No OneTemporary
Actions

Size

14 KB

Referenced Files

None

Subscribers

None

View Options

	diff --git a/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php b/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
	index a40ab02d89..312367d03a 100644
	--- a/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
	+++ b/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
	@@ -1,199 +1,199 @@
	<?php

	final class PhabricatorAuthOneTimeLoginController
	extends PhabricatorAuthController {

	private $id;
	private $key;
	private $emailID;
	private $linkType;

	public function shouldRequireLogin() {
	return false;
	}

	public function willProcessRequest(array $data) {
	$this->linkType = $data['type'];
	$this->id = $data['id'];
	$this->key = $data['key'];
	$this->emailID = idx($data, 'emailID');
	}

	public function processRequest() {
	$request = $this->getRequest();

	if ($request->getUser()->isLoggedIn()) {
	return $this->renderError(
	pht('You are already logged in.'));
	}

	$target_user = id(new PhabricatorPeopleQuery())
	->setViewer(PhabricatorUser::getOmnipotentUser())
	->withIDs(array($this->id))
	->executeOne();
	if (!$target_user) {
	return new Aphront404Response();
	}

	// NOTE: As a convenience to users, these one-time login URIs may also
	// be associated with an email address which will be verified when the
	// URI is used.

	// This improves the new user experience for users receiving "Welcome"
	// emails on installs that require verification: if we did not verify the
	// email, they'd immediately get roadblocked with a "Verify Your Email"
	// error and have to go back to their email account, wait for a
	// "Verification" email, and then click that link to actually get access to
	// their account. This is hugely unwieldy, and if the link was only sent
	// to the user's email in the first place we can safely verify it as a
	// side effect of login.

	// The email hashed into the URI so users can't verify some email they
	// do not own by doing this:
	//
	// - Add some address you do not own;
	// - request a password reset;
	// - change the URI in the email to the address you don't own;
	// - login via the email link; and
	// - get a "verified" address you don't control.

	$target_email = null;
	if ($this->emailID) {
	$target_email = id(new PhabricatorUserEmail())->loadOneWhere(
	'userPHID = %s AND id = %d',
	$target_user->getPHID(),
	$this->emailID);
	if (!$target_email) {
	return new Aphront404Response();
	}
	}

	$engine = new PhabricatorAuthSessionEngine();
	$token = $engine->loadOneTimeLoginKey(
	$target_user,
	$target_email,
	$this->key);

	if (!$token) {
	return $this->newDialog()
	->setTitle(pht('Unable to Login'))
	->setShortTitle(pht('Login Failure'))
	->appendParagraph(
	pht(
	'The login link you clicked is invalid, out of date, or has '.
	'already been used.'))
	->appendParagraph(
	pht(
	'Make sure you are copy-and-pasting the entire link into '.
	'your browser. Login links are only valid for 24 hours, and '.
	'can only be used once.'))
	->appendParagraph(
	pht('You can try again, or request a new link via email.'))
	->addCancelButton('/login/email/', pht('Send Another Email'));
	}

	if ($request->isFormPost()) {
	// If we have an email bound into this URI, verify email so that clicking
	// the link in the "Welcome" email is good enough, without requiring users
	// to go through a second round of email verification.

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	// Nuke the token and all other outstanding password reset tokens.
	// There is no particular security benefit to destroying them all, but
	// it should reduce HackerOne reports of nebulous harm.

	PhabricatorAuthTemporaryToken::revokeTokens(
	$target_user,
	array($target_user->getPHID()),
	array(
	PhabricatorAuthSessionEngine::ONETIME_TEMPORARY_TOKEN_TYPE,
	PhabricatorAuthSessionEngine::PASSWORD_TEMPORARY_TOKEN_TYPE,
	));

	if ($target_email) {
	id(new PhabricatorUserEditor())
	->setActor($target_user)
	->verifyEmail($target_user, $target_email);
	}
	unset($unguarded);

	$next = '/';
	if (!PhabricatorPasswordAuthProvider::getPasswordProvider()) {
	$next = '/settings/panel/external/';
	- } else if (PhabricatorEnv::getEnvConfig('account.editable')) {
	+ } else {

	// We're going to let the user reset their password without knowing
	// the old one. Generate a one-time token for that.
	$key = Filesystem::readRandomCharacters(16);

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	id(new PhabricatorAuthTemporaryToken())
	->setObjectPHID($target_user->getPHID())
	->setTokenType(
	PhabricatorAuthSessionEngine::PASSWORD_TEMPORARY_TOKEN_TYPE)
	->setTokenExpires(time() + phutil_units('1 hour in seconds'))
	->setTokenCode(PhabricatorHash::digest($key))
	->save();
	unset($unguarded);

