public function processRequest() { $request = $this->getRequest(); if ($request->getUser()->isLoggedIn()) { return $this->renderError(pht('You are already logged in.')); } $is_setup = false; if (strlen($this->accountKey)) { $result = $this->loadAccountForRegistrationOrLinking($this->accountKey); list($account, $provider, $response) = $result; $is_default = false; } else { if ($this->isFirstTimeSetup()) { list($account, $provider, $response) = $this->loadSetupAccount(); $is_default = true; $is_setup = true; } else { list($account, $provider, $response) = $this->loadDefaultAccount(); $is_default = true; } } if ($response) { return $response; } $invite = $this->loadInvite(); if (!$provider->shouldAllowRegistration()) { if ($invite) { // If the user has an invite, we allow them to register with any // provider, even a login-only provider. } else { // TODO: This is a routine error if you click "Login" on an external // auth source which doesn't allow registration. The error should be // more tailored. return $this->renderError(pht('The account you are attempting to register with uses an ' . 'authentication provider ("%s") which does not allow ' . 'registration. An administrator may have recently disabled ' . 'registration with this provider.', $provider->getProviderName())); } } $user = new PhabricatorUser(); $default_username = $account->getUsername(); $default_realname = $account->getRealName(); $default_email = $account->getEmail(); if ($invite) { $default_email = $invite->getEmailAddress(); } if (!PhabricatorUserEmail::isValidAddress($default_email)) { $default_email = null; } if ($default_email !== null) { // We should bypass policy here becase e.g. limiting an application use // to a subset of users should not allow the others to overwrite // configured application emails $application_email = id(new PhabricatorMetaMTAApplicationEmailQuery())->setViewer(PhabricatorUser::getOmnipotentUser())->withAddresses(array($default_email))->executeOne(); if ($application_email) { $default_email = null; } } if ($default_email !== null) { // If the account source provided an email, but it's not allowed by // the configuration, roadblock the user. Previously, we let the user // pick a valid email address instead, but this does not align well with // user expectation and it's not clear the cases it enables are valuable. // See discussion in T3472. if (!PhabricatorUserEmail::isAllowedAddress($default_email)) { return $this->renderError(array(pht('The account you are attempting to register with has an invalid ' . 'email address (%s). This Phabricator install only allows ' . 'registration with specific email addresses:', $default_email), phutil_tag('br'), phutil_tag('br'), PhabricatorUserEmail::describeAllowedAddresses())); } // If the account source provided an email, but another account already // has that email, just pretend we didn't get an email. // TODO: See T3472. if ($default_email !== null) { $same_email = id(new PhabricatorUserEmail())->loadOneWhere('address = %s', $default_email); if ($same_email) { if ($invite) { // We're allowing this to continue. The fact that we loaded the // invite means that the address is nonprimary and unverified and // we're OK to steal it. } else { $default_email = null; } } } } $profile = id(new PhabricatorRegistrationProfile())->setDefaultUsername($default_username)->setDefaultEmail($default_email)->setDefaultRealName($default_realname)->setCanEditUsername(true)->setCanEditEmail($default_email === null)->setCanEditRealName(true)->setShouldVerifyEmail(false); $event_type = PhabricatorEventType::TYPE_AUTH_WILLREGISTERUSER; $event_data = array('account' => $account, 'profile' => $profile); $event = id(new PhabricatorEvent($event_type, $event_data))->setUser($user); PhutilEventEngine::dispatchEvent($event); $default_username = $profile->getDefaultUsername(); $default_email = $profile->getDefaultEmail(); $default_realname = $profile->getDefaultRealName(); $can_edit_username = $profile->getCanEditUsername(); $can_edit_email = $profile->getCanEditEmail(); $can_edit_realname = $profile->getCanEditRealName(); $must_set_password = $provider->shouldRequireRegistrationPassword(); $can_edit_anything = $profile->getCanEditAnything() || $must_set_password; $force_verify = $profile->getShouldVerifyEmail(); // Automatically verify the administrator's email address during first-time // setup. if ($is_setup) { $force_verify = true; } $value_username = $default_username; $value_realname = $default_realname; $value_email = $default_email; $value_password = null; $errors = array(); $require_real_name = PhabricatorEnv::getEnvConfig('user.require-real-name'); $e_username = strlen($value_username) ? null : true; $e_realname = $require_real_name ? true : null; $e_email = strlen($value_email) ? null : true; $e_password = true; $e_captcha = true; $skip_captcha = false; if ($invite) { // If the user is accepting an invite, assume they're trustworthy enough // that we don't need to CAPTCHA them. $skip_captcha = true; } $min_len = PhabricatorEnv::getEnvConfig('account.minimum-password-length'); $min_len = (int) $min_len; $from_invite = $request->getStr('invite'); if ($from_invite && $can_edit_username) { $value_username = $request->getStr('username'); $e_username = null; } if (($request->isFormPost() || !$can_edit_anything) && !$from_invite) { $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); if ($must_set_password && !$skip_captcha) { $e_captcha = pht('Again'); $captcha_ok = AphrontFormRecaptchaControl::processCaptcha($request); if (!$captcha_ok) { $errors[] = pht('Captcha response is incorrect, try again.'); $e_captcha = pht('Invalid'); } } if ($can_edit_username) { $value_username = $request->getStr('username'); if (!strlen($value_username)) { $e_username = pht('Required'); $errors[] = pht('Username is required.'); } else { if (!PhabricatorUser::validateUsername($value_username)) { $e_username = pht('Invalid'); $errors[] = PhabricatorUser::describeValidUsername(); } else { $e_username = null; } } } if ($must_set_password) { $value_password = $request->getStr('password'); $value_confirm = $request->getStr('confirm'); if (!strlen($value_password)) { $e_password = pht('Required'); $errors[] = pht('You must choose a password.'); } else { if ($value_password !== $value_confirm) { $e_password = pht('No Match'); $errors[] = pht('Password and confirmation must match.'); } else { if (strlen($value_password) < $min_len) { $e_password = pht('Too Short'); $errors[] = pht('Password is too short (must be at least %d characters long).', $min_len); } else { if (PhabricatorCommonPasswords::isCommonPassword($value_password)) { $e_password = pht('Very Weak'); $errors[] = pht('Password is pathologically weak. This password is one of the ' . 'most common passwords in use, and is extremely easy for ' . 'attackers to guess. You must choose a stronger password.'); } else { $e_password = null; } } } } } if ($can_edit_email) { $value_email = $request->getStr('email'); if (!strlen($value_email)) { $e_email = pht('Required'); $errors[] = pht('Email is required.'); } else { if (!PhabricatorUserEmail::isValidAddress($value_email)) { $e_email = pht('Invalid'); $errors[] = PhabricatorUserEmail::describeValidAddresses(); } else { if (!PhabricatorUserEmail::isAllowedAddress($value_email)) { $e_email = pht('Disallowed'); $errors[] = PhabricatorUserEmail::describeAllowedAddresses(); } else { $e_email = null; } } } } if ($can_edit_realname) { $value_realname = $request->getStr('realName'); if (!strlen($value_realname) && $require_real_name) { $e_realname = pht('Required'); $errors[] = pht('Real name is required.'); } else { $e_realname = null; } } if (!$errors) { $image = $this->loadProfilePicture($account); if ($image) { $user->setProfileImagePHID($image->getPHID()); } try { $verify_email = false; if ($force_verify) { $verify_email = true; } if ($value_email === $default_email) { if ($account->getEmailVerified()) { $verify_email = true; } if ($provider->shouldTrustEmails()) { $verify_email = true; } if ($invite) { $verify_email = true; } } $email_obj = null; if ($invite) { // If we have a valid invite, this email may exist but be // nonprimary and unverified, so we'll reassign it. $email_obj = id(new PhabricatorUserEmail())->loadOneWhere('address = %s', $value_email); } if (!