No OneTemporary
Actions

Size

80 KB

Referenced Files

None

Subscribers

None

View Options

	diff --git a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
	index c052805224..38ae2201b8 100644
	--- a/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
	+++ b/src/applications/auth/engine/PhabricatorAuthSessionEngine.php
	@@ -1,1163 +1,1170 @@
	<?php

	/**
	*
	* @task use Using Sessions
	* @task new Creating Sessions
	* @task hisec High Security
	* @task partial Partial Sessions
	* @task onetime One Time Login URIs
	* @task cache User Cache
	*/
	final class PhabricatorAuthSessionEngine extends Phobject {

	/**
	* Session issued to normal users after they login through a standard channel.
	* Associates the client with a standard user identity.
	*/
	const KIND_USER = 'U';


	/**
	* Session issued to users who login with some sort of credentials but do not
	* have full accounts. These are sometimes called "grey users".
	*
	* TODO: We do not currently issue these sessions, see T4310.
	*/
	const KIND_EXTERNAL = 'X';


	/**
	* Session issued to logged-out users which has no real identity information.
	* Its purpose is to protect logged-out users from CSRF.
	*/
	const KIND_ANONYMOUS = 'A';


	/**
	* Session kind isn't known.
	*/
	const KIND_UNKNOWN = '?';


	const ONETIME_RECOVER = 'recover';
	const ONETIME_RESET = 'reset';
	const ONETIME_WELCOME = 'welcome';
	const ONETIME_USERNAME = 'rename';


	private $workflowKey;
	private $request;

	public function setWorkflowKey($workflow_key) {
	$this->workflowKey = $workflow_key;
	return $this;
	}

	public function getWorkflowKey() {

	// TODO: A workflow key should become required in order to issue an MFA
	// challenge, but allow things to keep working for now until we can update
	// callsites.
	if ($this->workflowKey === null) {
	return 'legacy';
	}

	return $this->workflowKey;
	}

	public function getRequest() {
	return $this->request;
	}


	/**
	* Get the session kind (e.g., anonymous, user, external account) from a
	* session token. Returns a `KIND_` constant.
	*
	* @param string Session token.
	* @return const Session kind constant.
	*/
	public static function getSessionKindFromToken($session_token) {
	if (strpos($session_token, '/') === false) {
	// Old-style session, these are all user sessions.
	return self::KIND_USER;
	}

	list($kind, $key) = explode('/', $session_token, 2);

	switch ($kind) {
	case self::KIND_ANONYMOUS:
	case self::KIND_USER:
	case self::KIND_EXTERNAL:
	return $kind;
	default:
	return self::KIND_UNKNOWN;
	}
	}


	/**
	* Load the user identity associated with a session of a given type,
	* identified by token.
	*
	* When the user presents a session token to an API, this method verifies
	* it is of the correct type and loads the corresponding identity if the
	* session exists and is valid.
	*
	* NOTE: `$session_type` is the type of session that is required by the
	* loading context. This prevents use of a Conduit sesssion as a Web
	* session, for example.
	*
	* @param const The type of session to load.
	* @param string The session token.
	* @return PhabricatorUser\|null
	* @task use
	*/
	public function loadUserForSession($session_type, $session_token) {
	$session_kind = self::getSessionKindFromToken($session_token);
	switch ($session_kind) {
	case self::KIND_ANONYMOUS:
	// Don't bother trying to load a user for an anonymous session, since
	// neither the session nor the user exist.
	return null;
	case self::KIND_UNKNOWN:
	// If we don't know what kind of session this is, don't go looking for
	// it.
	return null;
	case self::KIND_USER:
	break;
	case self::KIND_EXTERNAL:
	// TODO: Implement these (T4310).
	return null;
	}

	$session_table = new PhabricatorAuthSession();
	$user_table = new PhabricatorUser();
	$conn = $session_table->establishConnection('r');

	// TODO: See T13225. We're moving sessions to a more modern digest
	// algorithm, but still accept older cookies for compatibility.
	$session_key = PhabricatorAuthSession::newSessionDigest(
	new PhutilOpaqueEnvelope($session_token));
	$weak_key = PhabricatorHash::weakDigest($session_token);

	$cache_parts = $this->getUserCacheQueryParts($conn);
	list($cache_selects, $cache_joins, $cache_map, $types_map) = $cache_parts;

	$info = queryfx_one(
	$conn,
	'SELECT
	s.id AS s_id,
	s.phid AS s_phid,
	s.sessionExpires AS s_sessionExpires,
	s.sessionStart AS s_sessionStart,
	s.highSecurityUntil AS s_highSecurityUntil,
	s.isPartial AS s_isPartial,
	s.signedLegalpadDocuments as s_signedLegalpadDocuments,
	IF(s.sessionKey = %P, 1, 0) as s_weak,
	u.*
	%Q
	FROM %R u JOIN %R s ON u.phid = s.userPHID
	AND s.type = %s AND s.sessionKey IN (%P, %P) %Q',
	new PhutilOpaqueEnvelope($weak_key),
	$cache_selects,
	$user_table,
	$session_table,
	$session_type,
	new PhutilOpaqueEnvelope($session_key),
	new PhutilOpaqueEnvelope($weak_key),
	$cache_joins);

	if (!$info) {
	return null;
	}

	// TODO: Remove this, see T13225.
	$is_weak = (bool)$info['s_weak'];
	unset($info['s_weak']);

	$session_dict = array(
	'userPHID' => $info['phid'],
	'sessionKey' => $session_key,
	'type' => $session_type,
	);

	$cache_raw = array_fill_keys($cache_map, null);
	foreach ($info as $key => $value) {
	if (strncmp($key, 's_', 2) === 0) {
	unset($info[$key]);
	$session_dict[substr($key, 2)] = $value;
	continue;
	}

	if (isset($cache_map[$key])) {
	unset($info[$key]);
	$cache_raw[$cache_map[$key]] = $value;
	continue;
	}
	}

	$user = $user_table->loadFromArray($info);

	$cache_raw = $this->filterRawCacheData($user, $types_map, $cache_raw);
	$user->attachRawCacheData($cache_raw);

	switch ($session_type) {
	case PhabricatorAuthSession::TYPE_WEB:
	// Explicitly prevent bots and mailing lists from establishing web
	// sessions. It's normally impossible to attach authentication to these
	// accounts, and likewise impossible to generate sessions, but it's
	// technically possible that a session could exist in the database. If
	// one does somehow, refuse to load it.
	if (!$user->canEstablishWebSessions()) {
	return null;
	}
	break;
	}

	$session = id(new PhabricatorAuthSession())->loadFromArray($session_dict);

	$this->extendSession($session);

	// TODO: Remove this, see T13225.
	if ($is_weak) {
	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	$conn_w = $session_table->establishConnection('w');
	queryfx(
	$conn_w,
	'UPDATE %T SET sessionKey = %P WHERE id = %d',
	$session->getTableName(),
	new PhutilOpaqueEnvelope($session_key),
	$session->getID());
	unset($unguarded);
	}

	$user->attachSession($session);
	return $user;
	}


	/**
	* Issue a new session key for a given identity. Phabricator supports
	* different types of sessions (like "web" and "conduit") and each session
	* type may have multiple concurrent sessions (this allows a user to be
	* logged in on multiple browsers at the same time, for instance).
	*
	* Note that this method is transport-agnostic and does not set cookies or
	* issue other types of tokens, it ONLY generates a new session key.
	*
	* You can configure the maximum number of concurrent sessions for various
	* session types in the Phabricator configuration.
	*
	* @param const Session type constant (see
	* @{class:PhabricatorAuthSession}).
	* @param phid\|null Identity to establish a session for, usually a user
	* PHID. With `null`, generates an anonymous session.
	* @param bool True to issue a partial session.
	* @return string Newly generated session key.
	*/
	public function establishSession($session_type, $identity_phid, $partial) {
	// Consume entropy to generate a new session key, forestalling the eventual
	// heat death of the universe.
	$session_key = Filesystem::readRandomCharacters(40);

	if ($identity_phid === null) {
	return self::KIND_ANONYMOUS.'/'.$session_key;
	}

	$session_table = new PhabricatorAuthSession();
	$conn_w = $session_table->establishConnection('w');

	// This has a side effect of validating the session type.
	$session_ttl = PhabricatorAuthSession::getSessionTypeTTL(
	$session_type,
	$partial);

	$digest_key = PhabricatorAuthSession::newSessionDigest(
	new PhutilOpaqueEnvelope($session_key));

	// Logging-in users don't have CSRF stuff yet, so we have to unguard this
	// write.
	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	id(new PhabricatorAuthSession())
	->setUserPHID($identity_phid)
	->setType($session_type)
	->setSessionKey($digest_key)
	->setSessionStart(time())
	->setSessionExpires(time() + $session_ttl)
	->setIsPartial($partial ? 1 : 0)
	->setSignedLegalpadDocuments(0)
	->save();

	$log = PhabricatorUserLog::initializeNewLog(
	null,
	$identity_phid,
	($partial
	? PhabricatorUserLog::ACTION_LOGIN_PARTIAL
	: PhabricatorUserLog::ACTION_LOGIN));

	$log->setDetails(
	array(
	'session_type' => $session_type,
	));
	$log->setSession($digest_key);
	$log->save();
	unset($unguarded);

	$info = id(new PhabricatorAuthSessionInfo())
	->setSessionType($session_type)
	->setIdentityPHID($identity_phid)
	->setIsPartial($partial);