	$next = (string)id(new PhutilURI('/settings/panel/password/'))
	->setQueryParams(
	array(
	'key' => $key,
	));

	$request->setTemporaryCookie(PhabricatorCookies::COOKIE_HISEC, 'yes');
	}

	PhabricatorCookies::setNextURICookie($request, $next, $force = true);

	return $this->loginUser($target_user);
	}

	// NOTE: We need to CSRF here so attackers can't generate an email link,
	// then log a user in to an account they control via sneaky invisible
	// form submissions.

	switch ($this->linkType) {
	case PhabricatorAuthSessionEngine::ONETIME_WELCOME:
	$title = pht('Welcome to Phabricator');
	break;
	case PhabricatorAuthSessionEngine::ONETIME_RECOVER:
	$title = pht('Account Recovery');
	break;
	case PhabricatorAuthSessionEngine::ONETIME_USERNAME:
	case PhabricatorAuthSessionEngine::ONETIME_RESET:
	default:
	$title = pht('Login to Phabricator');
	break;
	}

	$body = array();
	$body[] = pht(
	'Use the button below to log in as: %s',
	phutil_tag('strong', array(), $target_user->getUsername()));

	if ($target_email && !$target_email->getIsVerified()) {
	$body[] = pht(
	'Logging in will verify %s as an email address you own.',
	phutil_tag('strong', array(), $target_email->getAddress()));

	}

	$body[] = pht(
	'After logging in you should set a password for your account, or '.
	'link your account to an external account that you can use to '.
	'authenticate in the future.');

	$dialog = $this->newDialog()
	->setTitle($title)
	->addSubmitButton(pht('Login (%s)', $target_user->getUsername()))
	->addCancelButton('/');

	foreach ($body as $paragraph) {
	$dialog->appendParagraph($paragraph);
	}

	return id(new AphrontDialogResponse())->setDialog($dialog);
	}
	}
	diff --git a/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php b/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
	index eeb9b3410e..8524e5baa0 100644
	--- a/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
	+++ b/src/applications/settings/panel/PhabricatorSettingsPanelPassword.php
	@@ -1,224 +1,217 @@
	<?php

	final class PhabricatorSettingsPanelPassword
	extends PhabricatorSettingsPanel {

	public function getPanelKey() {
	return 'password';
	}

	public function getPanelName() {
	return pht('Password');
	}

	public function getPanelGroup() {
	return pht('Authentication');
	}

	public function isEnabled() {
	- // There's no sense in showing a change password panel if the user
	- // can't change their password...
	-
	- if (!PhabricatorEnv::getEnvConfig('account.editable')) {
	- return false;
	- }
	-
	- // ...or this install doesn't support password authentication at all.
	-
	+ // There's no sense in showing a change password panel if this install
	+ // doesn't support password authentication.
	if (!PhabricatorPasswordAuthProvider::getPasswordProvider()) {
	return false;
	}

	return true;
	}

	public function processRequest(AphrontRequest $request) {
	$user = $request->getUser();

	$token = id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
	$user,
	$request,
	'/settings/');

	$min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length');
	$min_len = (int)$min_len;

	// NOTE: To change your password, you need to prove you own the account,
	// either by providing the old password or by carrying a token to
	// the workflow from a password reset email.

	$key = $request->getStr('key');
	$token = null;
	if ($key) {
	$token = id(new PhabricatorAuthTemporaryTokenQuery())
	->setViewer($user)
	->withObjectPHIDs(array($user->getPHID()))
	->withTokenTypes(
	array(PhabricatorAuthSessionEngine::PASSWORD_TEMPORARY_TOKEN_TYPE))
	->withTokenCodes(array(PhabricatorHash::digest($key)))
	->withExpired(false)
	->executeOne();
	}

	$e_old = true;
	$e_new = true;
	$e_conf = true;

	$errors = array();
	if ($request->isFormPost()) {
	if (!$token) {
	$envelope = new PhutilOpaqueEnvelope($request->getStr('old_pw'));
	if (!$user->comparePassword($envelope)) {
	$errors[] = pht('The old password you entered is incorrect.');
	$e_old = pht('Invalid');
	}
	}