$email_obj) { $email_obj = id(new PhabricatorUserEmail())->setAddress($value_email); } $email_obj->setIsVerified((int) $verify_email); $user->setUsername($value_username); $user->setRealname($value_realname); if ($is_setup) { $must_approve = false; } else { if ($invite) { $must_approve = false; } else { $must_approve = PhabricatorEnv::getEnvConfig('auth.require-approval'); } } if ($must_approve) { $user->setIsApproved(0); } else { $user->setIsApproved(1); } if ($invite) { $allow_reassign_email = true; } else { $allow_reassign_email = false; } $user->openTransaction(); $editor = id(new PhabricatorUserEditor())->setActor($user); $editor->createNewUser($user, $email_obj, $allow_reassign_email); if ($must_set_password) { $envelope = new PhutilOpaqueEnvelope($value_password); $editor->changePassword($user, $envelope); } if ($is_setup) { $editor->makeAdminUser($user, true); } $account->setUserPHID($user->getPHID()); $provider->willRegisterAccount($account); $account->save(); $user->saveTransaction(); if (!$email_obj->getIsVerified()) { $email_obj->sendVerificationEmail($user); } if ($must_approve) { $this->sendWaitingForApprovalEmail($user); } if ($invite) { $invite->setAcceptedByPHID($user->getPHID())->save(); } return $this->loginUser($user); } catch (AphrontDuplicateKeyQueryException $exception) { $same_username = id(new PhabricatorUser())->loadOneWhere('userName = %s', $user->getUserName()); $same_email = id(new PhabricatorUserEmail())->loadOneWhere('address = %s', $value_email); if ($same_username) { $e_username = pht('Duplicate'); $errors[] = pht('Another user already has that username.'); } if ($same_email) { // TODO: See T3340. $e_email = pht('Duplicate'); $errors[] = pht('Another user already has that email.'); } if (!$same_username && !$same_email) { throw $exception; } } } unset($unguarded); } $form = id(new AphrontFormView())->setUser($request->getUser()); if (!$is_default) { $form->appendChild(id(new AphrontFormMarkupControl())->setLabel(pht('External Account'))->setValue(id(new PhabricatorAuthAccountView())->setUser($request->getUser())->setExternalAccount($account)->setAuthProvider($provider))); } if ($can_edit_username) { $form->appendChild(id(new AphrontFormTextControl())->setLabel(pht('Phabricator Username'))->setName('username')->setValue($value_username)->setError($e_username)); } else { $form->appendChild(id(new AphrontFormMarkupControl())->setLabel(pht('Phabricator Username'))->setValue($value_username)->setError($e_username)); } if ($can_edit_realname) { $form->appendChild(id(new AphrontFormTextControl())->setLabel(pht('Real Name'))->setName('realName')->setValue($value_realname)->setError($e_realname)); } if ($must_set_password) { $form->appendChild(id(new AphrontFormPasswordControl())->setLabel(pht('Password'))->setName('password')->setError($e_password)); $form->appendChild(id(new AphrontFormPasswordControl())->setLabel(pht('Confirm Password'))->setName('confirm')->setError($e_password)->setCaption($min_len ? pht('Minimum length of %d characters.', $min_len) : null)); } if ($can_edit_email) { $form->appendChild(id(new AphrontFormTextControl())->setLabel(pht('Email'))->setName('email')->setValue($value_email)->setCaption(PhabricatorUserEmail::describeAllowedAddresses())->setError($e_email)); } if ($must_set_password && !