Allow "bin/auth recover" to generate a link which forces a full login session

Summary: Depends on D19902. Ref T13222. This is mostly a "while I'm in here..." change since MFA is getting touched so much anyway. Doing cluster support, I sometimes need to log into user accounts on instances that have MFA. I currently accomplish this by doing `bin/auth recover`, getting a parital session, and then forcing it into a full session in the database. This is inconvenient and somewhat dangerous. Instead, allow `bin/auth recover` to generate a link that skips the "partial session" stage: adding required MFA, providing MFA, and signing legalpad documents. Anyone who can run `bin/auth recover` can do this anyway, this just reduces the chance I accidentally bypass MFA on the wrong session when doing support stuff. Test Plan: - Logged in with `bin/auth recover`, was prompted for MFA. - Logged in with `bin/auth recover --force-full-session`, was not prompted for MFA. - Did a password reset, followed reset link, was prompted for MFA. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13222 Differential Revision: https://secure.phabricator.com/D19903
2018-12-18 11:09:06 -08:00
parent 6a6db0ac8e
commit ff49d1ef77
5 changed files with 44 additions and 7 deletions
--- a/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
+++ b/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
@@ -152,7 +152,12 @@ final class PhabricatorAuthOneTimeLoginController

      PhabricatorCookies::setNextURICookie($request, $next, $force = true);

-      return $this->loginUser($target_user);
+      $force_full_session = false;
+      if ($link_type === PhabricatorAuthSessionEngine::ONETIME_RECOVER) {
+        $force_full_session = $token->getShouldForceFullSession();
+      }
+
+      return $this->loginUser($target_user, $force_full_session);
    }

    // NOTE: We need to CSRF here so attackers can't generate an email link,