mediawiki-extensions-OATHAuth/maintenance/disableOATHAuthForUser.php

<?php

use MediaWiki\Extension\OATHAuth\OATHAuthServices;
use MediaWiki\MediaWikiServices;
use MediaWiki\Session\SessionManager;

if ( getenv( 'MW_INSTALL_PATH' ) ) {
	$IP = getenv( 'MW_INSTALL_PATH' );
} else {
	$IP = __DIR__ . '/../../..';
}
require_once "$IP/maintenance/Maintenance.php";

class DisableOATHAuthForUser extends Maintenance {
	public function __construct() {
		parent::__construct();
		$this->addDescription( 'Remove all two-factor authentication devices from a specific user' );
		$this->addArg( 'user', 'The username to remove 2FA devices from.' );
		$this->requireExtension( 'OATHAuth' );
	}

	public function execute() {
		$username = $this->getArg( 0 );

		$user = MediaWikiServices::getInstance()->getUserFactory()
			->newFromName( $username );
		if ( $user === null || $user->getId() === 0 ) {
			$this->fatalError( "User $username doesn't exist!" );
		}

		$repo = OATHAuthServices::getInstance()->getUserRepository();
		$oathUser = $repo->findByUser( $user );
		if ( !$oathUser->isTwoFactorAuthEnabled() ) {
			$this->fatalError( "User $username does not have two-factor authentication enabled!" );
		}

		$repo->removeAll( $oathUser, 'Maintenance script', false );
		// Kill all existing sessions.
		// If this request to disable 2FA was social-engineered by an attacker,
		// the legitimate user will hopefully log in again to the wiki, and notice that the second factor
		// is missing or different, and alert the operators.
		SessionManager::singleton()->invalidateSessionsForUser( $user );

		$this->output( "Two-factor authentication disabled for $username.\n" );
	}
}

$maintClass = DisableOATHAuthForUser::class;
require_once RUN_MAINTENANCE_IF_MAIN;
Add a maintenance script to disable oathauth for a username Change-Id: I230ce0eafc7576a84dd577dd594ed46236924688 2017-06-16 21:21:18 +00:00			`<?php`

Do not use Module when disabling OAuth for a user Bug: T242031 Change-Id: I4d4922b9e17d9272e59d6a8af3cb4e2acd48dd9f 2023-10-10 21:10:48 +00:00			`use MediaWiki\Extension\OATHAuth\OATHAuthServices;`
build: Updating mediawiki/mediawiki-codesniffer to 29.0.0 The following sniffs are failing and were disabled: * MediaWiki.Commenting.FunctionComment.MissingDocumentationPrivate * MediaWiki.Commenting.FunctionComment.MissingParamName * MediaWiki.Commenting.FunctionComment.MissingParamTag * MediaWiki.Commenting.FunctionComment.MissingReturn Additional changes: * Also sorted "composer fix" command to run phpcbf last. Change-Id: Idb1b91244e653b2ba2e27bceb3eba769577124a9 2020-01-14 08:27:29 +00:00			`use MediaWiki\MediaWikiServices;`
			`use MediaWiki\Session\SessionManager;`
Make disableOATHAuthForUser.php log out the affected user Bug: T189537 Change-Id: Ib8141aedd674ebbc7b103e1f2e8ba6bf99945b61 2018-11-21 03:55:17 +00:00
Add a maintenance script to disable oathauth for a username Change-Id: I230ce0eafc7576a84dd577dd594ed46236924688 2017-06-16 21:21:18 +00:00			`if ( getenv( 'MW_INSTALL_PATH' ) ) {`
			`$IP = getenv( 'MW_INSTALL_PATH' );`
			`} else {`
build: Updating mediawiki/mediawiki-codesniffer to 0.11.0 Change-Id: I9cb1df1c9c56bbcb26c9606f33949185ba0235a4 2017-08-11 04:08:50 +00:00			`$IP = __DIR__ . '/../../..';`
Add a maintenance script to disable oathauth for a username Change-Id: I230ce0eafc7576a84dd577dd594ed46236924688 2017-06-16 21:21:18 +00:00			`}`
			`require_once "$IP/maintenance/Maintenance.php";`

			`class DisableOATHAuthForUser extends Maintenance {`
Add method scope visibility Change-Id: I6f4d4acf4fcb4aab318ca217dd4e6185f383e27e 2018-11-02 10:26:41 +00:00			`public function __construct() {`
Add a maintenance script to disable oathauth for a username Change-Id: I230ce0eafc7576a84dd577dd594ed46236924688 2017-06-16 21:21:18 +00:00			`parent::__construct();`
Make Key objects aware of their database IDs Bug: T242031 Depends-On: I1db9b04a42783b8b64ed69f1f950c794c8659209 Change-Id: I0d8d0a42ce627387949dbbbb32fc318088b3538e 2023-01-31 09:42:52 +00:00			`$this->addDescription( 'Remove all two-factor authentication devices from a specific user' );`
			`$this->addArg( 'user', 'The username to remove 2FA devices from.' );`
Add a maintenance script to disable oathauth for a username Change-Id: I230ce0eafc7576a84dd577dd594ed46236924688 2017-06-16 21:21:18 +00:00			`$this->requireExtension( 'OATHAuth' );`
			`}`