$skip_captcha) { $form->appendChild(id(new AphrontFormRecaptchaControl())->setLabel(pht('Captcha'))->setError($e_captcha)); } $submit = id(new AphrontFormSubmitControl()); if ($is_setup) { $submit->setValue(pht('Create Admin Account')); } else { $submit->addCancelButton($this->getApplicationURI('start/'))->setValue(pht('Register Phabricator Account')); } $form->appendChild($submit); $crumbs = $this->buildApplicationCrumbs(); if ($is_setup) { $crumbs->addTextCrumb(pht('Setup Admin Account')); $title = pht('Welcome to Phabricator'); } else { $crumbs->addTextCrumb(pht('Register')); $crumbs->addTextCrumb($provider->getProviderName()); $title = pht('Phabricator Registration'); } $welcome_view = null; if ($is_setup) { $welcome_view = id(new PHUIInfoView())->setSeverity(PHUIInfoView::SEVERITY_NOTICE)->setTitle(pht('Welcome to Phabricator'))->appendChild(pht('Installation is complete. Register your administrator account ' . 'below to log in. You will be able to configure options and add ' . 'other authentication mechanisms (like LDAP or OAuth) later on.')); } $object_box = id(new PHUIObjectBoxView())->setHeaderText($title)->setForm($form)->setFormErrors($errors); $invite_header = null; if ($invite) { $invite_header = $this->renderInviteHeader($invite); } return $this->buildApplicationPage(array($crumbs, $welcome_view, $invite_header, $object_box), array('title' => $title)); }
public function handleRequest(AphrontRequest $request) { if (!PhabricatorPasswordAuthProvider::getPasswordProvider()) { return new Aphront400Response(); } $e_email = true; $e_captcha = true; $errors = array(); $is_serious = PhabricatorEnv::getEnvConfig('phabricator.serious-business'); if ($request->isFormPost()) { $e_email = null; $e_captcha = pht('Again'); $captcha_ok = AphrontFormRecaptchaControl::processCaptcha($request); if (!$captcha_ok) { $errors[] = pht('Captcha response is incorrect, try again.'); $e_captcha = pht('Invalid'); } $email = $request->getStr('email'); if (!strlen($email)) { $errors[] = pht('You must provide an email address.'); $e_email = pht('Required'); } if (!$errors) { // NOTE: Don't validate the email unless the captcha is good; this makes // it expensive to fish for valid email addresses while giving the user // a better error if they goof their email. $target_email = id(new PhabricatorUserEmail())->loadOneWhere('address = %s', $email); $target_user = null; if ($target_email) { $target_user = id(new PhabricatorUser())->loadOneWhere('phid = %s', $target_email->getUserPHID()); } if (!$target_user) { $errors[] = pht('There is no account associated with that email address.'); $e_email = pht('Invalid'); } // If this address is unverified, only send a reset link to it if // the account has no verified addresses. This prevents an opportunistic // attacker from compromising an account if a user adds an email // address but mistypes it and doesn't notice. // (For a newly created account, all the addresses may be unverified, // which is why we'll send to an unverified address in that case.) if ($target_email && !$target_email->getIsVerified()) { $verified_addresses = id(new PhabricatorUserEmail())->loadAllWhere('userPHID = %s AND isVerified = 1', $target_email->getUserPHID()); if ($verified_addresses) { $errors[] = pht('That email address is not verified. You can only send ' . 'password reset links to a verified address.'); $e_email = pht('Unverified'); } } if (!$errors) { $engine = new PhabricatorAuthSessionEngine(); $uri = $engine->getOneTimeLoginURI($target_user, null, PhabricatorAuthSessionEngine::ONETIME_RESET); if ($is_serious) { $body = pht("You can use this link to reset your Phabricator password:"******"\n\n %s\n", $uri); } else { $body = pht("Condolences on forgetting your password. You can use this " . "link to reset it:\n\n" . " %s\n\n" . "After you set a new password, consider writing it down on a " . "sticky note and attaching it to your monitor so you don't " . "forget again! Choosing a very short, easy-to-remember password " . "like \"cat\" or \"1234\" might also help.\n\n" . "Best Wishes,\nPhabricator\n", $uri); } $mail = id(new PhabricatorMetaMTAMail())->setSubject(pht('[Phabricator] Password Reset'))->setForceDelivery(true)->addRawTos(array($target_email->getAddress()))->setBody($body)->saveAndSend(); return $this->newDialog()->setTitle(pht('Check Your Email'))->setShortTitle(pht('Email Sent'))->appendParagraph(pht('An email has been sent with a link you can use to login.'))