From 043c7523acd6af5288191b15f746fc360b73ab40 Mon Sep 17 00:00:00 2001
From: Byron Jones
Date: Wed, 23 Sep 2015 11:54:41 +0800
Subject: Bug 1199087 - extend 2fa protection beyond login
---
 Bugzilla/Auth.pm | 38 +++++++++++++++++++++++++++++++-------
 1 file changed, 31 insertions(+), 7 deletions(-)
(limited to 'Bugzilla/Auth.pm')
diff --git a/Bugzilla/Auth.pm b/Bugzilla/Auth.pm
index a4f2dd9a9..b39bb827b 100644
--- a/Bugzilla/Auth.pm
+++ b/Bugzilla/Auth.pm
@@ -39,6 +39,8 @@ use Bugzilla::Auth::Login::Stack;
 use Bugzilla::Auth::Verify::Stack;
 use Bugzilla::Auth::Persist::Cookie;
 use Socket;
+use URI;
+use URI::QueryParam;
 sub new {
 my ($class, $params) = @_;
@@ -93,26 +95,48 @@ sub login {
 }
 $user->set_authorizer($self);
- # trigger multi-factor auth. once verified the provider calls mfa_verified()
+ # trigger multi-factor auth
 if ($self->{_info_getter}->{successful}->requires_verification
 && $user->mfa
 && !Bugzilla->sudoer
 && !i_am_webservice()
 ) {
- $user->mfa_provider->prompt({ user => $user, type => $type });
- exit;
+ my $params = Bugzilla->input_params;
+ my $cgi = Bugzilla->cgi;
+ my $uri = URI->new($cgi->self_url);
+ foreach my $param (qw( Bugzilla_remember Bugzilla_restrictlogin GoAheadAndLogIn )) {
+ $uri->query_param_delete($param);
+ }
+ $user->mfa_provider->verify_prompt({
+ user => $user,
+ type => $type,
+ reason => 'Logging in as ' . $user->identity,
+ restrictlogin => $params->{Bugzilla_restrictlogin},
+ remember => $params->{Bugzilla_remember},
+ url => $uri->as_string,
+ postback => {
+ action => 'token.cgi',
+ token_field => 't',
+ fields => {
+ a => 'mfa_l',
+ },
+ }
+ });
 }
 return $self->_handle_login_result($login_info, $type);
 }
 sub mfa_verified {
- my ($self, $user, $type) = @_;
+ my ($self, $user, $event) = @_;
 require Bugzilla::Auth::Login::CGI;
+
+ my $params = Bugzilla->input_params;
 $self->{_info_getter}->{successful} = Bugzilla::Auth::Login::CGI->new();
- $self->_handle_login_result({ user => $user }, $type);
- print Bugzilla->cgi->redirect('index.cgi');
- exit;
+ $params->{Bugzilla_restrictlogin} = $event->{restrictlogin};
+ $params->{Bugzilla_remember} = $event->{remember};
+
+ $self->_handle_login_result({ user => $user }, $event->{type});
 }
 sub successful_info_getter {
-- cgit v1.2.3-24-g4f1b
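Review bot: In login(), the MFA branch no longer ends the request itself: with `exit;` removed after the prompt call, control reaches `return $self->_handle_login_result($login_info, $type);` whenever `verify_prompt` returns, which would complete the login without the second factor. `verify_prompt` is not shown in this hunk and presumably renders the prompt and exits, but the gate then rests on an unstated contract of every MFA provider; I would keep an explicit `exit;` after the `verify_prompt({...});` call, or at least add `# verify_prompt() must not return; falling through here would log the user in without MFA`. Separately, the `foreach` strips only `Bugzilla_remember`, `Bugzilla_restrictlogin` and `GoAheadAndLogIn` from `$cgi->self_url`; if `Bugzilla_login` or `Bugzilla_password` are still in the CGI object at this point (not visible here), they would be carried in the `url` handed to the provider, so that is worth confirming. The body of login() starts above the hunk.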