

Use new modular temporary auth token constants in one-time login and password reset flows

Summary:
Ref T10603. This converts existing hard-codes to modular constants.

Also removes one small piece of code duplication.

Test Plan:
- Performed one-time logins.
- Performed a password reset.
- Verified temporary tokens were revoked properly.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10603

Differential Revision: https://secure.phabricator.com/D15476

+18 -31
+8 -13
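--- a/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
+++ b/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
@@ -105,23 +105,17 @@
     // the link in the "Welcome" email is good enough, without requiring users
     // to go through a second round of email verification.
 
+    $editor = id(new PhabricatorUserEditor())
+      ->setActor($target_user);
+
     $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
     // Nuke the token and all other outstanding password reset tokens.
     // There is no particular security benefit to destroying them all, but
     // it should reduce HackerOne reports of nebulous harm.
-
-    PhabricatorAuthTemporaryToken::revokeTokens(
-      $target_user,
-      array($target_user->getPHID()),
-      array(
-        PhabricatorAuthSessionEngine::ONETIME_TEMPORARY_TOKEN_TYPE,
-        PhabricatorAuthSessionEngine::PASSWORD_TEMPORARY_TOKEN_TYPE,
-      ));
+    $editor->revokePasswordResetLinks($target_user);
 
     if ($target_email) {
-      id(new PhabricatorUserEditor())
-        ->setActor($target_user)
-        ->verifyEmail($target_user, $target_email);
+      $editor->verifyEmail($target_user, $target_email);
     }
     unset($unguarded);
 
@@ -133,12 +127,13 @@
     // We're going to let the user reset their password without knowing
     // the old one. Generate a one-time token for that.
     $key = Filesystem::readRandomCharacters(16);
+    $password_type =
+      PhabricatorAuthPasswordResetTemporaryTokenType::TOKENTYPE;
 
     $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
     id(new PhabricatorAuthTemporaryToken())
       ->setObjectPHID($target_user->getPHID())
-      ->setTokenType(
-        PhabricatorAuthSessionEngine::PASSWORD_TEMPORARY_TOKEN_TYPE)
+      ->setTokenType($password_type)
       ->setTokenExpires(time() + phutil_units('1 hour in seconds'))
       ->setTokenCode(PhabricatorHash::digest($key))
       ->save();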
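Review bot: The rationale comment above `$editor->revokePasswordResetLinks($target_user);` still describes the old inline revocation ("Nuke the token and all other outstanding password reset tokens"), but which token types are actually revoked is now decided inside PhabricatorUserEditor, so a reader of this controller can no longer see that one-time-login tokens are included. Suggest tightening it to `// Consume this one-time token and revoke every other outstanding one-time-login and password-reset token for the user; see PhabricatorUserEditor::revokePasswordResetLinks() for the rationale.` The second hunk then mints the replacement reset token with a one-hour expiry, so after this request there appears to be at most one live reset token for the user; stating that invariant next to the `->save()` would help the next person who touches either class. The enclosing handler starts and ends outside both hunks.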
+4 -13
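--- a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
+++ b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
@@ -39,17 +39,6 @@
   const KIND_UNKNOWN = '?';
 
 
-  /**
-   * Temporary tokens for one time logins.
-   */
-  const ONETIME_TEMPORARY_TOKEN_TYPE = 'login:onetime';
-
-
-  /**
-   * Temporary tokens for password recovery after one time login.
-   */
-  const PASSWORD_TEMPORARY_TOKEN_TYPE = 'login:password';
-
   const ONETIME_RECOVER = 'recover';
   const ONETIME_RESET = 'reset';
   const ONETIME_WELCOME = 'welcome';
@@ -642,11 +631,12 @@
 
     $key = Filesystem::readRandomCharacters(32);
     $key_hash = $this->getOneTimeLoginKeyHash($user, $email, $key);
+    $onetime_type = PhabricatorAuthOneTimeLoginTemporaryTokenType::TOKENTYPE;
 
     $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
     id(new PhabricatorAuthTemporaryToken())
       ->setObjectPHID($user->getPHID())
-      ->setTokenType(self::ONETIME_TEMPORARY_TOKEN_TYPE)
+      ->setTokenType($onetime_type)
       ->setTokenExpires(time() + phutil_units('1 day in seconds'))
       ->setTokenCode($key_hash)
       ->save();
@@ -685,11 +675,12 @@
     $key = null) {
 
     $key_hash = $this->getOneTimeLoginKeyHash($user, $email, $key);
+    $onetime_type = PhabricatorAuthOneTimeLoginTemporaryTokenType::TOKENTYPE;
 
     return id(new PhabricatorAuthTemporaryTokenQuery())
       ->setViewer($user)
       ->withObjectPHIDs(array($user->getPHID()))
-      ->withTokenTypes(array(self::ONETIME_TEMPORARY_TOKEN_TYPE))
+      ->withTokenTypes(array($onetime_type))
       ->withTokenCodes(array($key_hash))
       ->withExpired(false)
       ->executeOne();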
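Review bot: The first hunk deletes the literal values `'login:onetime'` and `'login:password'` along with the constants, and nothing in this commit shows what `PhabricatorAuthOneTimeLoginTemporaryTokenType::TOKENTYPE` and `PhabricatorAuthPasswordResetTemporaryTokenType::TOKENTYPE` evaluate to. If the new constants do not carry exactly those strings, tokens already stored under the old type values would neither match the lookup in the third hunk nor be revoked by revokeTokens(), and would stay live until they expire; worth confirming the values are unchanged, or adding a migration, before landing. Dropping the public constants also breaks any out-of-tree code that still references `PhabricatorAuthSessionEngine::ONETIME_TEMPORARY_TOKEN_TYPE`; keeping a deprecated alias for one release would soften that. The methods containing the second and third hunks begin outside the hunks.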
+3 -3
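--- a/src/applications/people/editor/PhabricatorUserEditor.php
+++ b/src/applications/people/editor/PhabricatorUserEditor.php
@@ -700,7 +700,7 @@
     }
   }
 
-  private function revokePasswordResetLinks(PhabricatorUser $user) {
+  public function revokePasswordResetLinks(PhabricatorUser $user) {
     // Revoke any outstanding password reset links. If an attacker compromises
     // an account, changes the email address, and sends themselves a password
     // reset link, it could otherwise remain live for a short period of time
@@ -710,8 +710,8 @@
       $user,
       array($user->getPHID()),
       array(
-        PhabricatorAuthOneTimeLoginTemporaryTokenType::TOKENTYPE,
-        PhabricatorAuthPasswordResetTemporaryTokenType::TOKENTYPE,
+        PhabricatorAuthOneTimeLoginTemporaryTokenType::TOKENTYPE,
+        PhabricatorAuthPasswordResetTemporaryTokenType::TOKENTYPE,
       ));
   }
 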
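Review bot: `revokePasswordResetLinks()` becomes public in the first hunk with no docblock, and its name understates what it does: the call in the second hunk revokes both one-time-login and password-reset tokens for `$user`, not only reset links. A caller outside this class now depends on exactly that set, so document it above the signature with a short docblock stating that it revokes every outstanding one-time-login and password-reset temporary token for the given user, and that the one-time-login flow calls it after a token has been consumed. The method body between the two hunks is not shown here.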
+3 -2
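--- a/src/applications/settings/panel/PhabricatorPasswordSettingsPanel.php
+++ b/src/applications/settings/panel/PhabricatorPasswordSettingsPanel.php
@@ -40,13 +40,14 @@
     // the workflow from a password reset email.
 
     $key = $request->getStr('key');
+    $password_type = PhabricatorAuthPasswordResetTemporaryTokenType::TOKENTYPE;
+
     $token = null;
     if ($key) {
       $token = id(new PhabricatorAuthTemporaryTokenQuery())
         ->setViewer($user)
         ->withObjectPHIDs(array($user->getPHID()))
-        ->withTokenTypes(
-          array(PhabricatorAuthSessionEngine::PASSWORD_TEMPORARY_TOKEN_TYPE))
+        ->withTokenTypes(array($password_type))
         ->withTokenCodes(array(PhabricatorHash::digest($key)))
         ->withExpired(false)
         ->executeOne();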