			`public function execute() {`
			`$username = $this->getArg( 0 );`

Various minor cleanup Change-Id: Idbf84a1f49f1afbd2d3a342cedd72895c5378bc6 2023-10-10 21:42:36 +00:00			`$user = MediaWikiServices::getInstance()->getUserFactory()`
			`->newFromName( $username );`
			`if ( $user === null \|\| $user->getId() === 0 ) {`
disableOATHAuthForUser: Use fatalError Bug: T268303 Change-Id: I93474a87e4263edfb46dce80e7216ec74a94580c 2020-11-20 02:40:17 +00:00			`$this->fatalError( "User $username doesn't exist!" );`
Add a maintenance script to disable oathauth for a username Change-Id: I230ce0eafc7576a84dd577dd594ed46236924688 2017-06-16 21:21:18 +00:00			`}`

Do not use Module when disabling OAuth for a user Bug: T242031 Change-Id: I4d4922b9e17d9272e59d6a8af3cb4e2acd48dd9f 2023-10-10 21:10:48 +00:00			`$repo = OATHAuthServices::getInstance()->getUserRepository();`
Add a maintenance script to disable oathauth for a username Change-Id: I230ce0eafc7576a84dd577dd594ed46236924688 2017-06-16 21:21:18 +00:00			`$oathUser = $repo->findByUser( $user );`
Do not use Module when disabling OAuth for a user Bug: T242031 Change-Id: I4d4922b9e17d9272e59d6a8af3cb4e2acd48dd9f 2023-10-10 21:10:48 +00:00			`if ( !$oathUser->isTwoFactorAuthEnabled() ) {`
Make Key objects aware of their database IDs Bug: T242031 Depends-On: I1db9b04a42783b8b64ed69f1f950c794c8659209 Change-Id: I0d8d0a42ce627387949dbbbb32fc318088b3538e 2023-01-31 09:42:52 +00:00			`$this->fatalError( "User $username does not have two-factor authentication enabled!" );`
Add a maintenance script to disable oathauth for a username Change-Id: I230ce0eafc7576a84dd577dd594ed46236924688 2017-06-16 21:21:18 +00:00			`}`

Make Key objects aware of their database IDs Bug: T242031 Depends-On: I1db9b04a42783b8b64ed69f1f950c794c8659209 Change-Id: I0d8d0a42ce627387949dbbbb32fc318088b3538e 2023-01-31 09:42:52 +00:00			`$repo->removeAll( $oathUser, 'Maintenance script', false );`
Various minor cleanup Change-Id: Idbf84a1f49f1afbd2d3a342cedd72895c5378bc6 2023-10-10 21:42:36 +00:00			`// Kill all existing sessions.`
			`// If this request to disable 2FA was social-engineered by an attacker,`
			`// the legitimate user will hopefully log in again to the wiki, and notice that the second factor`
Make disableOATHAuthForUser.php log out the affected user Bug: T189537 Change-Id: Ib8141aedd674ebbc7b103e1f2e8ba6bf99945b61 2018-11-21 03:55:17 +00:00			`// is missing or different, and alert the operators.`
			`SessionManager::singleton()->invalidateSessionsForUser( $user );`

Make Key objects aware of their database IDs Bug: T242031 Depends-On: I1db9b04a42783b8b64ed69f1f950c794c8659209 Change-Id: I0d8d0a42ce627387949dbbbb32fc318088b3538e 2023-01-31 09:42:52 +00:00			`$this->output( "Two-factor authentication disabled for $username.\n" );`
Add a maintenance script to disable oathauth for a username Change-Id: I230ce0eafc7576a84dd577dd594ed46236924688 2017-06-16 21:21:18 +00:00			`}`
			`}`

Use ::class for class name resolution Available since php5.5 Change-Id: Ibb6c84372ac5b82099536fea304fcdefd3693f60 2019-03-03 01:05:56 +00:00			`$maintClass = DisableOATHAuthForUser::class;`
Add a maintenance script to disable oathauth for a username Change-Id: I230ce0eafc7576a84dd577dd594ed46236924688 2017-06-16 21:21:18 +00:00			`require_once RUN_MAINTENANCE_IF_MAIN;`