Add a garbage collector for MFA challenges · recaptime.dev/phorge@5e94343

@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

phorge phabricator

fork

Add a garbage collector for MFA challenges

Summary:
Depends on D19886. Ref T13222. Clean up MFA challenges after they expire.

(There's maybe some argument to keeping these around for a little while for debugging/forensics, but I suspect it would never actually be valuable and figure we can cross that bridge if we come to it.)

Test Plan:
- Ran `bin/garbage collect --collector ...` and saw old MFA challenges collected.
- Triggered a new challenge, GC'd again, saw it survive GC while still active.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13222

Differential Revision: https://secure.phabricator.com/D19888

epriestley 7 years ago 5e94343c b8cbfda0

+33

3 changed files

expand all

src

__phutil_library_map__.php

applications

auth

garbagecollector

PhabricatorAuthChallengeGarbageCollector.php

storage

PhabricatorAuthChallenge.php

src/__phutil_library_map__.php

··· 2188 2188 'PhabricatorAuthAuthFactorPHIDType' => 'applications/auth/phid/PhabricatorAuthAuthFactorPHIDType.php', 2189 2189 'PhabricatorAuthAuthProviderPHIDType' => 'applications/auth/phid/PhabricatorAuthAuthProviderPHIDType.php', 2190 2190 'PhabricatorAuthChallenge' => 'applications/auth/storage/PhabricatorAuthChallenge.php', 2191 + 'PhabricatorAuthChallengeGarbageCollector' => 'applications/auth/garbagecollector/PhabricatorAuthChallengeGarbageCollector.php', 2191 2192 'PhabricatorAuthChallengePHIDType' => 'applications/auth/phid/PhabricatorAuthChallengePHIDType.php', 2192 2193 'PhabricatorAuthChallengeQuery' => 'applications/auth/query/PhabricatorAuthChallengeQuery.php', 2193 2194 'PhabricatorAuthChangePasswordAction' => 'applications/auth/action/PhabricatorAuthChangePasswordAction.php', ··· 7830 7831 'PhabricatorAuthDAO', 7831 7832 'PhabricatorPolicyInterface', 7832 7833 ), 7834 + 'PhabricatorAuthChallengeGarbageCollector' => 'PhabricatorGarbageCollector', 7833 7835 'PhabricatorAuthChallengePHIDType' => 'PhabricatorPHIDType', 7834 7836 'PhabricatorAuthChallengeQuery' => 'PhabricatorCursorPagedPolicyAwareQuery', 7835 7837 'PhabricatorAuthChangePasswordAction' => 'PhabricatorSystemAction',

+28

src/applications/auth/garbagecollector/PhabricatorAuthChallengeGarbageCollector.php

··· 1 + <?php 2 + 3 + final class PhabricatorAuthChallengeGarbageCollector 4 + extends PhabricatorGarbageCollector { 5 + 6 + const COLLECTORCONST = 'auth.challenges'; 7 + 8 + public function getCollectorName() { 9 + return pht('Authentication Challenges'); 10 + } 11 + 12 + public function hasAutomaticPolicy() { 13 + return true; 14 + } 15 + 16 + protected function collectGarbage() { 17 + $challenge_table = new PhabricatorAuthChallenge(); 18 + $conn = $challenge_table->establishConnection('w'); 19 + 20 + queryfx( 21 + $conn, 22 + 'DELETE FROM %R WHERE challengeTTL < UNIX_TIMESTAMP() LIMIT 100', 23 + $challenge_table); 24 + 25 + return ($conn->getAffectedRows() == 100); 26 + } 27 + 28 + }

src/applications/auth/storage/PhabricatorAuthChallenge.php

··· 25 25 'key_issued' => array( 26 26 'columns' => array('userPHID', 'challengeTTL'), 27 27 ), 28 + 'key_collection' => array( 29 + 'columns' => array('challengeTTL'), 30 + ), 28 31 ), 29 32 ) + parent::getConfiguration(); 30 33 }

Configure Feed

Configure Feed