<?php

/**
 * Last step of the login flow: converts a partial session into a full
 * session once the viewer has cleared the high security checkpoint.
 *
 * Security-relevant ordering inside processRequest():
 *   1. a viewer without a partial session is redirected to '/';
 *   2. the high security checkpoint runs before the session is upgraded;
 *   3. the post-login redirect target is read from a cookie and is only
 *      followed when it validates as a local web resource.
 */
final class PhabricatorAuthFinishController
  extends PhabricatorAuthController {

  /**
   * Always returns false. Presumably this lets the base controller serve the
   * page to a viewer who is not fully logged in yet -- confirm against
   * PhabricatorAuthController.
   */
  public function shouldRequireLogin() {
    return false;
  }

  /**
   * Always returns true. Presumably this opts the controller in to being
   * reachable with a partial session, which is the state this page exists to
   * resolve -- confirm against PhabricatorAuthController.
   */
  public function shouldAllowPartialSessions() {
    return true;
  }

  /**
   * Run the checkpoint and, if it passes, upgrade the session and redirect.
   *
   * @return AphrontRedirectResponse|mixed A redirect on success or when there
   *   is nothing to finish; otherwise the multi-factor dialog built by
   *   newDialog().
   */
  public function processRequest() {
    $request = $this->getRequest();
    $viewer = $request->getUser();

    // Only a partial session has anything left to finish. Viewers with no
    // session, or with a session that is already full, are sent to '/'.
    if (!$viewer->hasSession() || !$viewer->getSession()->getIsPartial()) {
      return id(new AphrontRedirectResponse())->setURI('/');
    }

    $engine = new PhabricatorAuthSessionEngine();

    // When this cookie is present the user is on their way into a high
    // security area right after login (normally a password reset). If they
    // pass the checkpoint below, the account goes straight into high security
    // mode instead of being prompted a second time for the same credentials.
    //
    // NOTE(review): the value comes straight from a request cookie and is
    // passed through unchecked here, so the engine has to be what ensures
    // high security mode is only entered after the factors validate --
    // confirm in PhabricatorAuthSessionEngine.
    $enter_hisec = $request->getCookie(PhabricatorCookies::COOKIE_HISEC);

    try {
      // The returned token is not read again in this method; the call matters
      // because it throws when credentials are still required. '/logout/' is
      // presumably the cancel URI surfaced by the exception -- verify.
      $hisec_token = $engine->requireHighSecuritySession(
        $viewer,
        $request,
        '/logout/',
        $enter_hisec);
    } catch (PhabricatorAuthHighSecurityRequiredException $required) {
      // Checkpoint not passed: show the factor form and stop. Returning here
      // means the upgrade below is never reached on this request.
      $factor_form = id(new PhabricatorAuthSessionEngine())
        ->renderHighSecurityForm(
          $required->getFactors(),
          $required->getFactorValidationResults(),
          $viewer,
          $request);

      return $this->newDialog()
        ->setTitle(pht('Provide Multi-Factor Credentials'))
        ->setShortTitle(pht('Multi-Factor Login'))
        ->setWidth(AphrontDialogView::WIDTH_FORM)
        ->addHiddenInput(AphrontRequest::TYPE_HISEC, true)
        ->appendParagraph(
          pht(
            'Welcome, %s. To complete the login process, provide your '.
            'multi-factor credentials.',
            phutil_tag('strong', array(), $viewer->getUsername())))
        ->appendChild($factor_form->buildLayoutView())
        ->setSubmitURI($request->getPath())
        ->addCancelButton($required->getCancelURI())
        ->addSubmitButton(pht('Continue'));
    }

    // Checkpoint passed: promote the partial session to a full session.
    $engine->upgradePartialSession($viewer);

    // TODO: It might be nice to add options like "bind this session to my IP"
    // here, even for accounts without multi-factor auth attached to them.

    // Read the destination, then drop both one-shot cookies so they are not
    // carried into later requests.
    $next_uri = PhabricatorCookies::getNextURICookie($request);
    $request->clearCookie(PhabricatorCookies::COOKIE_NEXTURI);
    $request->clearCookie(PhabricatorCookies::COOKIE_HISEC);

    // The destination originates from a cookie, so it is followed only when
    // PhabricatorEnv::isValidLocalWebResource() accepts it; anything else
    // falls back to '/' rather than redirecting to an unvetted target.
    $target = PhabricatorEnv::isValidLocalWebResource($next_uri)
      ? $next_uri
      : '/';

    return id(new AphrontRedirectResponse())->setURI($target);
  }

}