1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-27 17:22:42 +01:00
phorge-phorge/src/applications/auth
epriestley 1d0b99e1f8 Allow applications to require a High Security token without doing a session upgrade
Summary:
Ref T13222. See PHI873. Currently, when applications prompt users to enter MFA, their session upgrades as a side effect.

In some cases (like managing your email addresses) it makes sense to upgrade your session for a little while since it's common to make multiple edits in sequence (add a new address, make it primary, remove an old address). We generally want MFA to stay out of the way and not feel annoying.

In other cases, we don't expect multiple high-security actions in a row. Notably, PHI873 looks at more "one-shot" use cases where a prompt is answering a specific workflow. We already have at least one of these in the upstream: answering an MFA prompt when signing a Legalpad document.

Introduce a "token" workflow (in contrast to the existing "session") workflow that just does a one-shot prompt without upgrading your session statefully. Then, make Legalpad use this new workflow.

Note that this workflow has a significant problem: if the form submission is invalid for some other reason, we re-prompt you on resubmit. In Legalpad, this workflow looks like:

  - Forget to check the "I agree" checkbox.
  - Submit the form.
  - Get prompted for MFA.
  - Answer MFA prompt.
  - Get dumped back to the form with an error.
  - When you fix the error and submit again, you have to do another MFA check.

This isn't a fatal flaw in Legalpad, but would become a problem with wider adoption. I'll work on fixing this (so the MFA token sticks to the form) in the next set of changes.

Roughly, this is headed toward "MFA sticks to the form/workflow" instead of "MFA sticks to the user/session".

Test Plan:
  - Signed a legalpad document with MFA enabled.
  - Was prompted for MFA.
  - Session no longer upgraded (no purple "session in high security" badge).
  - Submitted form with error, answered MFA, fixed error, submitted form again.
    - Bad behavior: got re-prompted for MFA. In the future, MFA should stick to the form.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D19843
2018-11-28 13:39:59 -08:00
..
__tests__ Prevent users from selecting excessively bad passwords based on their username or email address 2018-11-06 12:44:07 -08:00
action Add a rate limit for guessing old passwords when changing passwords 2018-01-23 13:46:06 -08:00
application Add a bin/auth revoke revoker for SSH keys 2018-01-22 15:35:07 -08:00
capability Auth - add "manage providers" capability 2015-01-12 14:37:58 -08:00
conduit Deactivate SSH keys instead of destroying them completely 2016-05-18 14:54:28 -07:00
constants Support invites in the registration and login flow 2015-02-11 06:06:28 -08:00
controller Never generate file download forms which point to the CDN domain, tighten "form-action" CSP 2018-02-28 17:20:12 -08:00
data Add session and request hooks to PhabricatorAuthSessionEngine 2016-11-17 13:09:29 -08:00
editor Use object PHIDs for "Thread-Topic" headers in mail 2018-02-08 06:21:00 -08:00
engine Allow applications to require a High Security token without doing a session upgrade 2018-11-28 13:39:59 -08:00
exception Add email invites to Phabricator (logic only) 2015-02-09 16:12:36 -08:00
extension Add a more modern object for storing password hashes 2018-01-22 15:35:28 -08:00
factor Use 160-bit TOTP keys rather than 80-bit TOTP keys 2018-11-07 15:44:02 -08:00
garbagecollector Provide bin/garbage for interacting with garbage collection 2015-10-02 09:17:24 -07:00
guidance Add a bunch of Phacility-specific code to the upstream, thinly veiled as generic code 2016-11-15 09:11:22 -08:00
handler Modularize generation of supplemental login messages 2015-09-04 10:34:39 -07:00
mail Send forced mail on SSH key edits 2016-05-19 15:01:25 -07:00
management Add "bin/auth revoke --list" to explain what can be revoked 2018-01-23 14:01:39 -08:00
password Prevent users from selecting excessively bad passwords based on their username or email address 2018-11-06 12:44:07 -08:00
phid Add a more modern object for storing password hashes 2018-01-22 15:35:28 -08:00
provider Include OAuth targets in "form-action" Content-Security-Policy 2018-02-28 19:28:35 -08:00
query Continue making application fixes to Phabricator for changes to %Q semantics 2018-11-15 03:50:02 -08:00
revoker Add "bin/auth revoke --list" to explain what can be revoked 2018-01-23 14:01:39 -08:00
sshkey Send forced mail on SSH key edits 2016-05-19 15:01:25 -07:00
storage When a user takes actions while in a high security session, note it on the resulting transactions 2018-09-12 12:57:02 -07:00
tokentype Redesign Config Application 2016-08-29 15:49:49 -07:00
view Explicitly add rel="noreferrer" to all external links 2018-02-17 17:46:11 -08:00
worker Send emails for email invites 2015-02-11 06:06:09 -08:00
xaction Add test coverage to the PasswordEngine upgrade workflow and fix a few bugs 2018-01-23 10:55:35 -08:00