From 043c7523acd6af5288191b15f746fc360b73ab40 Mon Sep 17 00:00:00 2001
From: Byron Jones
Date: Wed, 23 Sep 2015 11:54:41 +0800
Subject: Bug 1199087 - extend 2fa protection beyond login
---
 Bugzilla/MFA.pm | 39 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 37 insertions(+), 2 deletions(-)
(limited to 'Bugzilla/MFA.pm')
diff --git a/Bugzilla/MFA.pm b/Bugzilla/MFA.pm
index 5db38e55e..21f42fbfb 100644
--- a/Bugzilla/MFA.pm
+++ b/Bugzilla/MFA.pm
@@ -8,6 +8,8 @@ package Bugzilla::MFA;
 use strict;
+use Bugzilla::Token qw( issue_short_lived_session_token set_token_extra_data get_token_extra_data delete_token );
+
 sub new {
 my ($class, $user) = @_;
 return bless({ user => $user }, $class);
@@ -27,9 +29,42 @@ sub prompt {}
 # throws errors if code is invalid
 sub check {}
-# during-login verification
-sub check_login {}
+# verification
+
+sub verify_prompt {
+ my ($self, $event) = @_;
+ my $user = delete $event->{user} // Bugzilla->user;
+
+ # generate token and attach mfa data
+ my $token = issue_short_lived_session_token('mfa', $user);
+ set_token_extra_data($token, $event);
+
+ # trigger provider verification
+ my $token_field = $event->{postback}->{token_field} // 'mfa_token';
+ $event->{postback}->{fields}->{$token_field} = $token;
+ $self->prompt($event);
+ exit;
+}
+sub verify_check {
+ my ($self, $token) = @_;
+
+ # check token
+ my ($user_id) = Bugzilla::Token::GetTokenData($token);
+ my $user = Bugzilla::User->check({ id => $user_id, cache => 1 });
+
+ # mfa verification
+ $self->check(Bugzilla->input_params);
+
+ # return event data
+ my $event = get_token_extra_data($token);
+ delete_token($token);
+ if (!$event) {
+ print Bugzilla->cgi->redirect('index.cgi');
+ exit;
+ }
+ return $event;
+}
 # helpers
--
cgit v1.2.3-24-g4f1b
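Review bot: In `verify_check`, the `$user` loaded from the token is never used afterwards, so nothing in the visible lines ties the token's owner to `$self->{user}`, the account whose second factor `$self->check(...)` validates. Unless every caller enforces that binding, the token and the verified code can belong to different accounts; I would compare them before the MFA check, e.g. `ThrowUserError('<error_tag>') unless $user->id == $self->{user}->id;` (the error tag is a placeholder, use whatever error call this module already relies on). The other values returned by `GetTokenData` are discarded as well, so the token is not confirmed to carry the `'mfa'` label that `verify_prompt` passes to `issue_short_lived_session_token`; if the event data is among those return values, it should be checked too. Finally, `delete_token` runs only after `check` succeeds, so a failed code appears to leave the token usable for further attempts until it expires, which deserves a comment or an attempt limit if none exists elsewhere.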