	$extensions = PhabricatorAuthSessionEngineExtension::getAllExtensions();
	foreach ($extensions as $extension) {
	$extension->didEstablishSession($info);
	}

	return $session_key;
	}


	/**
	* Terminate all of a user's login sessions.
	*
	* This is used when users change passwords, linked accounts, or add
	* multifactor authentication.
	*
	* @param PhabricatorUser User whose sessions should be terminated.
	* @param string\|null Optionally, one session to keep. Normally, the current
	* login session.
	*
	* @return void
	*/
	public function terminateLoginSessions(
	PhabricatorUser $user,
	PhutilOpaqueEnvelope $except_session = null) {

	$sessions = id(new PhabricatorAuthSessionQuery())
	->setViewer($user)
	->withIdentityPHIDs(array($user->getPHID()))
	->execute();

	if ($except_session !== null) {
	$except_session = PhabricatorAuthSession::newSessionDigest(
	$except_session);
	}

	foreach ($sessions as $key => $session) {
	if ($except_session !== null) {
	$is_except = phutil_hashes_are_identical(
	$session->getSessionKey(),
	$except_session);
	if ($is_except) {
	continue;
	}
	}

	$session->delete();
	}
	}

	public function logoutSession(
	PhabricatorUser $user,
	PhabricatorAuthSession $session) {

	$log = PhabricatorUserLog::initializeNewLog(
	$user,
	$user->getPHID(),
	PhabricatorUserLog::ACTION_LOGOUT);
	$log->save();

	$extensions = PhabricatorAuthSessionEngineExtension::getAllExtensions();
	foreach ($extensions as $extension) {
	$extension->didLogout($user, array($session));
	}

	$session->delete();
	}


	/* -( High Security )------------------------------------------------------ */


	/**
	* Require the user respond to a high security (MFA) check.
	*
	* This method differs from @{method:requireHighSecuritySession} in that it
	* does not upgrade the user's session as a side effect. This method is
	* appropriate for one-time checks.
	*
	* @param PhabricatorUser User whose session needs to be in high security.
	* @param AphrontReqeust Current request.
	* @param string URI to return the user to if they cancel.
	* @return PhabricatorAuthHighSecurityToken Security token.
	* @task hisec
	*/
	public function requireHighSecurityToken(
	PhabricatorUser $viewer,
	AphrontRequest $request,
	$cancel_uri) {

	return $this->newHighSecurityToken(
	$viewer,
	$request,
	$cancel_uri,
	false,
	false);
	}


	/**
	* Require high security, or prompt the user to enter high security.
	*
	* If the user's session is in high security, this method will return a
	* token. Otherwise, it will throw an exception which will eventually
	* be converted into a multi-factor authentication workflow.
	*
	* This method upgrades the user's session to high security for a short
	* period of time, and is appropriate if you anticipate they may need to
	* take multiple high security actions. To perform a one-time check instead,
	* use @{method:requireHighSecurityToken}.
	*
	* @param PhabricatorUser User whose session needs to be in high security.
	* @param AphrontReqeust Current request.
	* @param string URI to return the user to if they cancel.
	* @param bool True to jump partial sessions directly into high
	* security instead of just upgrading them to full
	* sessions.
	* @return PhabricatorAuthHighSecurityToken Security token.
	* @task hisec
	*/
	public function requireHighSecuritySession(
	PhabricatorUser $viewer,
	AphrontRequest $request,
	$cancel_uri,
	$jump_into_hisec = false) {

	return $this->newHighSecurityToken(
	$viewer,
	$request,
	$cancel_uri,
	$jump_into_hisec,
	true);
	}

	private function newHighSecurityToken(
	PhabricatorUser $viewer,
	AphrontRequest $request,
	$cancel_uri,
	$jump_into_hisec,
	$upgrade_session) {

	if (!$viewer->hasSession()) {
	throw new Exception(
	pht('Requiring a high-security session from a user with no session!'));
	}

	// TODO: If a user answers a "requireHighSecurityToken()" prompt and hits
	// a "requireHighSecuritySession()" prompt a short time later, the one-shot
	// token should be good enough to upgrade the session.

	$session = $viewer->getSession();

	// Check if the session is already in high security mode.
	$token = $this->issueHighSecurityToken($session);
	if ($token) {
	return $token;
	}

	// Load the multi-factor auth sources attached to this account. Note that
	// we order factors from oldest to newest, which is not the default query
	// ordering but makes the greatest sense in context.
	$factors = id(new PhabricatorAuthFactorConfigQuery())
	->setViewer($viewer)
	->withUserPHIDs(array($viewer->getPHID()))
	->withFactorProviderStatuses(
	array(
	PhabricatorAuthFactorProviderStatus::STATUS_ACTIVE,
	PhabricatorAuthFactorProviderStatus::STATUS_DEPRECATED,
	))
	->execute();

	// Sort factors in the same order that they appear in on the Settings
	// panel. This means that administrators changing provider statuses may
	// change the order of prompts for users, but the alternative is that the
	// Settings panel order disagrees with the prompt order, which seems more
	// disruptive.
	$factors = msort($factors, 'newSortVector');

	// If the account has no associated multi-factor auth, just issue a token
	// without putting the session into high security mode. This is generally
	// easier for users. A minor but desirable side effect is that when a user
	// adds an auth factor, existing sessions won't get a free pass into hisec,
	// since they never actually got marked as hisec.
	if (!$factors) {
	return $this->issueHighSecurityToken($session, true);
	}

	$this->request = $request;
	foreach ($factors as $factor) {
	$factor->setSessionEngine($this);
	}

	// Check for a rate limit without awarding points, so the user doesn't
	// get partway through the workflow only to get blocked.
	PhabricatorSystemActionEngine::willTakeAction(
	array($viewer->getPHID()),
	new PhabricatorAuthTryFactorAction(),
	0);

	$now = PhabricatorTime::getNow();

	// We need to do challenge validation first, since this happens whether you
	// submitted responses or not. You can't get a "bad response" error before
	// you actually submit a response, but you can get a "wait, we can't
	// issue a challenge yet" response. Load all issued challenges which are
	// currently valid.
	$challenges = id(new PhabricatorAuthChallengeQuery())
	->setViewer($viewer)
	->withFactorPHIDs(mpull($factors, 'getPHID'))
	->withUserPHIDs(array($viewer->getPHID()))
	->withChallengeTTLBetween($now, null)
	->execute();

	PhabricatorAuthChallenge::newChallengeResponsesFromRequest(
	$challenges,
	$request);

	$challenge_map = mgroup($challenges, 'getFactorPHID');

	$validation_results = array();
	$ok = true;

	// Validate each factor against issued challenges. For example, this
	// prevents you from receiving or responding to a TOTP challenge if another
	// challenge was recently issued to a different session.
	foreach ($factors as $factor) {
	$factor_phid = $factor->getPHID();
	$issued_challenges = idx($challenge_map, $factor_phid, array());
	$provider = $factor->getFactorProvider();
	$impl = $provider->getFactor();

	$new_challenges = $impl->getNewIssuedChallenges(
	$factor,
	$viewer,
	$issued_challenges);

	// NOTE: We may get a list of challenges back, or may just get an early
	// result. For example, this can happen on an SMS factor if all SMS
	// mailers have been disabled.
	if ($new_challenges instanceof PhabricatorAuthFactorResult) {
	$result = $new_challenges;

	if (!$result->getIsValid()) {
	$ok = false;
	}

	$validation_results[$factor_phid] = $result;
	$challenge_map[$factor_phid] = $issued_challenges;
	continue;
	}

	foreach ($new_challenges as $new_challenge) {
	$issued_challenges[] = $new_challenge;
	}
	$challenge_map[$factor_phid] = $issued_challenges;

	if (!$issued_challenges) {
	continue;
	}

	$result = $impl->getResultFromIssuedChallenges(
	$factor,
	$viewer,
	$issued_challenges);

	if (!$result) {
	continue;
	}

	if (!$result->getIsValid()) {
	$ok = false;
	}

	$validation_results[$factor_phid] = $result;
	}

	if ($request->isHTTPPost()) {
	$request->validateCSRF();
	if ($request->getExists(AphrontRequest::TYPE_HISEC)) {

	// Limit factor verification rates to prevent brute force attacks.
	$any_attempt = false;
	foreach ($factors as $factor) {
	$factor_phid = $factor->getPHID();

	$provider = $factor->getFactorProvider();
	$impl = $provider->getFactor();

	// If we already have a result (normally "wait..."), we won't try
	// to validate whatever the user submitted, so this doesn't count as
	// an attempt for rate limiting purposes.
	if (isset($validation_results[$factor_phid])) {
	continue;
	}

	if ($impl->getRequestHasChallengeResponse($factor, $request)) {
	$any_attempt = true;
	break;
	}
	}

	if ($any_attempt) {
	PhabricatorSystemActionEngine::willTakeAction(
	array($viewer->getPHID()),
	new PhabricatorAuthTryFactorAction(),
	1);
	}

	foreach ($factors as $factor) {
	$factor_phid = $factor->getPHID();

	// If we already have a validation result from previously issued
	// challenges, skip validating this factor.
	if (isset($validation_results[$factor_phid])) {
	continue;
	}

	$issued_challenges = idx($challenge_map, $factor_phid, array());

	$provider = $factor->getFactorProvider();
	$impl = $provider->getFactor();