	$pass = $request->getStr('new_pw');
	$conf = $request->getStr('conf_pw');

	if (strlen($pass) < $min_len) {
	$errors[] = pht('Your new password is too short.');
	$e_new = pht('Too Short');
	} else if ($pass !== $conf) {
	$errors[] = pht('New password and confirmation do not match.');
	$e_conf = pht('Invalid');
	} else if (PhabricatorCommonPasswords::isCommonPassword($pass)) {
	$e_new = pht('Very Weak');
	$e_conf = pht('Very Weak');
	$errors[] = pht(
	'Your new password is very weak: it is one of the most common '.
	'passwords in use. Choose a stronger password.');
	}

	if (!$errors) {
	// This write is unguarded because the CSRF token has already
	// been checked in the call to $request->isFormPost() and
	// the CSRF token depends on the password hash, so when it
	// is changed here the CSRF token check will fail.
	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();

	$envelope = new PhutilOpaqueEnvelope($pass);
	id(new PhabricatorUserEditor())
	->setActor($user)
	->changePassword($user, $envelope);

	unset($unguarded);

	if ($token) {
	// Destroy the token.
	$token->delete();

	// If this is a password set/reset, kick the user to the home page
	// after we update their account.
	$next = '/';
	} else {
	$next = $this->getPanelURI('?saved=true');
	}

	id(new PhabricatorAuthSessionEngine())->terminateLoginSessions(
	$user,
	$request->getCookie(PhabricatorCookies::COOKIE_SESSION));

	return id(new AphrontRedirectResponse())->setURI($next);
	}
	}

	$hash_envelope = new PhutilOpaqueEnvelope($user->getPasswordHash());
	if (strlen($hash_envelope->openEnvelope())) {
	try {
	$can_upgrade = PhabricatorPasswordHasher::canUpgradeHash(
	$hash_envelope);
	} catch (PhabricatorPasswordHasherUnavailableException $ex) {
	$can_upgrade = false;

	// Only show this stuff if we aren't on the reset workflow. We can
	// do resets regardless of the old hasher's availability.
	if (!$token) {
	$errors[] = pht(
	'Your password is currently hashed using an algorithm which is '.
	'no longer available on this install.');
	$errors[] = pht(
	'Because the algorithm implementation is missing, your password '.
	'can not be used or updated.');
	$errors[] = pht(
	'To set a new password, request a password reset link from the '.
	'login screen and then follow the instructions.');
	}
	}

	if ($can_upgrade) {
	$errors[] = pht(
	'The strength of your stored password hash can be upgraded. '.
	'To upgrade, either: log out and log in using your password; or '.
	'change your password.');
	}
	}

	$len_caption = null;
	if ($min_len) {
	$len_caption = pht('Minimum password length: %d characters.', $min_len);
	}

	$form = new AphrontFormView();
	$form
	->setUser($user)
	->addHiddenInput('key', $key);

	if (!$token) {
	$form->appendChild(
	id(new AphrontFormPasswordControl())
	->setLabel(pht('Old Password'))
	->setError($e_old)
	->setName('old_pw'));
	}

	$form
	->appendChild(
	id(new AphrontFormPasswordControl())
	->setDisableAutocomplete(true)
	->setLabel(pht('New Password'))
	->setError($e_new)
	->setName('new_pw'));
	$form
	->appendChild(
	id(new AphrontFormPasswordControl())
	->setDisableAutocomplete(true)
	->setLabel(pht('Confirm Password'))
	->setCaption($len_caption)
	->setError($e_conf)
	->setName('conf_pw'));
	$form
	->appendChild(
	id(new AphrontFormSubmitControl())
	->setValue(pht('Change Password')));

	$form->appendChild(
	id(new AphrontFormStaticControl())
	->setLabel(pht('Current Algorithm'))
	->setValue(PhabricatorPasswordHasher::getCurrentAlgorithmName(
	new PhutilOpaqueEnvelope($user->getPasswordHash()))));

	$form->appendChild(
	id(new AphrontFormStaticControl())
	->setLabel(pht('Best Available Algorithm'))
	->setValue(PhabricatorPasswordHasher::getBestAlgorithmName()));

	$form->appendRemarkupInstructions(
	pht(
	'NOTE: Changing your password will terminate any other outstanding '.
	'login sessions.'));

	$form_box = id(new PHUIObjectBoxView())
	->setHeaderText(pht('Change Password'))
	->setFormSaved($request->getStr('saved'))
	->setFormErrors($errors)
	->setForm($form);

	return array(
	$form_box,
	);
	}


	}

File Metadata

Mime Type: text/x-diff
Expires: Mon, Mar 16, 9:47 AM (1 d, 4 h)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 962559
Default Alt Text: (14 KB)

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions