Use new modular temporary auth token constants in one-time login and password reset flows

Summary:
Ref T10603. This converts existing hard-coded values to modular constants.

Also removes one small piece of code duplication.

Test Plan:
  - Performed one-time logins.
  - Performed a password reset.
  - Verified temporary tokens were revoked properly.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10603

Differential Revision: https://secure.phabricator.com/D15476
epriestley
2016-03-16 05:32:55 -07:00
parent cf15e0de43
commit 8e3ea4e034
4 changed files with 18 additions and 31 deletions


@@ -105,23 +105,17 @@ final class PhabricatorAuthOneTimeLoginController
// the link in the "Welcome" email is good enough, without requiring users
// to go through a second round of email verification.
$editor = id(new PhabricatorUserEditor())
->setActor($target_user);
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
// Nuke the token and all other outstanding password reset tokens.
// There is no particular security benefit to destroying them all, but
// it should reduce HackerOne reports of nebulous harm.
PhabricatorAuthTemporaryToken::revokeTokens(
$target_user,
array($target_user->getPHID()),
array(
PhabricatorAuthSessionEngine::ONETIME_TEMPORARY_TOKEN_TYPE,
PhabricatorAuthSessionEngine::PASSWORD_TEMPORARY_TOKEN_TYPE,
));
$editor->revokePasswordResetLinks($target_user);
if ($target_email) {
id(new PhabricatorUserEditor())
->setActor($target_user)
->verifyEmail($target_user, $target_email);
$editor->verifyEmail($target_user, $target_email);
}
unset($unguarded);
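Review bot: The new `$editor->revokePasswordResetLinks($target_user);` stands in for a revokeTokens() call that explicitly listed both the one-time login token type and the password-reset token type, so whether the token that just authenticated this request is still revoked now depends entirely on what revokePasswordResetLinks() does inside PhabricatorUserEditor, outside this hunk; that should be confirmed, because otherwise the one-time login link stays valid until its expiry. If the "Nuke the token ..." comment did not survive alongside the replaced call, a short note on the new line would keep the intent visible, e.g. `// Revokes this login token and every other outstanding reset token for the user.`. The enclosing method begins and ends outside the hunk.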
@@ -133,12 +127,13 @@ final class PhabricatorAuthOneTimeLoginController
// We're going to let the user reset their password without knowing
// the old one. Generate a one-time token for that.
$key = Filesystem::readRandomCharacters(16);
$password_type =
PhabricatorAuthPasswordResetTemporaryTokenType::TOKENTYPE;
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
id(new PhabricatorAuthTemporaryToken())
->setObjectPHID($target_user->getPHID())
->setTokenType(
PhabricatorAuthSessionEngine::PASSWORD_TEMPORARY_TOKEN_TYPE)
->setTokenType($password_type)
->setTokenExpires(time() + phutil_units('1 hour in seconds'))
->setTokenCode(PhabricatorHash::digest($key))
->save();