When issuing a "no-op" MFA token because no MFA is configured, don't give the timeline story a badge

@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

phorge phabricator

fork

Summary:
Fixes T13475. Sometimes, we issue a "no op" / "default permit" / "unchallenged" MFA token, when a user with no MFA configured does something which is configured to attempt (but not strictly require) MFA.

An example of this kind of action is changing a username: usernames may be changed even if MFA is not set up.

(Some other operations, notably "Sign With MFA", strictly require that MFA actually be set up.)

When a user with no MFA configured takes a "try MFA" action, we see that they have no factors configured and issue a token so they can continue. This is correct. However, this token causes the assocaited timeline story to get an MFA badge.

This badge is incorrect or at least wildly misleading, since the technical assertion it currently makes ("the user answered any configured MFA challenge to do this, if one exists") isn't explained properly and isn't useful anyway.

Instead, only badge the story if the user actually has MFA and actually responded to some kind of MFA challege. The badge now asserts "this user responded to an MFA challenge", which is expected/desired.

Test Plan:
- As a user with no MFA, renamed a user. Before patch: badged story. After patch: no badge.
- As a user with MFA, renamed a user. Got badged stories in both cases.

Maniphest Tasks: T13475

Differential Revision: https://secure.phabricator.com/D20958

epriestley 6 years ago 12c33709 c99485e8

+22 -5

3 changed files

expand all

src

applications

auth

data

PhabricatorAuthHighSecurityToken.php

engine

PhabricatorAuthSessionEngine.php

transactions

editor

PhabricatorApplicationTransactionEditor.php

+15 -1

src/applications/auth/data/PhabricatorAuthHighSecurityToken.php

··· 1 1 <?php 2 2 3 - final class PhabricatorAuthHighSecurityToken extends Phobject {} 3 + final class PhabricatorAuthHighSecurityToken 4 + extends Phobject { 5 + 6 + private $isUnchallengedToken = false; 7 + 8 + public function setIsUnchallengedToken($is_unchallenged_token) { 9 + $this->isUnchallengedToken = $is_unchallenged_token; 10 + return $this; 11 + } 12 + 13 + public function getIsUnchallengedToken() { 14 + return $this->isUnchallengedToken; 15 + } 16 + 17 + }

+2 -1

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

··· 493 493 // adds an auth factor, existing sessions won't get a free pass into hisec, 494 494 // since they never actually got marked as hisec. 495 495 if (!$factors) { 496 - return $this->issueHighSecurityToken($session, true); 496 + return $this->issueHighSecurityToken($session, true) 497 + ->setIsUnchallengedToken(true); 497 498 } 498 499 499 500 $this->request = $request;

+5 -3

src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php

··· 5152 5152 'an MFA check.')); 5153 5153 } 5154 5154 5155 - id(new PhabricatorAuthSessionEngine()) 5155 + $token = id(new PhabricatorAuthSessionEngine()) 5156 5156 ->setWorkflowKey($workflow_key) 5157 5157 ->requireHighSecurityToken($actor, $request, $cancel_uri); 5158 5158 5159 - foreach ($xactions as $xaction) { 5160 - $xaction->setIsMFATransaction(true); 5159 + if (!$token->getIsUnchallengedToken()) { 5160 + foreach ($xactions as $xaction) { 5161 + $xaction->setIsMFATransaction(true); 5162 + } 5161 5163 } 5162 5164 } 5163 5165

Configure Feed

Configure Feed