomField storage 2014-02-26 16:52:30 -08:00
20140228.dxcomment.1.sql Make "EditPro" controller work with diff updates 2014-02-28 16:49:22 -08:00
20140305.diviner.1.slugcol.sql Fix Diviner links to articles by title 2014-03-05 12:07:26 -08:00
20140305.diviner.2.slugkey.sql Fix Diviner links to articles by title 2014-03-05 12:07:26 -08:00
20140311.mdroplegacy.sql Drop Maniphest legacy transaction table 2014-03-12 06:04:45 -07:00
20140314.projectcolumn.1.statuscol.sql Workboards - let users delete columns 2014-03-18 10:40:31 -07:00
20140314.projectcolumn.2.statuskey.sql Workboards - let users delete columns 2014-03-18 10:40:31 -07:00
20140317.mupdatedkey.sql Add "Date Updated" query fields for Maniphest 2014-03-17 15:53:07 -07:00
20140321.harbor.1.bxaction.sql Use ApplicationTransactions and CustomField to implement build steps 2014-03-25 16:08:40 -07:00
20140321.mstatus.1.col.sql Use string constants, not integer constants, to represent task status internally 2014-03-25 13:58:14 -07:00
20140321.mstatus.2.mig.php Use string constants, not integer constants, to represent task status internally 2014-03-25 13:58:14 -07:00
20140323.harbor.1.renames.php Rename concrete Harbormaster step implementations 2014-03-25 16:09:51 -07:00
20140323.harbor.2.message.sql Allow external systems to send messages to build targets 2014-03-25 16:11:28 -07:00
20140325.push.1.event.sql Provide a real object ("PhabricatorRepositoryPushEvent") to represent an entire push transaction 2014-03-26 13:51:06 -07:00
20140325.push.2.eventphid.sql Provide a real object ("PhabricatorRepositoryPushEvent") to represent an entire push transaction 2014-03-26 13:51:06 -07:00
20140325.push.3.groups.php Provide a real object ("PhabricatorRepositoryPushEvent") to represent an entire push transaction 2014-03-26 13:51:06 -07:00
20140325.push.4.prune.sql Provide a real object ("PhabricatorRepositoryPushEvent") to represent an entire push transaction 2014-03-26 13:51:06 -07:00
20140326.project.1.colxaction.sql Workboards - add column detail page 2014-03-26 14:40:47 -07:00
20140328.releeph.1.productxaction.sql Rename Releeph "Project" transactions to "Product" 2014-03-29 09:15:09 -07:00
20140330.flagtext.sql Allow very long notes on flags 2014-03-30 19:51:46 -07:00
20140402.actionlog.sql Add semi-generic rate limiting infrastructure 2014-04-03 11:22:38 -07:00
20140410.accountsecret.1.sql Use better secrets in generating account tokens 2014-04-10 11:45:10 -07:00
20140410.accountsecret.2.php Use better secrets in generating account tokens 2014-04-10 11:45:10 -07:00
20140416.harbor.1.sql Drop nonsense buildStatus field from Buildable 2014-04-17 16:01:06 -07:00
20140420.rel.1.objectphid.sql Add "requestedObjectPHID" to ReleephRequest 2014-04-20 11:55:18 -07:00
20140420.rel.2.objectmig.php Add "requestedObjectPHID" to ReleephRequest 2014-04-20 11:55:18 -07:00
20140421.slowvotecolumnsisclosed.sql Ability to close poll 2014-04-24 12:02:56 -07:00
20140423.session.1.hisec.sql Add "High Security" mode to support multi-factor auth 2014-04-27 17:31:11 -07:00
20140427.mfactor.1.sql Add multi-factor auth and TOTP support 2014-04-28 09:27:11 -07:00
20140430.auth.1.partial.sql Require multiple auth factors to establish web sessions 2014-05-01 10:23:02 -07:00
20140430.dash.1.paneltype.sql Add dashboard panel types 2014-04-30 14:28:20 -07:00
20140430.dash.2.edge.sql Allow panels to appear on dashboards 2014-04-30 14:28:55 -07:00
20140501.passphraselockcredential.sql Add a "Lock Permanently" action to Passphrase 2014-05-02 18:21:51 -07:00
20140501.remove.1.dlog.sql Implement bin/remove, for structured destruction of objects 2014-05-01 18:23:31 -07:00
20140507.smstable.sql Add SMS support 2014-05-09 12:47:21 -07:00
20140509.coverage.1.sql Provide a rough, unstable API for reporting coverage into Diffusion 2014-05-17 16:10:54 -07:00
20140509.dashboardlayoutconfig.sql Dashboards - add layout mode to dashboards 2014-05-15 19:12:40 -07:00
20140512.dparents.1.sql Record parent relationships when discovering commits 2014-05-12 11:47:22 -07:00
20140514.harbormasterbuildabletransaction.sql Show command transactions in Harbormaster builds 2014-05-15 07:04:34 -07:00
20140514.pholiomockclose.sql Close pholio mocks 2014-05-19 11:34:23 -07:00
20140515.trust-emails.sql can now tell phabricator you trust an auth provider's emails (useful for Google OAuth), which will mark emails as "verified" and will skip email verification. 2014-05-16 14:14:06 -07:00
20140517.dxbinarycache.sql Fix binary/utf8 issues with Differential changeset parse cache 2014-05-17 16:34:13 -07:00
20140518.dxmorebinarycache.sql Change LONGTEXT cache column to BINARY 2014-05-17 22:38:56 -07:00
20140519.dashboardinstall.sql Dashboards - add ability to install dashboard as home 2014-05-19 16:09:31 -07:00
20140520.authtemptoken.sql Add "temporary tokens" to auth, for SMS codes, TOTP codes, reset codes, etc 2014-05-20 11:43:45 -07:00