Make external link/refresh use provider IDs, switch external account MFA to one-shot

Summary: Depends on D20113. Ref T6703. Continue moving toward a future where multiple copies of a given type of provider may exist. Switch MFA from session-MFA at the start to one-shot MFA at the actual link action. Add one-shot MFA to the unlink action. This theoretically prevents an attacker from unlinking an account while you're getting coffee, registering `alIce` which they control, adding a copy of your profile picture, and then trying to trick you into writing a private note with your personal secrets or something. Test Plan: Linked and unlinked accounts. Refreshed account. Unlinked, then registered a new account. Unlinked, then relinked to my old account. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T6703 Differential Revision: https://secure.phabricator.com/D20117
2019-02-06 17:12:12 -08:00
parent e5ee656fff
commit d22495a820
8 changed files with 76 additions and 60 deletions
--- a/src/applications/auth/controller/PhabricatorAuthUnlinkController.php
+++ b/src/applications/auth/controller/PhabricatorAuthUnlinkController.php
@@ -31,7 +31,7 @@ final class PhabricatorAuthUnlinkController
    $confirmations = $request->getStrList('confirmations');
    $confirmations = array_fuse($confirmations);

-    if (!$request->isFormPost() || !isset($confirmations['unlink'])) {
+    if (!$request->isFormOrHisecPost() || !isset($confirmations['unlink'])) {
      return $this->renderConfirmDialog($confirmations, $config, $done_uri);
    }

@@ -59,6 +59,14 @@ final class PhabricatorAuthUnlinkController
      }
    }

+    $workflow_key = sprintf(
+      'account.unlink(%s)',
+      $account->getPHID());
+
+    $hisec_token = id(new PhabricatorAuthSessionEngine())
+      ->setWorkflowKey($workflow_key)
+      ->requireHighSecurityToken($viewer, $request, $done_uri);
+
    $account->delete();

    id(new PhabricatorAuthSessionEngine())->terminateLoginSessions(