	$validation_result = $impl->getResultFromChallengeResponse(
	$factor,
	$viewer,
	$request,
	$issued_challenges);

	if (!$validation_result->getIsValid()) {
	$ok = false;
	}

	$validation_results[$factor_phid] = $validation_result;
	}

	if ($ok) {
	// We're letting you through, so mark all the challenges you
	// responded to as completed. These challenges can never be used
	// again, even by the same session and workflow: you can't use the
	// same response to take two different actions, even if those actions
	// are of the same type.
	foreach ($validation_results as $validation_result) {
	$challenge = $validation_result->getAnsweredChallenge()
	->markChallengeAsCompleted();
	}

	// Give the user a credit back for a successful factor verification.
	if ($any_attempt) {
	PhabricatorSystemActionEngine::willTakeAction(
	array($viewer->getPHID()),
	new PhabricatorAuthTryFactorAction(),
	-1);
	}

	if ($session->getIsPartial() && !$jump_into_hisec) {
	// If we have a partial session and are not jumping directly into
	// hisec, just issue a token without putting it in high security
	// mode.
	return $this->issueHighSecurityToken($session, true);
	}

	// If we aren't upgrading the session itself, just issue a token.
	if (!$upgrade_session) {
	return $this->issueHighSecurityToken($session, true);
	}

	$until = time() + phutil_units('15 minutes in seconds');
	$session->setHighSecurityUntil($until);

	queryfx(
	$session->establishConnection('w'),
	'UPDATE %T SET highSecurityUntil = %d WHERE id = %d',
	$session->getTableName(),
	$until,
	$session->getID());

	$log = PhabricatorUserLog::initializeNewLog(
	$viewer,
	$viewer->getPHID(),
	PhabricatorUserLog::ACTION_ENTER_HISEC);
	$log->save();
	} else {
	$log = PhabricatorUserLog::initializeNewLog(
	$viewer,
	$viewer->getPHID(),
	PhabricatorUserLog::ACTION_FAIL_HISEC);
	$log->save();
	}
	}
	}

	$token = $this->issueHighSecurityToken($session);
	if ($token) {
	return $token;
	}

	// If we don't have a validation result for some factors yet, fill them
	// in with an empty result so form rendering doesn't have to care if the
	// results exist or not. This happens when you first load the form and have
	// not submitted any responses yet.
	foreach ($factors as $factor) {
	$factor_phid = $factor->getPHID();
	if (isset($validation_results[$factor_phid])) {
	continue;
	}
	- $validation_results[$factor_phid] = new PhabricatorAuthFactorResult();
	+
	+ $issued_challenges = idx($challenge_map, $factor_phid, array());
	+
	+ $validation_results[$factor_phid] = $impl->getResultForPrompt(
	+ $factor,
	+ $viewer,
	+ $request,
	+ $issued_challenges);
	}

	throw id(new PhabricatorAuthHighSecurityRequiredException())
	->setCancelURI($cancel_uri)
	->setIsSessionUpgrade($upgrade_session)
	->setFactors($factors)
	->setFactorValidationResults($validation_results);
	}


	/**
	* Issue a high security token for a session, if authorized.
	*
	* @param PhabricatorAuthSession Session to issue a token for.
	* @param bool Force token issue.
	* @return PhabricatorAuthHighSecurityToken\|null Token, if authorized.
	* @task hisec
	*/
	private function issueHighSecurityToken(
	PhabricatorAuthSession $session,
	$force = false) {

	if ($session->isHighSecuritySession() \|\| $force) {
	return new PhabricatorAuthHighSecurityToken();
	}

	return null;
	}


	/**
	* Render a form for providing relevant multi-factor credentials.
	*
	* @param PhabricatorUser Viewing user.
	* @param AphrontRequest Current request.
	* @return AphrontFormView Renderable form.
	* @task hisec
	*/
	public function renderHighSecurityForm(
	array $factors,
	array $validation_results,
	PhabricatorUser $viewer,
	AphrontRequest $request) {
	assert_instances_of($validation_results, 'PhabricatorAuthFactorResult');

	$form = id(new AphrontFormView())
	->setUser($viewer)
	->appendRemarkupInstructions('');

	$answered = array();
	foreach ($factors as $factor) {
	$result = $validation_results[$factor->getPHID()];

	$provider = $factor->getFactorProvider();
	$impl = $provider->getFactor();

	$impl->renderValidateFactorForm(
	$factor,
	$form,
	$viewer,
	$result);

	$answered_challenge = $result->getAnsweredChallenge();
	if ($answered_challenge) {
	$answered[] = $answered_challenge;
	}
	}

	$form->appendRemarkupInstructions('');

	if ($answered) {
	$http_params = PhabricatorAuthChallenge::newHTTPParametersFromChallenges(
	$answered);
	foreach ($http_params as $key => $value) {
	$form->addHiddenInput($key, $value);
	}
	}

	return $form;
	}


	/**
	* Strip the high security flag from a session.
	*
	* Kicks a session out of high security and logs the exit.
	*
	* @param PhabricatorUser Acting user.
	* @param PhabricatorAuthSession Session to return to normal security.
	* @return void
	* @task hisec
	*/
	public function exitHighSecurity(
	PhabricatorUser $viewer,
	PhabricatorAuthSession $session) {

	if (!$session->getHighSecurityUntil()) {
	return;
	}

	queryfx(
	$session->establishConnection('w'),
	'UPDATE %T SET highSecurityUntil = NULL WHERE id = %d',
	$session->getTableName(),
	$session->getID());

	$log = PhabricatorUserLog::initializeNewLog(
	$viewer,
	$viewer->getPHID(),
	PhabricatorUserLog::ACTION_EXIT_HISEC);
	$log->save();
	}


	/* -( Partial Sessions )--------------------------------------------------- */


	/**
	* Upgrade a partial session to a full session.
	*
	* @param PhabricatorAuthSession Session to upgrade.
	* @return void
	* @task partial
	*/
	public function upgradePartialSession(PhabricatorUser $viewer) {

	if (!$viewer->hasSession()) {
	throw new Exception(
	pht('Upgrading partial session of user with no session!'));
	}

	$session = $viewer->getSession();

	if (!$session->getIsPartial()) {
	throw new Exception(pht('Session is not partial!'));
	}

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	$session->setIsPartial(0);

	queryfx(
	$session->establishConnection('w'),
	'UPDATE %T SET isPartial = %d WHERE id = %d',
	$session->getTableName(),
	0,
	$session->getID());

	$log = PhabricatorUserLog::initializeNewLog(
	$viewer,
	$viewer->getPHID(),
	PhabricatorUserLog::ACTION_LOGIN_FULL);
	$log->save();
	unset($unguarded);
	}


	/* -( Legalpad Documents )-------------------------------------------------- */


	/**
	* Upgrade a session to have all legalpad documents signed.
	*
	* @param PhabricatorUser User whose session should upgrade.
	* @param array LegalpadDocument objects
	* @return void
	* @task partial
	*/
	public function signLegalpadDocuments(PhabricatorUser $viewer, array $docs) {

	if (!$viewer->hasSession()) {
	throw new Exception(
	pht('Signing session legalpad documents of user with no session!'));
	}

	$session = $viewer->getSession();

	if ($session->getSignedLegalpadDocuments()) {
	throw new Exception(pht(
	'Session has already signed required legalpad documents!'));
	}

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	$session->setSignedLegalpadDocuments(1);

	queryfx(
	$session->establishConnection('w'),
	'UPDATE %T SET signedLegalpadDocuments = %d WHERE id = %d',
	$session->getTableName(),
	1,
	$session->getID());

	if (!empty($docs)) {
	$log = PhabricatorUserLog::initializeNewLog(
	$viewer,
	$viewer->getPHID(),
	PhabricatorUserLog::ACTION_LOGIN_LEGALPAD);
	$log->save();
	}
	unset($unguarded);
	}


	/* -( One Time Login URIs )------------------------------------------------ */


	/**
	* Retrieve a temporary, one-time URI which can log in to an account.
	*
	* These URIs are used for password recovery and to regain access to accounts
	* which users have been locked out of.
	*
	* @param PhabricatorUser User to generate a URI for.
	* @param PhabricatorUserEmail Optionally, email to verify when
	* link is used.
	* @param string Optional context string for the URI. This is purely cosmetic
	* and used only to customize workflow and error messages.
	* @param bool True to generate a URI which forces an immediate upgrade to
	* a full session, bypassing MFA and other login checks.
	* @return string Login URI.
	* @task onetime
	*/
	public function getOneTimeLoginURI(
	PhabricatorUser $user,
	PhabricatorUserEmail $email = null,
	$type = self::ONETIME_RESET,
	$force_full_session = false) {

	$key = Filesystem::readRandomCharacters(32);
	$key_hash = $this->getOneTimeLoginKeyHash($user, $email, $key);
	$onetime_type = PhabricatorAuthOneTimeLoginTemporaryTokenType::TOKENTYPE;

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	$token = id(new PhabricatorAuthTemporaryToken())
	->setTokenResource($user->getPHID())
	->setTokenType($onetime_type)
	->setTokenExpires(time() + phutil_units('1 day in seconds'))
	->setTokenCode($key_hash)
	->setShouldForceFullSession($force_full_session)
	->save();
	unset($unguarded);

