Once a token is used, cache it in memcached
for a brief amount of time (specifically, until
the window in which it is valid ends). That way
once a token is used it cannot be re-used in
a replay attack.
Bug: 53196
Change-Id: I7b8e92875a573f3ac95e13c881ef85464bcecf85
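The replay guard described in the commit message above, sketched as an added example; this is not the extension's own code. `ReplayCache`, `hotp()`, `verifyOnce()` and the `oath:used:` key prefix are hypothetical names, the in-memory cache stands in for memcached, and the secret and clock values are constructed.

```php
<?php
// In-memory stand-in for memcached (assumption). add() behaves like an
// "add if absent" cache call: it stores only when the key is missing or
// expired, and reports whether it stored.
final class ReplayCache {
    private array $expiry = [];
    public function add(string $key, int $ttl, int $now): bool {
        if (isset($this->expiry[$key]) && $this->expiry[$key] > $now) {
            return false; // token already used inside its validity window
        }
        $this->expiry[$key] = $now + $ttl;
        return true;
    }
}

// RFC 4226 HOTP value for one counter; TOTP uses counter = floor(time / period).
function hotp(string $secret, int $counter, int $digits = 6): string {
    $hash = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $bin = unpack('N', substr($hash, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string)($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept a token at most once. $window is the number of periods tolerated
// on either side of the current one.
function verifyOnce(ReplayCache $cache, string $user, string $secret,
                    string $token, int $now, int $period = 30, int $window = 1): bool {
    $current = intdiv($now, $period);
    for ($c = max(0, $current - $window); $c <= $current + $window; $c++) {
        if (!hash_equals(hotp($secret, $c), $token)) {
            continue;
        }
        // First second at which counter $c is no longer accepted; the cache
        // entry only has to live until then.
        $validUntil = ($c + $window + 1) * $period;
        return $cache->add("oath:used:$user:$token", $validUntil - $now, $now);
    }
    return false; // token matches no counter in the window
}

// Constructed sample: fixed secret and fixed clock, same token presented twice.
$cache  = new ReplayCache();
$secret = '12345678901234567890';
$now    = 59;
$token  = hotp($secret, intdiv($now, 30));
var_dump(verifyOnce($cache, 'alice', $secret, $token, $now));     // first use
var_dump(verifyOnce($cache, 'alice', $secret, $token, $now + 5)); // replay
```

Against a real memcached the check and the store must be one atomic operation, which is what `Memcached::add()` with an expiration provides; a separate get followed by set would leave a race between two concurrent logins.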
* Removed use of deprecated core features
* Made code style fixes
* Made pass phpcs-strict
* Fixed special page aliases
Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6
Tokens are one-time passwords. There's no strong reason to mask
them, and listing the token as a password field screws up many password
managers.
Change-Id: Iaf5446d80ec61ddec2403554b527781ab26493b3
Warning: Missing argument 1 for OATHUser::regenerateScratchTokens(), called in
/var/www/wiki/mediawiki/extensions/OATHAuth/OATHUser.php on line 42 and defined
in /var/www/wiki/mediawiki/extensions/OATHAuth/OATHUser.php on line 56
Change-Id: I52a683f9680661df5d506e48d83509f35b145e26
Notice: Undefined variable: reset in /var/www/wiki/mediawiki/extensions/OATHAuth/OATHUser.php on line 61
Setting it to 3 has the effect of doing the LDAP first and then the token,
which fits the user model.
Order of boxes is Username, password, domain, token
These then have a tab index of 1, 2, 3, 2
Tabbing down takes you in the order username, password, token, labs, which is... irritating, to say the least!
Change-Id: Idabb70c963d16f2cd223c5d94e0211ccaf6fdedd