archive/phabricator
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity
Files
d75007cf42d1169f14a8190f285d889ae6d444b4
phabricator/src/applications/auth/controller/validate/PhabricatorLoginValidateController.php
epriestley d75007cf42 Validate logins, and simplify email password resets 
Summary:
  - There are some recent reports of login issues, see T755 and T754. I'm not
really sure what's going on, but this is an attempt at getting some more
information.
  - When we login a user by setting 'phusr' and 'phsid', send them to
/login/validate/ to validate that the cookies actually got set.
  - Do email password resets in two steps: first, log the user in. Redirect them
through validate, then give them the option to reset their password.
  - Don't CSRF logged-out users. It technically sort of works most of the time
right now, but is silly. If we need logged-out CSRF we should generate it in
some more reliable way.

Test Plan:
  - Logged in with username/password.
  - Logged in with OAuth.
  - Logged in with email password reset.
  - Sent bad values to /login/validate/, got appropriate errors.
  - Reset password.
  - Verified next_uri still works.

Reviewers: btrahan, jungejason

Reviewed By: btrahan

CC: aran, btrahan, j3kuntz

Maniphest Tasks: T754, T755

Differential Revision: https://secure.phabricator.com/D1353
2012-01-11 08:25:55 -08:00

96 lines
2.6 KiB
PHP
Raw Blame History

<?php
/*
* Copyright 2012 Facebook, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
class PhabricatorLoginValidateController extends PhabricatorAuthController {
public function shouldRequireLogin() {
return false;
}
public function processRequest() {
$request = $this->getRequest();
$failures = array();
if (!$request->getStr('phusr')) {
throw new Exception(
"Login validation is missing expected parameters!");
}
$expect_phusr = $request->getStr('phusr');
$actual_phusr = $request->getCookie('phusr');
if ($actual_phusr != $expect_phusr) {
if ($actual_phusr) {
$cookie_info = "sent back a cookie with the value '{$actual_phusr}'.";
} else {
$cookie_info = "did not accept the cookie.";
}
$failures[] =
"Attempted to set 'phusr' cookie to '{$expect_phusr}', but your ".
"browser {$cookie_info}";
}
if (!$failures) {
if (!$request->getUser()->getPHID()) {
$failures[] = "Cookies were set correctly, but your session ".
"isn't valid.";
}
}
if ($failures) {
$list = array();
foreach ($failures as $failure) {
$list[] = '<li>'.phutil_escape_html($failure).'</li>';
}
$list = '<ul>'.implode("\n", $list).'</ul>';
$view = new AphrontRequestFailureView();
$view->setHeader('Login Failed');
$view->appendChild(
'<p>Login failed:</p>'.
$list.
'<p><strong>Clear your cookies</strong> and try again.</p>');
$view->appendChild(
'<div class="aphront-failure-continue">'.
'<a class="button" href="/login/">Try Again</a>'.
'</div>');
return $this->buildStandardPageResponse(
$view,
array(
'title' => 'Login Failed',
));
}
$next = nonempty(
$request->getStr('next'),
$request->getCookie('next_uri'),
'/');
$request->clearCookie('next_uri');
if (strpos($next, '/') !== 0) {
$next = '/';
}
return id(new AphrontRedirectResponse())->setURI($next);
}
}
Reference in New Issue View Git Blame Copy Permalink