	$uri = '/login/once/'.$type.'/'.$user->getID().'/'.$key.'/';
	if ($email) {
	$uri = $uri.$email->getID().'/';
	}

	try {
	$uri = PhabricatorEnv::getProductionURI($uri);
	} catch (Exception $ex) {
	// If a user runs `bin/auth recover` before configuring the base URI,
	// just show the path. We don't have any way to figure out the domain.
	// See T4132.
	}

	return $uri;
	}


	/**
	* Load the temporary token associated with a given one-time login key.
	*
	* @param PhabricatorUser User to load the token for.
	* @param PhabricatorUserEmail Optionally, email to verify when
	* link is used.
	* @param string Key user is presenting as a valid one-time login key.
	* @return PhabricatorAuthTemporaryToken\|null Token, if one exists.
	* @task onetime
	*/
	public function loadOneTimeLoginKey(
	PhabricatorUser $user,
	PhabricatorUserEmail $email = null,
	$key = null) {

	$key_hash = $this->getOneTimeLoginKeyHash($user, $email, $key);
	$onetime_type = PhabricatorAuthOneTimeLoginTemporaryTokenType::TOKENTYPE;

	return id(new PhabricatorAuthTemporaryTokenQuery())
	->setViewer($user)
	->withTokenResources(array($user->getPHID()))
	->withTokenTypes(array($onetime_type))
	->withTokenCodes(array($key_hash))
	->withExpired(false)
	->executeOne();
	}


	/**
	* Hash a one-time login key for storage as a temporary token.
	*
	* @param PhabricatorUser User this key is for.
	* @param PhabricatorUserEmail Optionally, email to verify when
	* link is used.
	* @param string The one time login key.
	* @return string Hash of the key.
	* task onetime
	*/
	private function getOneTimeLoginKeyHash(
	PhabricatorUser $user,
	PhabricatorUserEmail $email = null,
	$key = null) {

	$parts = array(
	$key,
	$user->getAccountSecret(),
	);

	if ($email) {
	$parts[] = $email->getVerificationCode();
	}

	return PhabricatorHash::weakDigest(implode(':', $parts));
	}


	/* -( User Cache )--------------------------------------------------------- */


	/**
	* @task cache
	*/
	private function getUserCacheQueryParts(AphrontDatabaseConnection $conn) {
	$cache_selects = array();
	$cache_joins = array();
	$cache_map = array();

	$keys = array();
	$types_map = array();

	$cache_types = PhabricatorUserCacheType::getAllCacheTypes();
	foreach ($cache_types as $cache_type) {
	foreach ($cache_type->getAutoloadKeys() as $autoload_key) {
	$keys[] = $autoload_key;
	$types_map[$autoload_key] = $cache_type;
	}
	}

	$cache_table = id(new PhabricatorUserCache())->getTableName();

	$cache_idx = 1;
	foreach ($keys as $key) {
	$join_as = 'ucache_'.$cache_idx;
	$select_as = 'ucache_'.$cache_idx.'_v';

	$cache_selects[] = qsprintf(
	$conn,
	'%T.cacheData %T',
	$join_as,
	$select_as);

	$cache_joins[] = qsprintf(
	$conn,
	'LEFT JOIN %T AS %T ON u.phid = %T.userPHID
	AND %T.cacheIndex = %s',
	$cache_table,
	$join_as,
	$join_as,
	$join_as,
	PhabricatorHash::digestForIndex($key));

	$cache_map[$select_as] = $key;

	$cache_idx++;
	}

	if ($cache_selects) {
	$cache_selects = qsprintf($conn, ', %LQ', $cache_selects);
	} else {
	$cache_selects = qsprintf($conn, '');
	}

	if ($cache_joins) {
	$cache_joins = qsprintf($conn, '%LJ', $cache_joins);
	} else {
	$cache_joins = qsprintf($conn, '');
	}

	return array($cache_selects, $cache_joins, $cache_map, $types_map);
	}

	private function filterRawCacheData(
	PhabricatorUser $user,
	array $types_map,
	array $cache_raw) {

	foreach ($cache_raw as $cache_key => $cache_data) {
	$type = $types_map[$cache_key];
	if ($type->shouldValidateRawCacheData()) {
	if (!$type->isRawCacheDataValid($user, $cache_key, $cache_data)) {
	unset($cache_raw[$cache_key]);
	}
	}
	}

	return $cache_raw;
	}

	public function willServeRequestForUser(PhabricatorUser $user) {
	// We allow the login user to generate any missing cache data inline.
	$user->setAllowInlineCacheGeneration(true);

	// Switch to the user's translation.
	PhabricatorEnv::setLocaleCode($user->getTranslation());

	$extensions = PhabricatorAuthSessionEngineExtension::getAllExtensions();
	foreach ($extensions as $extension) {
	$extension->willServeRequestForUser($user);
	}
	}

	private function extendSession(PhabricatorAuthSession $session) {
	$is_partial = $session->getIsPartial();

	// Don't extend partial sessions. You have a relatively short window to
	// upgrade into a full session, and your session expires otherwise.
	if ($is_partial) {
	return;
	}

	$session_type = $session->getType();

	$ttl = PhabricatorAuthSession::getSessionTypeTTL(
	$session_type,
	$session->getIsPartial());

	// If more than 20% of the time on this session has been used, refresh the
	// TTL back up to the full duration. The idea here is that sessions are
	// good forever if used regularly, but get GC'd when they fall out of use.

	$now = PhabricatorTime::getNow();
	if ($now + (0.80 * $ttl) <= $session->getSessionExpires()) {
	return;
	}

	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
	queryfx(
	$session->establishConnection('w'),
	'UPDATE %R SET sessionExpires = UNIX_TIMESTAMP() + %d
	WHERE id = %d',
	$session,
	$ttl,
	$session->getID());
	unset($unguarded);
	}


	}
	diff --git a/src/applications/auth/factor/PhabricatorAuthFactor.php b/src/applications/auth/factor/PhabricatorAuthFactor.php
	index d7e6e60ecc..fefd9b5fd1 100644
	--- a/src/applications/auth/factor/PhabricatorAuthFactor.php
	+++ b/src/applications/auth/factor/PhabricatorAuthFactor.php
	@@ -1,592 +1,626 @@
	<?php

	abstract class PhabricatorAuthFactor extends Phobject {

	abstract public function getFactorName();
	abstract public function getFactorShortName();
	abstract public function getFactorKey();
	abstract public function getFactorCreateHelp();
	abstract public function getFactorDescription();
	abstract public function processAddFactorForm(
	PhabricatorAuthFactorProvider $provider,
	AphrontFormView $form,
	AphrontRequest $request,
	PhabricatorUser $user);

	abstract public function renderValidateFactorForm(
	PhabricatorAuthFactorConfig $config,
	AphrontFormView $form,
	PhabricatorUser $viewer,
	PhabricatorAuthFactorResult $validation_result);

	public function getParameterName(
	PhabricatorAuthFactorConfig $config,
	$name) {
	return 'authfactor.'.$config->getID().'.'.$name;
	}

	public static function getAllFactors() {
	return id(new PhutilClassMapQuery())
	->setAncestorClass(__CLASS__)
	->setUniqueMethod('getFactorKey')
	->execute();
	}

	protected function newConfigForUser(PhabricatorUser $user) {
	return id(new PhabricatorAuthFactorConfig())
	->setUserPHID($user->getPHID())
	->setFactorSecret('');
	}

	protected function newResult() {
	return new PhabricatorAuthFactorResult();
	}

	public function newIconView() {
	return id(new PHUIIconView())
	->setIcon('fa-mobile');
	}

	public function canCreateNewProvider() {
	return true;
	}

	public function getProviderCreateDescription() {
	return null;
	}

	public function canCreateNewConfiguration(
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $user) {
	return true;
	}

	public function getConfigurationCreateDescription(
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $user) {
	return null;
	}

	public function getConfigurationListDetails(
	PhabricatorAuthFactorConfig $config,
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $viewer) {
	return null;
	}

	public function newEditEngineFields(
	PhabricatorEditEngine $engine,
	PhabricatorAuthFactorProvider $provider) {
	return array();
	}

	public function newChallengeStatusView(
	PhabricatorAuthFactorConfig $config,
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $viewer,
	PhabricatorAuthChallenge $challenge) {
	return null;
	}

	/**
	* Is this a factor which depends on the user's contact number?
	*
	* If a user has a "contact number" factor configured, they can not modify
	* or switch their primary contact number.
	*
	* @return bool True if this factor should lock contact numbers.
	*/
	public function isContactNumberFactor() {
	return false;
	}

	abstract public function getEnrollDescription(
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $user);

	public function getEnrollButtonText(
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $user) {
	return pht('Continue');
	}

	public function getFactorOrder() {
	return 1000;
	}

	final public function newSortVector() {
	return id(new PhutilSortVector())
	->addInt($this->canCreateNewProvider() ? 0 : 1)
	->addInt($this->getFactorOrder())
	->addString($this->getFactorName());
	}

	protected function newChallenge(
	PhabricatorAuthFactorConfig $config,
	PhabricatorUser $viewer) {

	$engine = $config->getSessionEngine();

	return PhabricatorAuthChallenge::initializeNewChallenge()
	->setUserPHID($viewer->getPHID())
	->setSessionPHID($viewer->getSession()->getPHID())
	->setFactorPHID($config->getPHID())
	->setIsNewChallenge(true)
	->setWorkflowKey($engine->getWorkflowKey());
	}

	abstract public function getRequestHasChallengeResponse(
	PhabricatorAuthFactorConfig $config,
	AphrontRequest $response);

	final public function getNewIssuedChallenges(
	PhabricatorAuthFactorConfig $config,
	PhabricatorUser $viewer,
	array $challenges) {
	assert_instances_of($challenges, 'PhabricatorAuthChallenge');

