archive/phabricator
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

Validate logins, and simplify email password resets

Browse Source 
Summary:
  - There are some recent reports of login issues, see T755 and T754. I'm not
really sure what's going on, but this is an attempt at getting some more
information.
  - When we login a user by setting 'phusr' and 'phsid', send them to
/login/validate/ to validate that the cookies actually got set.
  - Do email password resets in two steps: first, log the user in. Redirect them
through validate, then give them the option to reset their password.
  - Don't CSRF logged-out users. It technically sort of works most of the time
right now, but is silly. If we need logged-out CSRF we should generate it in
some more reliable way.

Test Plan:
  - Logged in with username/password.
  - Logged in with OAuth.
  - Logged in with email password reset.
  - Sent bad values to /login/validate/, got appropriate errors.
  - Reset password.
  - Verified next_uri still works.

Reviewers: btrahan, jungejason

Reviewed By: btrahan

CC: aran, btrahan, j3kuntz

Maniphest Tasks: T754, T755

Differential Revision: https://secure.phabricator.com/D1353
This commit is contained in:
epriestley
2012-01-10 14:42:07 -08:00
parent af37b637f5
commit d75007cf42
12 changed files with 306 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/applications/auth/controller/oauth/PhabricatorOAuthLoginController.php
View File

@@ -1,7 +1,7 @@
<?php
/*
* Copyright 2011 Facebook, Inc.
* Copyright 2012 Facebook, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -134,8 +134,6 @@ class PhabricatorOAuthLoginController extends PhabricatorAuthController {
->setURI('/settings/page/'.$provider_key.'/');
}
$next_uri = $request->getCookie('next_uri', '/');
// Login with known auth.
if ($oauth_info->getID()) {
@@ -154,9 +152,14 @@ class PhabricatorOAuthLoginController extends PhabricatorAuthController {
$request->setCookie('phusr', $known_user->getUsername());
$request->setCookie('phsid', $session_key);
$request->clearCookie('next_uri');
return id(new AphrontRedirectResponse())
->setURI($next_uri);
$uri = new PhutilURI('/login/validate/');
$uri->setQueryParams(
array(
'phusr' => $known_user->getUsername(),
));
return id(new AphrontRedirectResponse())->setURI((string)$uri);
}
$oauth_email = $provider->retrieveUserEmail();