->addCancelButton('/', pht('Done')); } } } $error_view = null; if ($errors) { $error_view = new PHUIInfoView(); $error_view->setErrors($errors); } $email_auth = new PHUIFormLayoutView(); $email_auth->appendChild($error_view); $email_auth->setUser($request->getUser())->setFullWidth(true)->appendChild(id(new AphrontFormTextControl())->setLabel(pht('Email'))->setName('email')->setValue($request->getStr('email'))->setError($e_email))->appendChild(id(new AphrontFormRecaptchaControl())->setLabel(pht('Captcha'))->setError($e_captcha)); $crumbs = $this->buildApplicationCrumbs(); $crumbs->addTextCrumb(pht('Reset Password')); $dialog = new AphrontDialogView(); $dialog->setUser($request->getUser()); $dialog->setTitle(pht('Forgot Password / Email Login')); $dialog->appendChild($email_auth); $dialog->addSubmitButton(pht('Send Email')); $dialog->setSubmitURI('/login/email/'); return $this->buildApplicationPage(array($crumbs, $dialog), array('title' => pht('Forgot Password'))); }
public function processLoginRequest(PhabricatorAuthLoginController $controller) { $request = $controller->getRequest(); $viewer = $request->getUser(); $require_captcha = false; $captcha_valid = false; if (AphrontFormRecaptchaControl::isRecaptchaEnabled()) { $failed_attempts = PhabricatorUserLog::loadRecentEventsFromThisIP(PhabricatorUserLog::ACTION_LOGIN_FAILURE, 60 * 15); if (count($failed_attempts) > 5) { $require_captcha = true; $captcha_valid = AphrontFormRecaptchaControl::processCaptcha($request); } } $response = null; $account = null; $log_user = null; if ($request->isFormPost()) { if (!$require_captcha || $captcha_valid) { $username_or_email = $request->getStr('username'); if (strlen($username_or_email)) { $user = id(new PhabricatorUser())->loadOneWhere('username = %s', $username_or_email); if (!$user) { $user = PhabricatorUser::loadOneWithEmailAddress($username_or_email); } if ($user) { $envelope = new PhutilOpaqueEnvelope($request->getStr('password')); if ($user->comparePassword($envelope)) { $account = $this->loadOrCreateAccount($user->getPHID()); $log_user = $user; // If the user's password is stored using a less-than-optimal // hash, upgrade them to the strongest available hash. $hash_envelope = new PhutilOpaqueEnvelope($user->getPasswordHash()); if (PhabricatorPasswordHasher::canUpgradeHash($hash_envelope)) { $user->setPassword($envelope); $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites(); $user->save(); unset($unguarded); } } } } } } if (!$account) { if ($request->isFormPost()) { $log = PhabricatorUserLog::initializeNewLog(null, $log_user ? $log_user->getPHID() : null, PhabricatorUserLog::ACTION_LOGIN_FAILURE); $log->save(); } $request->clearCookie(PhabricatorCookies::COOKIE_USERNAME); $response = $controller->buildProviderPageResponse($this, $this->renderPasswordLoginForm($request, $require_captcha, $captcha_valid)); } return array($account, $response); }
public function processRequest() { $request = $this->getRequest(); if (!PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) { return new Aphront400Response(); } $e_email = true; $e_captcha = true; $errors = array(); if ($request->isFormPost()) { $e_email = null; $e_captcha = 'Again'; $captcha_ok = AphrontFormRecaptchaControl::processCaptcha($request); if (!$captcha_ok) { $errors[] = "Captcha response is incorrect, try again."; $e_captcha = 'Invalid'; } $email = $request->getStr('email'); if (!strlen($email)) { $errors[] = "You must provide an email address."; $e_email = 'Required'; } if (!$errors) { // NOTE: Don't validate the email unless the captcha is good; this makes // it expensive to fish for valid email addresses while giving the user // a better error if they goof their email. $target_user = id(new PhabricatorUser())->loadOneWhere('email = %s', $email); if (!$target_user) { $errors[] = "There is no account associated with that email address."; $e_email = "Invalid"; } if (!