	$now = PhabricatorTime::getNow();

	// Factor implementations may need to perform writes in order to issue
	// challenges, particularly push factors like SMS.
	$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();

	$new_challenges = $this->newIssuedChallenges(
	$config,
	$viewer,
	$challenges);

	if ($this->isAuthResult($new_challenges)) {
	unset($unguarded);
	return $new_challenges;
	}

	assert_instances_of($new_challenges, 'PhabricatorAuthChallenge');

	foreach ($new_challenges as $new_challenge) {
	$ttl = $new_challenge->getChallengeTTL();
	if (!$ttl) {
	throw new Exception(
	pht('Newly issued MFA challenges must have a valid TTL!'));
	}

	if ($ttl < $now) {
	throw new Exception(
	pht(
	'Newly issued MFA challenges must have a future TTL. This '.
	'factor issued a bad TTL ("%s"). (Did you use a relative '.
	'time instead of an epoch?)',
	$ttl));
	}
	}

	foreach ($new_challenges as $challenge) {
	$challenge->save();
	}

	unset($unguarded);

	return $new_challenges;
	}

	abstract protected function newIssuedChallenges(
	PhabricatorAuthFactorConfig $config,
	PhabricatorUser $viewer,
	array $challenges);

	final public function getResultFromIssuedChallenges(
	PhabricatorAuthFactorConfig $config,
	PhabricatorUser $viewer,
	array $challenges) {
	assert_instances_of($challenges, 'PhabricatorAuthChallenge');

	$result = $this->newResultFromIssuedChallenges(
	$config,
	$viewer,
	$challenges);

	if ($result === null) {
	return $result;
	}

	if (!$this->isAuthResult($result)) {
	throw new Exception(
	pht(
	'Expected "newResultFromIssuedChallenges()" to return null or '.
	'an object of class "%s"; got something else (in "%s").',
	'PhabricatorAuthFactorResult',
	get_class($this)));
	}

	return $result;
	}

	+ final public function getResultForPrompt(
	+ PhabricatorAuthFactorConfig $config,
	+ PhabricatorUser $viewer,
	+ AphrontRequest $request,
	+ array $challenges) {
	+ assert_instances_of($challenges, 'PhabricatorAuthChallenge');
	+
	+ $result = $this->newResultForPrompt(
	+ $config,
	+ $viewer,
	+ $request,
	+ $challenges);
	+
	+ if (!$this->isAuthResult($result)) {
	+ throw new Exception(
	+ pht(
	+ 'Expected "newResultForPrompt()" to return an object of class "%s", '.
	+ 'but it returned something else ("%s"; in "%s").',
	+ 'PhabricatorAuthFactorResult',
	+ phutil_describe_type($result),
	+ get_class($this)));
	+ }
	+
	+ return $result;
	+ }
	+
	+ protected function newResultForPrompt(
	+ PhabricatorAuthFactorConfig $config,
	+ PhabricatorUser $viewer,
	+ AphrontRequest $request,
	+ array $challenges) {
	+ return $this->newResult();
	+ }
	+
	abstract protected function newResultFromIssuedChallenges(
	PhabricatorAuthFactorConfig $config,
	PhabricatorUser $viewer,
	array $challenges);

	final public function getResultFromChallengeResponse(
	PhabricatorAuthFactorConfig $config,
	PhabricatorUser $viewer,
	AphrontRequest $request,
	array $challenges) {
	assert_instances_of($challenges, 'PhabricatorAuthChallenge');

	$result = $this->newResultFromChallengeResponse(
	$config,
	$viewer,
	$request,
	$challenges);

	if (!$this->isAuthResult($result)) {
	throw new Exception(
	pht(
	'Expected "newResultFromChallengeResponse()" to return an object '.
	'of class "%s"; got something else (in "%s").',
	'PhabricatorAuthFactorResult',
	get_class($this)));
	}

	return $result;
	}

	abstract protected function newResultFromChallengeResponse(
	PhabricatorAuthFactorConfig $config,
	PhabricatorUser $viewer,
	AphrontRequest $request,
	array $challenges);

	final protected function newAutomaticControl(
	PhabricatorAuthFactorResult $result) {

	$is_error = $result->getIsError();
	if ($is_error) {
	return $this->newErrorControl($result);
	}

	$is_continue = $result->getIsContinue();
	if ($is_continue) {
	return $this->newContinueControl($result);
	}

	$is_answered = (bool)$result->getAnsweredChallenge();
	if ($is_answered) {
	return $this->newAnsweredControl($result);
	}

	$is_wait = $result->getIsWait();
	if ($is_wait) {
	return $this->newWaitControl($result);
	}

	return null;
	}

	private function newWaitControl(
	PhabricatorAuthFactorResult $result) {

	$error = $result->getErrorMessage();

	$icon = $result->getIcon();
	if (!$icon) {
	$icon = id(new PHUIIconView())
	->setIcon('fa-clock-o', 'red');
	}

	return id(new PHUIFormTimerControl())
	->setIcon($icon)
	->appendChild($error)
	->setError(pht('Wait'));
	}

	private function newAnsweredControl(
	PhabricatorAuthFactorResult $result) {

	$icon = $result->getIcon();
	if (!$icon) {
	$icon = id(new PHUIIconView())
	->setIcon('fa-check-circle-o', 'green');
	}

	return id(new PHUIFormTimerControl())
	->setIcon($icon)
	->appendChild(
	pht('You responded to this challenge correctly.'));
	}

	private function newErrorControl(
	PhabricatorAuthFactorResult $result) {

	$error = $result->getErrorMessage();

	$icon = $result->getIcon();
	if (!$icon) {
	$icon = id(new PHUIIconView())
	->setIcon('fa-times', 'red');
	}

	return id(new PHUIFormTimerControl())
	->setIcon($icon)
	->appendChild($error)
	->setError(pht('Error'));
	}

	private function newContinueControl(
	PhabricatorAuthFactorResult $result) {

	$error = $result->getErrorMessage();

	$icon = $result->getIcon();
	if (!$icon) {
	$icon = id(new PHUIIconView())
	->setIcon('fa-commenting', 'green');
	}

	$control = id(new PHUIFormTimerControl())
	->setIcon($icon)
	->appendChild($error);

	$status_challenge = $result->getStatusChallenge();
	if ($status_challenge) {
	$id = $status_challenge->getID();
	$uri = "/auth/mfa/challenge/status/{$id}/";
	$control->setUpdateURI($uri);
	}

	return $control;
	}



	/* -( Synchronizing New Factors )------------------------------------------ */


	final protected function loadMFASyncToken(
	PhabricatorAuthFactorProvider $provider,
	AphrontRequest $request,
	AphrontFormView $form,
	PhabricatorUser $user) {

	// If the form included a synchronization key, load the corresponding
	// token. The user must synchronize to a key we generated because this
	// raises the barrier to theoretical attacks where an attacker might
	// provide a known key for factors like TOTP.

	// (We store and verify the hash of the key, not the key itself, to limit
	// how useful the data in the table is to an attacker.)

	$sync_type = PhabricatorAuthMFASyncTemporaryTokenType::TOKENTYPE;
	$sync_token = null;

	$sync_key = $request->getStr($this->getMFASyncTokenFormKey());
	if (strlen($sync_key)) {
	$sync_key_digest = PhabricatorHash::digestWithNamedKey(
	$sync_key,
	PhabricatorAuthMFASyncTemporaryTokenType::DIGEST_KEY);

	$sync_token = id(new PhabricatorAuthTemporaryTokenQuery())
	->setViewer($user)
	->withTokenResources(array($user->getPHID()))
	->withTokenTypes(array($sync_type))
	->withExpired(false)
	->withTokenCodes(array($sync_key_digest))
	->executeOne();
	}

	if (!$sync_token) {

	// Don't generate a new sync token if there are too many outstanding
	// tokens already. This is mostly relevant for push factors like SMS,
	// where generating a token has the side effect of sending a user a
	// message.

