Validate logins, and simplify email password resets
Summary: - There are some recent reports of login issues, see T755 and T754. I'm not really sure what's going on, but this is an attempt at getting some more information. - When we login a user by setting 'phusr' and 'phsid', send them to /login/validate/ to validate that the cookies actually got set. - Do email password resets in two steps: first, log the user in. Redirect them through validate, then give them the option to reset their password. - Don't CSRF logged-out users. It technically sort of works most of the time right now, but is silly. If we need logged-out CSRF we should generate it in some more reliable way. Test Plan: - Logged in with username/password. - Logged in with OAuth. - Logged in with email password reset. - Sent bad values to /login/validate/, got appropriate errors. - Reset password. - Verified next_uri still works. Reviewers: btrahan, jungejason Reviewed By: btrahan CC: aran, btrahan, j3kuntz Maniphest Tasks: T754, T755 Differential Revision: https://secure.phabricator.com/D1353
This commit is contained in:
epriestley
@@ -0,0 +1,95 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
* Copyright 2012 Facebook, Inc.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
class PhabricatorLoginValidateController extends PhabricatorAuthController {
|
||||
|
||||
public function shouldRequireLogin() {
|
||||
return false;
|
||||
}
|
||||
|
||||
public function processRequest() {
|
||||
$request = $this->getRequest();
|
||||
|
||||
$failures = array();
|
||||
|
||||
if (!$request->getStr('phusr')) {
|
||||
throw new Exception(
|
||||
"Login validation is missing expected parameters!");
|
||||
}
|
||||
|
||||
$expect_phusr = $request->getStr('phusr');
|
||||
$actual_phusr = $request->getCookie('phusr');
|
||||
if ($actual_phusr != $expect_phusr) {
|
||||
|
||||
if ($actual_phusr) {
|
||||
$cookie_info = "sent back a cookie with the value '{$actual_phusr}'.";
|
||||
} else {
|
||||
$cookie_info = "did not accept the cookie.";
|
||||
}
|
||||
|
||||
$failures[] =
|
||||
"Attempted to set 'phusr' cookie to '{$expect_phusr}', but your ".
|
||||
"browser {$cookie_info}";
|
||||
}
|
||||
|
||||
if (!$failures) {
|
||||
if (!$request->getUser()->getPHID()) {
|
||||
$failures[] = "Cookies were set correctly, but your session ".
|
||||
"isn't valid.";
|
||||
}
|
||||
}
|
||||
|
||||
if ($failures) {
|
||||
|
||||
$list = array();
|
||||
foreach ($failures as $failure) {
|
||||
$list[] = '<li>'.phutil_escape_html($failure).'</li>';
|
||||
}
|
||||
$list = '<ul>'.implode("\n", $list).'</ul>';
|
||||
|
||||
$view = new AphrontRequestFailureView();
|
||||
$view->setHeader('Login Failed');
|
||||
$view->appendChild(
|
||||
'<p>Login failed:</p>'.
|
||||
$list.
|
||||
'<p><strong>Clear your cookies</strong> and try again.</p>');
|
||||
$view->appendChild(
|
||||
'<div class="aphront-failure-continue">'.
|
||||
'<a class="button" href="/login/">Try Again</a>'.
|
||||
'</div>');
|
||||
return $this->buildStandardPageResponse(
|
||||
$view,
|
||||
array(
|
||||
'title' => 'Login Failed',
|
||||
));
|
||||
}
|
||||
|
||||
$next = nonempty(
|
||||
$request->getStr('next'),
|
||||
$request->getCookie('next_uri'),
|
||||
'/');
|
||||
$request->clearCookie('next_uri');
|
||||
|
||||
if (strpos($next, '/') !== 0) {
|
||||
$next = '/';
|
||||
}
|
||||
|
||||
return id(new AphrontRedirectResponse())->setURI($next);
|
||||
}
|
||||
|
||||
}
|
||||
17
src/applications/auth/controller/validate/__init__.php
Normal file
17
src/applications/auth/controller/validate/__init__.php
Normal file
@@ -0,0 +1,17 @@
|
||||
<?php
|
||||
/**
|
||||
* This file is automatically generated. Lint this module to rebuild it.
|
||||
* @generated
|
||||
*/
|
||||
|
||||
|
||||
|
||||
phutil_require_module('phabricator', 'aphront/response/redirect');
|
||||
phutil_require_module('phabricator', 'applications/auth/controller/base');
|
||||
phutil_require_module('phabricator', 'view/page/failure');
|
||||
|
||||
phutil_require_module('phutil', 'markup');
|
||||
phutil_require_module('phutil', 'utils');
|
||||
|
||||
|
||||
phutil_require_source('PhabricatorLoginValidateController.php');
|
||||
Reference in New Issue
Block a user