$errors) { $uri = $target_user->getEmailLoginURI(); $body = <<<EOBODY Condolences on forgetting your password. You can use this link to reset it: {$uri} After you set a new password, consider writing it down on a sticky note and attaching it to your monitor so you don't forget again! Choosing a very short, easy-to-remember password like "cat" or "1234" might also help. Best Wishes, Phabricator EOBODY; $mail = new PhabricatorMetaMTAMail(); $mail->setSubject('[Phabricator] Password Reset'); $mail->setFrom($target_user->getPHID()); $mail->addTos(array($target_user->getPHID())); $mail->setBody($body); $mail->saveAndSend(); $view = new AphrontRequestFailureView(); $view->setHeader('Check Your Email'); $view->appendChild('<p>An email has been sent with a link you can use to login.</p>'); return $this->buildStandardPageResponse($view, array('title' => 'Email Sent')); } } } $email_auth = new AphrontFormView(); $email_auth->setAction('/login/email/')->setUser($request->getUser())->appendChild(id(new AphrontFormTextControl())->setLabel('Email')->setName('email')->setValue($request->getStr('email'))->setError($e_email))->appendChild(id(new AphrontFormRecaptchaControl())->setLabel('Captcha')->setError($e_captcha))->appendChild(id(new AphrontFormSubmitControl())->setValue('Send Email')); $error_view = null; if ($errors) { $error_view = new AphrontErrorView(); $error_view->setTitle('Login Error'); $error_view->setErrors($errors); } $panel = new AphrontPanelView(); $panel->setWidth(AphrontPanelView::WIDTH_FORM); $panel->appendChild('<h1>Forgot Password / Email Login</h1>'); $panel->appendChild($email_auth); return $this->buildStandardPageResponse(array($error_view, $panel), array('title' => 'Create New Account')); }
public function processRequest() { $request = $this->getRequest(); if ($request->getUser()->getPHID()) { // Kick the user out if they're already logged in. return id(new AphrontRedirectResponse())->setURI('/'); } if ($request->isConduit()) { // A common source of errors in Conduit client configuration is getting // the request path wrong. The client will end up here, so make some // effort to give them a comprehensible error message. $request_path = $this->getRequest()->getPath(); $conduit_path = '/api/<method>'; $example_path = '/api/conduit.ping'; $message = "ERROR: You are making a Conduit API request to '{$request_path}', " . "but the correct HTTP request path to use in order to access a " . "Conduit method is '{$conduit_path}' (for example, " . "'{$example_path}'). Check your configuration."; return id(new AphrontPlainTextResponse())->setContent($message); } $error_view = null; if ($request->getCookie('phusr') && $request->getCookie('phsid')) { // The session cookie is invalid, so clear it. $request->clearCookie('phusr'); $request->clearCookie('phsid'); $error_view = new AphrontErrorView(); $error_view->setTitle('Invalid Session'); $error_view->setErrors(array("Your login session is invalid. Try logging in again. If that " . "doesn't work, clear your browser cookies.")); } $next_uri = $this->getRequest()->getPath(); if ($next_uri == '/login/') { $next_uri = '/'; } if (!$request->isFormPost()) { $request->setCookie('next_uri', $next_uri); } $password_auth = PhabricatorEnv::getEnvConfig('auth.password-auth-enabled'); $forms = array(); $errors = array(); if ($password_auth) { $require_captcha = false; $e_captcha = true; $username_or_email = $request->getCookie('phusr'); if ($request->isFormPost()) { if (AphrontFormRecaptchaControl::isRecaptchaEnabled()) { $failed_attempts = PhabricatorUserLog::loadRecentEventsFromThisIP(PhabricatorUserLog::ACTION_LOGIN_FAILURE, 60 * 15); if (count($failed_attempts) > 5) { $require_captcha = true; if (!AphrontFormRecaptchaControl::processCaptcha($request)) { if (AphrontFormRecaptchaControl::hasCaptchaResponse($request)) { $e_captcha = 'Invalid'; $errors[] = 'CAPTCHA was not entered correctly.'; } else { $e_captcha = 'Required'; $errors[] = 'Too many login failures recently. You must ' . 