	$outstanding_limit = 10;
	$outstanding_tokens = id(new PhabricatorAuthTemporaryTokenQuery())
	->setViewer($user)
	->withTokenResources(array($user->getPHID()))
	->withTokenTypes(array($sync_type))
	->withExpired(false)
	->execute();
	if (count($outstanding_tokens) > $outstanding_limit) {
	throw new Exception(
	pht(
	'Your account has too many outstanding, incomplete MFA '.
	'synchronization attempts. Wait an hour and try again.'));
	}

	$now = PhabricatorTime::getNow();

	$sync_key = Filesystem::readRandomCharacters(32);
	$sync_key_digest = PhabricatorHash::digestWithNamedKey(
	$sync_key,
	PhabricatorAuthMFASyncTemporaryTokenType::DIGEST_KEY);
	$sync_ttl = $this->getMFASyncTokenTTL();

	$sync_token = id(new PhabricatorAuthTemporaryToken())
	->setIsNewTemporaryToken(true)
	->setTokenResource($user->getPHID())
	->setTokenType($sync_type)
	->setTokenCode($sync_key_digest)
	->setTokenExpires($now + $sync_ttl);

	$properties = $this->newMFASyncTokenProperties(
	$provider,
	$user);

	if ($this->isAuthResult($properties)) {
	return $properties;
	}

	foreach ($properties as $key => $value) {
	$sync_token->setTemporaryTokenProperty($key, $value);
	}

	$sync_token->save();
	}

	$form->addHiddenInput($this->getMFASyncTokenFormKey(), $sync_key);

	return $sync_token;
	}

	protected function newMFASyncTokenProperties(
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $user) {
	return array();
	}

	private function getMFASyncTokenFormKey() {
	return 'sync.key';
	}

	private function getMFASyncTokenTTL() {
	return phutil_units('1 hour in seconds');
	}

	final protected function getChallengeForCurrentContext(
	PhabricatorAuthFactorConfig $config,
	PhabricatorUser $viewer,
	array $challenges) {

	$session_phid = $viewer->getSession()->getPHID();
	$engine = $config->getSessionEngine();
	$workflow_key = $engine->getWorkflowKey();

	foreach ($challenges as $challenge) {
	if ($challenge->getSessionPHID() !== $session_phid) {
	continue;
	}

	if ($challenge->getWorkflowKey() !== $workflow_key) {
	continue;
	}

	if ($challenge->getIsCompleted()) {
	continue;
	}

	if ($challenge->getIsReusedChallenge()) {
	continue;
	}

	return $challenge;
	}

	return null;
	}


	/**
	* @phutil-external-symbol class QRcode
	*/
	final protected function newQRCode($uri) {
	$root = dirname(phutil_get_library_root('phabricator'));
	require_once $root.'/externals/phpqrcode/phpqrcode.php';

	$lines = QRcode::text($uri);

	$total_width = 240;
	$cell_size = floor($total_width / count($lines));

	$rows = array();
	foreach ($lines as $line) {
	$cells = array();
	for ($ii = 0; $ii < strlen($line); $ii++) {
	if ($line[$ii] == '1') {
	$color = '#000';
	} else {
	$color = '#fff';
	}

	$cells[] = phutil_tag(
	'td',
	array(
	'width' => $cell_size,
	'height' => $cell_size,
	'style' => 'background: '.$color,
	),
	'');
	}
	$rows[] = phutil_tag('tr', array(), $cells);
	}

	return phutil_tag(
	'table',
	array(
	'style' => 'margin: 24px auto;',
	),
	$rows);
	}

	final protected function getInstallDisplayName() {
	$uri = PhabricatorEnv::getURI('/');
	$uri = new PhutilURI($uri);
	return $uri->getDomain();
	}

	final protected function getChallengeResponseParameterName(
	PhabricatorAuthFactorConfig $config) {
	return $this->getParameterName($config, 'mfa.response');
	}

	final protected function getChallengeResponseFromRequest(
	PhabricatorAuthFactorConfig $config,
	AphrontRequest $request) {

	$name = $this->getChallengeResponseParameterName($config);

	$value = $request->getStr($name);
	$value = (string)$value;
	$value = trim($value);

	return $value;
	}

	final protected function hasCSRF(PhabricatorAuthFactorConfig $config) {
	$engine = $config->getSessionEngine();
	$request = $engine->getRequest();

	if (!$request->isHTTPPost()) {
	return false;
	}

	return $request->validateCSRF();
	}

	final protected function loadConfigurationsForProvider(
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $user) {

	return id(new PhabricatorAuthFactorConfigQuery())
	->setViewer($user)
	->withUserPHIDs(array($user->getPHID()))
	->withFactorProviderPHIDs(array($provider->getPHID()))
	->execute();
	}

	final protected function isAuthResult($object) {
	return ($object instanceof PhabricatorAuthFactorResult);
	}

	}
	diff --git a/src/applications/auth/factor/PhabricatorDuoAuthFactor.php b/src/applications/auth/factor/PhabricatorDuoAuthFactor.php
	index 66bd7c9ebd..a84337a764 100644
	--- a/src/applications/auth/factor/PhabricatorDuoAuthFactor.php
	+++ b/src/applications/auth/factor/PhabricatorDuoAuthFactor.php
	@@ -1,854 +1,867 @@
	<?php

	final class PhabricatorDuoAuthFactor
	extends PhabricatorAuthFactor {

	const PROP_CREDENTIAL = 'duo.credentialPHID';
	const PROP_ENROLL = 'duo.enroll';
	const PROP_USERNAMES = 'duo.usernames';
	const PROP_HOSTNAME = 'duo.hostname';

	public function getFactorKey() {
	return 'duo';
	}

	public function getFactorName() {
	return pht('Duo Security');
	}

	public function getFactorShortName() {
	return pht('Duo');
	}

	public function getFactorCreateHelp() {
	return pht('Support for Duo push authentication.');
	}

	public function getFactorDescription() {
	return pht(
	'When you need to authenticate, a request will be pushed to the '.
	'Duo application on your phone.');
	}

	public function getEnrollDescription(
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $user) {
	return pht(
	'To add a Duo factor, first download and install the Duo application '.
	'on your phone. Once you have launched the application and are ready '.
	'to perform setup, click continue.');
	}

	public function canCreateNewConfiguration(
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $user) {

	if ($this->loadConfigurationsForProvider($provider, $user)) {
	return false;
	}

	return true;
	}

	public function getConfigurationCreateDescription(
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $user) {

	$messages = array();

	if ($this->loadConfigurationsForProvider($provider, $user)) {
	$messages[] = id(new PHUIInfoView())
	->setSeverity(PHUIInfoView::SEVERITY_WARNING)
	->setErrors(
	array(
	pht(
	'You already have Duo authentication attached to your account '.
	'for this provider.'),
	));
	}

	return $messages;
	}

	public function getConfigurationListDetails(
	PhabricatorAuthFactorConfig $config,
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $viewer) {

	$duo_user = $config->getAuthFactorConfigProperty('duo.username');

	return pht('Duo Username: %s', $duo_user);
	}


	public function newEditEngineFields(
	PhabricatorEditEngine $engine,
	PhabricatorAuthFactorProvider $provider) {

	$viewer = $engine->getViewer();

	$credential_phid = $provider->getAuthFactorProviderProperty(
	self::PROP_CREDENTIAL);

	$hostname = $provider->getAuthFactorProviderProperty(self::PROP_HOSTNAME);
	$usernames = $provider->getAuthFactorProviderProperty(self::PROP_USERNAMES);
	$enroll = $provider->getAuthFactorProviderProperty(self::PROP_ENROLL);

	$credential_type = PassphrasePasswordCredentialType::CREDENTIAL_TYPE;
	$provides_type = PassphrasePasswordCredentialType::PROVIDES_TYPE;

	$credentials = id(new PassphraseCredentialQuery())
	->setViewer($viewer)
	->withIsDestroyed(false)
	->withProvidesTypes(array($provides_type))
	->execute();

	$xaction_hostname =
	PhabricatorAuthFactorProviderDuoHostnameTransaction::TRANSACTIONTYPE;
	$xaction_credential =
	PhabricatorAuthFactorProviderDuoCredentialTransaction::TRANSACTIONTYPE;
	$xaction_usernames =
	PhabricatorAuthFactorProviderDuoUsernamesTransaction::TRANSACTIONTYPE;
	$xaction_enroll =
	PhabricatorAuthFactorProviderDuoEnrollTransaction::TRANSACTIONTYPE;

	return array(
	id(new PhabricatorTextEditField())
	->setLabel(pht('Duo API Hostname'))
	->setKey('duo.hostname')
	->setValue($hostname)
	->setTransactionType($xaction_hostname)
	->setIsRequired(true),
	id(new PhabricatorCredentialEditField())
	->setLabel(pht('Duo API Credential'))
	->setKey('duo.credential')
	->setValue($credential_phid)
	->setTransactionType($xaction_credential)
	->setCredentialType($credential_type)
	->setCredentials($credentials),
	id(new PhabricatorSelectEditField())
	->setLabel(pht('Duo Username'))
	->setKey('duo.usernames')
	->setValue($usernames)
	->setTransactionType($xaction_usernames)
	->setOptions(
	array(
	'username' => pht('Use Phabricator Username'),
	'email' => pht('Use Primary Email Address'),
	)),
	id(new PhabricatorSelectEditField())
	->setLabel(pht('Create Accounts'))
	->setKey('duo.enroll')
	->setValue($enroll)
	->setTransactionType($xaction_enroll)
	->setOptions(
	array(
	'deny' => pht('Require Existing Duo Account'),
	'allow' => pht('Create New Duo Account'),
	)),
	);
	}


	public function processAddFactorForm(
	PhabricatorAuthFactorProvider $provider,
	AphrontFormView $form,
	AphrontRequest $request,
	PhabricatorUser $user) {

	$token = $this->loadMFASyncToken($provider, $request, $form, $user);
	if ($this->isAuthResult($token)) {
	$form->appendChild($this->newAutomaticControl($token));
	return;
	}

	$enroll = $token->getTemporaryTokenProperty('duo.enroll');
	$duo_id = $token->getTemporaryTokenProperty('duo.user-id');
	$duo_uri = $token->getTemporaryTokenProperty('duo.uri');
	$duo_user = $token->getTemporaryTokenProperty('duo.username');

	$is_external = ($enroll === 'external');
	$is_auto = ($enroll === 'auto');
	$is_blocked = ($enroll === 'blocked');

	if (!$token->getIsNewTemporaryToken()) {
	if ($is_auto) {
	return $this->newDuoConfig($user, $duo_user);
	} else if ($is_external \|\| $is_blocked) {
	$parameters = array(
	'username' => $duo_user,
	);

