@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge


Correct a possible fatal in the non-CSRF Duo MFA workflow

Summary:
Ref T13259. If we miss the separate CSRF step in Duo and proceed directly to prompting, we may fail to build a response which turns into a real control and fatal on `null->setLabel()`.

Instead, let MFA providers customize their "bare prompt dialog" response, then make Duo use the same "you have an outstanding request" response for the CSRF and no-CSRF workflows.

Test Plan: Hit Duo auth on a non-CSRF workflow (e.g., edit an MFA provider with Duo enabled). Previously: `setLabel()` fatal. After patch: smooth sailing.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13259

Differential Revision: https://secure.phabricator.com/D20234

+55 -1
+8 -1
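--- a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
+++ b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
@@ -714,7 +714,14 @@
   if (isset($validation_results[$factor_phid])) {
     continue;
   }
-  $validation_results[$factor_phid] = new PhabricatorAuthFactorResult();
+
+  $issued_challenges = idx($challenge_map, $factor_phid, array());
+
+  $validation_results[$factor_phid] = $impl->getResultForPrompt(
+    $factor,
+    $viewer,
+    $request,
+    $issued_challenges);
 }
 
 throw id(new PhabricatorAuthHighSecurityRequiredException())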
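Review bot: `$impl` is used in the added `getResultForPrompt()` call but is not assigned anywhere in the visible loop body, and the loop header is outside the hunk. If it is left over from an earlier loop, every unanswered factor would be prompted through whichever provider implementation was resolved last, which matters as soon as an account mixes Duo with another factor type. Confirm the implementation is resolved from `$factor` inside this loop, and consider a comment above the call such as `// No response yet for this factor: let its own provider build the prompt-state result.`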
+34
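--- a/src/applications/auth/factor/PhabricatorAuthFactor.php
+++ b/src/applications/auth/factor/PhabricatorAuthFactor.php
@@ -221,6 +221,40 @@
     return $result;
   }
 
+  final public function getResultForPrompt(
+    PhabricatorAuthFactorConfig $config,
+    PhabricatorUser $viewer,
+    AphrontRequest $request,
+    array $challenges) {
+    assert_instances_of($challenges, 'PhabricatorAuthChallenge');
+
+    $result = $this->newResultForPrompt(
+      $config,
+      $viewer,
+      $request,
+      $challenges);
+
+    if (!$this->isAuthResult($result)) {
+      throw new Exception(
+        pht(
+          'Expected "newResultForPrompt()" to return an object of class "%s", '.
+          'but it returned something else ("%s"; in "%s").',
+          'PhabricatorAuthFactorResult',
+          phutil_describe_type($result),
+          get_class($this)));
+    }
+
+    return $result;
+  }
+
+  protected function newResultForPrompt(
+    PhabricatorAuthFactorConfig $config,
+    PhabricatorUser $viewer,
+    AphrontRequest $request,
+    array $challenges) {
+    return $this->newResult();
+  }
+
   abstract protected function newResultFromIssuedChallenges(
     PhabricatorAuthFactorConfig $config,
     PhabricatorUser $viewer,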
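Review bot: `newResultForPrompt()` is a new provider extension point with no docblock, and the `getResultForPrompt()` wrapper checks only the class of the returned object. Because the session engine stores this result for a factor the user has not answered, the contract should be written down. I would add a docblock on `newResultForPrompt()` saying it is called when the factor is shown without a validated response, that `$challenges` holds the challenges already issued for it, and that an override must return a result describing the prompt state, never a successful answer. How the caller treats a result that reports itself as valid is not visible in this file section, so that last constraint is worth confirming against the session engine.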
+13
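--- a/src/applications/auth/factor/PhabricatorDuoAuthFactor.php
+++ b/src/applications/auth/factor/PhabricatorDuoAuthFactor.php
@@ -681,6 +681,19 @@
     AphrontRequest $request,
     array $challenges) {
 
+    return $this->getResultForPrompt(
+      $config,
+      $viewer,
+      $request,
+      $challenges);
+  }
+
+  protected function newResultForPrompt(
+    PhabricatorAuthFactorConfig $config,
+    PhabricatorUser $viewer,
+    AphrontRequest $request,
+    array $challenges) {
+
     $result = $this->newResult()
       ->setIsContinue(true)
       ->setErrorMessage(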
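Review bot: The delegating body added at the top of the hunk has no comment explaining why this handler returns the prompt result, so `return $this->getResultForPrompt(...)` reads like a mistake to the next maintainer of an MFA code path. If the intent is what the commit message describes, a one-line comment would do: `// Reuse the prompt result so the CSRF and non-CSRF workflows show the same "outstanding request" state.` The method being shortened starts above the hunk and the `newResultForPrompt()` override continues below it, so the rest of the shared result cannot be checked from here.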