'submit a CAPTCHA with your login request.'; } } } } $username_or_email = $request->getStr('username_or_email'); $user = id(new PhabricatorUser())->loadOneWhere('username = %s', $username_or_email); if (!$user) { $user = id(new PhabricatorUser())->loadOneWhere('email = %s', $username_or_email); } if (!$errors) { // Perform username/password tests only if we didn't get rate limited // by the CAPTCHA. if (!$user || !$user->comparePassword($request->getStr('password'))) { $errors[] = 'Bad username/password.'; } } if (!$errors) { $session_key = $user->establishSession('web'); $request->setCookie('phusr', $user->getUsername()); $request->setCookie('phsid', $session_key); $uri = new PhutilURI('/login/validate/'); $uri->setQueryParams(array('phusr' => $user->getUsername())); return id(new AphrontRedirectResponse())->setURI((string) $uri); } else { $log = PhabricatorUserLog::newLog(null, $user, PhabricatorUserLog::ACTION_LOGIN_FAILURE); $log->save(); $request->clearCookie('phusr'); $request->clearCookie('phsid'); } } if ($errors) { $error_view = new AphrontErrorView(); $error_view->setTitle('Login Failed'); $error_view->setErrors($errors); } $form = new AphrontFormView(); $form->setUser($request->getUser())->setAction('/login/')->appendChild(id(new AphrontFormTextControl())->setLabel('Username/Email')->setName('username_or_email')->setValue($username_or_email))->appendChild(id(new AphrontFormPasswordControl())->setLabel('Password')->setName('password')->setCaption('<a href="/login/email/">' . 'Forgot your password? / Email Login</a>')); if ($require_captcha) { $form->appendChild(id(new AphrontFormRecaptchaControl())->setError($e_captcha)); } $form->appendChild(id(new AphrontFormSubmitControl())->setValue('Login')); // $panel->setCreateButton('Register New Account', '/login/register/'); $forms['Phabricator Login'] = $form; } $providers = PhabricatorOAuthProvider::getAllProviders(); foreach ($providers as $provider) { $enabled = $provider->isProviderEnabled(); if (!$enabled) { continue; } $auth_uri = $provider->getAuthURI(); $redirect_uri = $provider->getRedirectURI(); $client_id = $provider->getClientID(); $provider_name = $provider->getProviderName(); $minimum_scope = $provider->getMinimumScope(); $extra_auth = $provider->getExtraAuthParameters(); // TODO: In theory we should use 'state' to prevent CSRF, but the total // effect of the CSRF attack is that an attacker can cause a user to login // to Phabricator if they're already logged into some OAuth provider. This // does not seem like the most severe threat in the world, and generating // CSRF for logged-out users is vaugely tricky. if ($provider->isProviderRegistrationEnabled()) { $title = "Login or Register with {$provider_name}"; $body = 'Login or register for Phabricator using your ' . phutil_escape_html($provider_name) . ' account.'; $button = "Login or Register with {$provider_name}"; } else { $title = "Login with {$provider_name}"; $body = 'Login to your existing Phabricator account using your ' . phutil_escape_html($provider_name) . ' account.<br /><br />' . '<strong>You can not use ' . phutil_escape_html($provider_name) . ' to register a new ' . 'account.</strong>'; $button = "Login with {$provider_name}"; } $auth_form = new AphrontFormView(); $auth_form->setAction($auth_uri)->addHiddenInput('client_id', $client_id)->addHiddenInput('redirect_uri', $redirect_uri)->addHiddenInput('scope', $minimum_scope); foreach ($extra_auth as $key => $value) { $auth_form->addHiddenInput($key, $value); } $auth_form->setUser($request->getUser())->setMethod('GET')->appendChild('<p class="aphront-form-instructions">' . $body . '</p>')->appendChild(id(new AphrontFormSubmitControl())->setValue("{$button} »")); $forms[$title] = $auth_form; } $panel = new AphrontPanelView(); $panel->setWidth(AphrontPanelView::WIDTH_FORM); foreach ($forms as $name => $form) { $panel->appendChild('<h1>' . $name . '</h1>'); $panel->appendChild($form); $panel->appendChild('<br />'); } return $this->buildStandardPageResponse(array($error_view, $panel), array('title' => 'Login')); }