	$result = $this->newDuoFuture($provider)
	->setMethod('preauth', $parameters)
	->resolve();

	$result_code = $result['response']['result'];
	switch ($result_code) {
	case 'auth':
	case 'allow':
	return $this->newDuoConfig($user, $duo_user);
	case 'enroll':
	if ($is_blocked) {
	// We'll render an equivalent static control below, so skip
	// rendering here. We explicitly don't want to give the user
	// an enroll workflow.
	break;
	}

	$duo_uri = $result['response']['enroll_portal_url'];

	$waiting_icon = id(new PHUIIconView())
	->setIcon('fa-mobile', 'red');

	$waiting_control = id(new PHUIFormTimerControl())
	->setIcon($waiting_icon)
	->setError(pht('Not Complete'))
	->appendChild(
	pht(
	'You have not completed Duo enrollment yet. '.
	'Complete enrollment, then click continue.'));

	$form->appendControl($waiting_control);
	break;
	default:
	case 'deny':
	break;
	}
	} else {
	$parameters = array(
	'user_id' => $duo_id,
	'activation_code' => $duo_uri,
	);

	$future = $this->newDuoFuture($provider)
	->setMethod('enroll_status', $parameters);

	$result = $future->resolve();
	$response = $result['response'];

	switch ($response) {
	case 'success':
	return $this->newDuoConfig($user, $duo_user);
	case 'waiting':
	$waiting_icon = id(new PHUIIconView())
	->setIcon('fa-mobile', 'red');

	$waiting_control = id(new PHUIFormTimerControl())
	->setIcon($waiting_icon)
	->setError(pht('Not Complete'))
	->appendChild(
	pht(
	'You have not activated this enrollment in the Duo '.
	'application on your phone yet. Complete activation, then '.
	'click continue.'));

	$form->appendControl($waiting_control);
	break;
	case 'invalid':
	default:
	throw new Exception(
	pht(
	'This Duo enrollment attempt is invalid or has '.
	'expired ("%s"). Cancel the workflow and try again.',
	$response));
	}
	}
	}

	if ($is_blocked) {
	$blocked_icon = id(new PHUIIconView())
	->setIcon('fa-times', 'red');

	$blocked_control = id(new PHUIFormTimerControl())
	->setIcon($blocked_icon)
	->appendChild(
	pht(
	'Your Duo account ("%s") has not completed Duo enrollment. '.
	'Check your email and complete enrollment to continue.',
	phutil_tag('strong', array(), $duo_user)));

	$form->appendControl($blocked_control);
	} else if ($is_auto) {
	$auto_icon = id(new PHUIIconView())
	->setIcon('fa-check', 'green');

	$auto_control = id(new PHUIFormTimerControl())
	->setIcon($auto_icon)
	->appendChild(
	pht(
	'Duo account ("%s") is fully enrolled.',
	phutil_tag('strong', array(), $duo_user)));

	$form->appendControl($auto_control);
	} else {
	$duo_button = phutil_tag(
	'a',
	array(
	'href' => $duo_uri,
	'class' => 'button button-grey',
	'target' => ($is_external ? '_blank' : null),
	),
	pht('Enroll Duo Account: %s', $duo_user));

	$duo_button = phutil_tag(
	'div',
	array(
	'class' => 'mfa-form-enroll-button',
	),
	$duo_button);

	if ($is_external) {
	$form->appendRemarkupInstructions(
	pht(
	'Complete enrolling your phone with Duo:'));

	$form->appendControl(
	id(new AphrontFormMarkupControl())
	->setValue($duo_button));
	} else {

	$form->appendRemarkupInstructions(
	pht(
	'Scan this QR code with the Duo application on your mobile '.
	'phone:'));


	$qr_code = $this->newQRCode($duo_uri);
	$form->appendChild($qr_code);

	$form->appendRemarkupInstructions(
	pht(
	'If you are currently using your phone to view this page, '.
	'click this button to open the Duo application:'));

	$form->appendControl(
	id(new AphrontFormMarkupControl())
	->setValue($duo_button));
	}

	$form->appendRemarkupInstructions(
	pht(
	'Once you have completed setup on your phone, click continue.'));
	}
	}


	protected function newMFASyncTokenProperties(
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $user) {

	$duo_user = $this->getDuoUsername($provider, $user);

	// Duo automatically normalizes usernames to lowercase. Just do that here
	// so that our value agrees more closely with Duo.
	$duo_user = phutil_utf8_strtolower($duo_user);

	$parameters = array(
	'username' => $duo_user,
	);

	$result = $this->newDuoFuture($provider)
	->setMethod('preauth', $parameters)
	->resolve();

	$external_uri = null;
	$result_code = $result['response']['result'];
	$status_message = $result['response']['status_msg'];
	switch ($result_code) {
	case 'auth':
	case 'allow':
	// If the user already has a Duo account, they don't need to do
	// anything.
	return array(
	'duo.enroll' => 'auto',
	'duo.username' => $duo_user,
	);
	case 'enroll':
	if (!$this->shouldAllowDuoEnrollment($provider)) {
	return array(
	'duo.enroll' => 'blocked',
	'duo.username' => $duo_user,
	);
	}

	$external_uri = $result['response']['enroll_portal_url'];

	// Otherwise, enrollment is permitted so we're going to continue.
	break;
	default:
	case 'deny':
	return $this->newResult()
	->setIsError(true)
	->setErrorMessage(
	pht(
	'Your Duo account ("%s") is not permitted to access this '.
	'system. Contact your Duo administrator for help. '.
	'The Duo preauth API responded with status message ("%s"): %s',
	$duo_user,
	$result_code,
	$status_message));
	}

	// Duo's "/enroll" API isn't repeatable for the same username. If we're
	// the first call, great: we can do inline enrollment, which is way more
	// user friendly. Otherwise, we have to send the user on an adventure.

	$parameters = array(
	'username' => $duo_user,
	'valid_secs' => phutil_units('1 hour in seconds'),
	);

	try {
	$result = $this->newDuoFuture($provider)
	->setMethod('enroll', $parameters)
	->resolve();
	} catch (HTTPFutureHTTPResponseStatus $ex) {
	return array(
	'duo.enroll' => 'external',
	'duo.username' => $duo_user,
	'duo.uri' => $external_uri,
	);
	}

	return array(
	'duo.enroll' => 'inline',
	'duo.uri' => $result['response']['activation_code'],
	'duo.username' => $duo_user,
	'duo.user-id' => $result['response']['user_id'],
	);
	}

	protected function newIssuedChallenges(
	PhabricatorAuthFactorConfig $config,
	PhabricatorUser $viewer,
	array $challenges) {

	// If we already issued a valid challenge for this workflow and session,
	// don't issue a new one.

	$challenge = $this->getChallengeForCurrentContext(
	$config,
	$viewer,
	$challenges);
	if ($challenge) {
	return array();
	}

	if (!$this->hasCSRF($config)) {
	return $this->newResult()
	->setIsContinue(true)
	->setErrorMessage(
	pht(
	'An authorization request will be pushed to the Duo '.
	'application on your phone.'));
	}

	$provider = $config->getFactorProvider();

	// Otherwise, issue a new challenge.
	$duo_user = (string)$config->getAuthFactorConfigProperty('duo.username');

	$parameters = array(
	'username' => $duo_user,
	);

	$response = $this->newDuoFuture($provider)
	->setMethod('preauth', $parameters)
	->resolve();
	$response = $response['response'];

	$next_step = $response['result'];
	$status_message = $response['status_msg'];
	switch ($next_step) {
	case 'auth':
	// We're good to go.
	break;
	case 'allow':
	// Duo is telling us to bypass MFA. For now, refuse.
	return $this->newResult()
	->setIsError(true)
	->setErrorMessage(
	pht(
	'Duo is not requiring a challenge, which defeats the '.
	'purpose of MFA. Duo must be configured to challenge you.'));
	case 'enroll':
	return $this->newResult()
	->setIsError(true)
	->setErrorMessage(
	pht(
	'Your Duo account ("%s") requires enrollment. Contact your '.
	'Duo administrator for help. Duo status message: %s',
	$duo_user,
	$status_message));
	case 'deny':
	default:
	return $this->newResult()
	->setIsError(true)
	->setErrorMessage(
	pht(
	'Your Duo account ("%s") is not permitted to access this '.
	'system. Contact your Duo administrator for help. The Duo '.
	'preauth API responded with status message ("%s"): %s',
	$duo_user,
	$next_step,
	$status_message));
	}

	$has_push = false;
	$devices = $response['devices'];
	foreach ($devices as $device) {
	$capabilities = array_fuse($device['capabilities']);
	if (isset($capabilities['push'])) {
	$has_push = true;
	break;
	}
	}

	if (!$has_push) {
	return $this->newResult()
	->setIsError(true)
	->setErrorMessage(
	pht(
	'This factor has been removed from your device, so Phabricator '.
	'can not send you a challenge. To continue, an administrator '.
	'must strip this factor from your account.'));
	}

	$push_info = array(
	pht('Domain') => $this->getInstallDisplayName(),
	);
	$push_info = phutil_build_http_querystring($push_info);

	$parameters = array(
	'username' => $duo_user,
	'factor' => 'push',
	'async' => '1',

	// Duo allows us to specify a device, or to pass "auto" to have it pick
	// the first one. For now, just let it pick.
	'device' => 'auto',

	// This is a hard-coded prefix for the word "... request" in the Duo UI,
	// which defaults to "Login". We could pass richer information from
	// workflows here, but it's not very flexible anyway.
	'type' => 'Authentication',

	'display_username' => $viewer->getUsername(),
	'pushinfo' => $push_info,
	);

	$result = $this->newDuoFuture($provider)
	->setMethod('auth', $parameters)
	->resolve();

	$duo_xaction = $result['response']['txid'];

	// The Duo push timeout is 60 seconds. Set our challenge to expire slightly
	// more quickly so that we'll re-issue a new challenge before Duo times out.
	// This should keep users away from a dead-end where they can't respond to
	// Duo but Phabricator won't issue a new challenge yet.
	$ttl_seconds = 55;

	return array(
	$this->newChallenge($config, $viewer)
	->setChallengeKey($duo_xaction)
	->setChallengeTTL(PhabricatorTime::getNow() + $ttl_seconds),
	);
	}

	protected function newResultFromIssuedChallenges(
	PhabricatorAuthFactorConfig $config,
	PhabricatorUser $viewer,
	array $challenges) {

	$challenge = $this->getChallengeForCurrentContext(
	$config,
	$viewer,
	$challenges);

	if ($challenge->getIsAnsweredChallenge()) {
	return $this->newResult()
	->setAnsweredChallenge($challenge);
	}

	$provider = $config->getFactorProvider();
	$duo_xaction = $challenge->getChallengeKey();

	$parameters = array(
	'txid' => $duo_xaction,
	);

	// This endpoint always long-polls, so use a timeout to force it to act
	// more asynchronously.
	try {
	$result = $this->newDuoFuture($provider)
	->setHTTPMethod('GET')
	->setMethod('auth_status', $parameters)
	->setTimeout(3)
	->resolve();

	$state = $result['response']['result'];
	$status = $result['response']['status'];
	} catch (HTTPFutureCURLResponseStatus $exception) {
	if ($exception->isTimeout()) {
	$state = 'waiting';
	$status = 'poll';
	} else {
	throw $exception;
	}
	}

	$now = PhabricatorTime::getNow();

	switch ($state) {
	case 'allow':
	$ttl = PhabricatorTime::getNow()
	+ phutil_units('15 minutes in seconds');

	$challenge
	->markChallengeAsAnswered($ttl);

	return $this->newResult()
	->setAnsweredChallenge($challenge);
	case 'waiting':
	// If we didn't just issue this challenge, give the user a stronger
	// hint that they need to follow the instructions.
	if (!$challenge->getIsNewChallenge()) {
	return $this->newResult()
	->setIsContinue(true)
	->setIcon(
	id(new PHUIIconView())
	->setIcon('fa-exclamation-triangle', 'yellow'))
	->setErrorMessage(
	pht(
	'You must approve the challenge which was sent to your '.
	'phone. Open the Duo application and confirm the challenge, '.
	'then continue.'));
	}

	// Otherwise, we'll construct a default message later on.
	break;
	default:
	case 'deny':
	if ($status === 'timeout') {
	return $this->newResult()
	->setIsError(true)
	->setErrorMessage(
	pht(
	'This request has timed out because you took too long to '.
	'respond.'));
	} else {
	$wait_duration = ($challenge->getChallengeTTL() - $now) + 1;

	return $this->newResult()
	->setIsWait(true)
	->setErrorMessage(
	pht(
	'You denied this request. Wait %s second(s) to try again.',
	new PhutilNumber($wait_duration)));
	}
	break;
	}

	return null;
	}

	public function renderValidateFactorForm(
	PhabricatorAuthFactorConfig $config,
	AphrontFormView $form,
	PhabricatorUser $viewer,
	PhabricatorAuthFactorResult $result) {

	$control = $this->newAutomaticControl($result);

	$control
	->setLabel(pht('Duo'))
	->setCaption(pht('Factor Name: %s', $config->getFactorName()));

	$form->appendChild($control);
	}

	public function getRequestHasChallengeResponse(
	PhabricatorAuthFactorConfig $config,
	AphrontRequest $request) {
	return false;
	}

	protected function newResultFromChallengeResponse(
	PhabricatorAuthFactorConfig $config,
	PhabricatorUser $viewer,
	AphrontRequest $request,
	array $challenges) {

	+ return $this->getResultForPrompt(
	+ $config,
	+ $viewer,
	+ $request,
	+ $challenges);
	+ }
	+
	+ protected function newResultForPrompt(
	+ PhabricatorAuthFactorConfig $config,
	+ PhabricatorUser $viewer,
	+ AphrontRequest $request,
	+ array $challenges) {
	+
	$result = $this->newResult()
	->setIsContinue(true)
	->setErrorMessage(
	pht(
	'A challenge has been sent to your phone. Open the Duo '.
	'application and confirm the challenge, then continue.'));

	$challenge = $this->getChallengeForCurrentContext(
	$config,
	$viewer,
	$challenges);
	if ($challenge) {
	$result
	->setStatusChallenge($challenge)
	->setIcon(
	id(new PHUIIconView())
	->setIcon('fa-refresh', 'green ph-spin'));
	}

	return $result;
	}

	private function newDuoFuture(PhabricatorAuthFactorProvider $provider) {
	$credential_phid = $provider->getAuthFactorProviderProperty(
	self::PROP_CREDENTIAL);

	$omnipotent = PhabricatorUser::getOmnipotentUser();

	$credential = id(new PassphraseCredentialQuery())
	->setViewer($omnipotent)
	->withPHIDs(array($credential_phid))
	->needSecrets(true)
	->executeOne();
	if (!$credential) {
	throw new Exception(
	pht(
	'Unable to load Duo API credential ("%s").',
	$credential_phid));
	}

	$duo_key = $credential->getUsername();
	$duo_secret = $credential->getSecret();
	if (!$duo_secret) {
	throw new Exception(
	pht(
	'Duo API credential ("%s") has no secret key.',
	$credential_phid));
	}

	$duo_host = $provider->getAuthFactorProviderProperty(
	self::PROP_HOSTNAME);
	self::requireDuoAPIHostname($duo_host);

	return id(new PhabricatorDuoFuture())
	->setIntegrationKey($duo_key)
	->setSecretKey($duo_secret)
	->setAPIHostname($duo_host)
	->setTimeout(10)
	->setHTTPMethod('POST');
	}

	private function getDuoUsername(
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $user) {

	$mode = $provider->getAuthFactorProviderProperty(self::PROP_USERNAMES);
	switch ($mode) {
	case 'username':
	return $user->getUsername();
	case 'email':
	return $user->loadPrimaryEmailAddress();
	default:
	throw new Exception(
	pht(
	'Duo username pairing mode ("%s") is not supported.',
	$mode));
	}
	}

	private function shouldAllowDuoEnrollment(
	PhabricatorAuthFactorProvider $provider) {

	$mode = $provider->getAuthFactorProviderProperty(self::PROP_ENROLL);
	switch ($mode) {
	case 'deny':
	return false;
	case 'allow':
	return true;
	default:
	throw new Exception(
	pht(
	'Duo enrollment mode ("%s") is not supported.',
	$mode));
	}
	}

	private function newDuoConfig(PhabricatorUser $user, $duo_user) {
	$config_properties = array(
	'duo.username' => $duo_user,
	);

	$config = $this->newConfigForUser($user)
	->setFactorName(pht('Duo (%s)', $duo_user))
	->setProperties($config_properties);

	return $config;
	}

	public static function requireDuoAPIHostname($hostname) {
	if (preg_match('/\.duosecurity\.com\z/', $hostname)) {
	return;
	}

	throw new Exception(
	pht(
	'Duo API hostname ("%s") is invalid, hostname must be '.
	'"*.duosecurity.com".',
	$hostname));
	}

	public function newChallengeStatusView(
	PhabricatorAuthFactorConfig $config,
	PhabricatorAuthFactorProvider $provider,
	PhabricatorUser $viewer,
	PhabricatorAuthChallenge $challenge) {

	$duo_xaction = $challenge->getChallengeKey();

	$parameters = array(
	'txid' => $duo_xaction,
	);

	$default_result = id(new PhabricatorAuthChallengeUpdate())
	->setRetry(true);

	try {
	$result = $this->newDuoFuture($provider)
	->setHTTPMethod('GET')
	->setMethod('auth_status', $parameters)
	->setTimeout(5)
	->resolve();

	$state = $result['response']['result'];
	} catch (HTTPFutureCURLResponseStatus $exception) {
	// If we failed or timed out, retry. Usually, this is a timeout.
	return id(new PhabricatorAuthChallengeUpdate())
	->setRetry(true);
	}

	// For now, don't update the view for anything but an "Allow". Updates
	// here are just about providing more visual feedback for user convenience.
	if ($state !== 'allow') {
	return id(new PhabricatorAuthChallengeUpdate())
	->setRetry(false);
	}

	$icon = id(new PHUIIconView())
	->setIcon('fa-check-circle-o', 'green');

	$view = id(new PHUIFormTimerControl())
	->setIcon($icon)
	->appendChild(pht('You responded to this challenge correctly.'))
	->newTimerView();

	return id(new PhabricatorAuthChallengeUpdate())
	->setState('allow')
	->setRetry(false)
	->setMarkup($view);
	}

	}

File Metadata

Mime Type: text/x-diff
Expires: Mon, Jul 28, 12:55 AM (1 w, 7 h ago)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 186290
Default Alt Text: (80 KB)

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions