Commit graph

55 commits

Author SHA1 Message Date
MarcoAurelio da8f0445f8 Fix typo: s/to log/the log/
See e.g. `abusefilter-log` or `checkuser-log` for a similar wording.

Change-Id: Ibdc11631df71bab6f1a73d743189919e5b7e89ba
2023-03-28 18:00:52 +00:00
Kunal Mehta c896015a44 Allow filtering Special:Log/oath by action
Configure "ActionFilteredLogs" in extension.json to allow filtering
the oath log by its two actions, verify ("checking" in the UI) and
disable-other.

== Test plan ==
* Enable 2FA on your administrator account, use Special:VerifyOATHForUser
  and Special:VerifyOATHForUser to generate two log entries.
* Visit Special:Log/oath and use the new action selector, testing each
  state to verify the correct set of logs are shown.
* Screenshots showing this testing are posted at T310487#7999991.

Bug: T310487
Change-Id: I10632c86689e330b21b44a096b098436ebe47e3e
2022-06-13 14:28:22 -04:00
Reedy b5a762d7fe Rename oauthauth-ui-no-module
Change-Id: I23a05cd04756b87d0a97db32ddedc1ea8af0c1b7
2022-04-02 21:39:07 +00:00
Reedy 16bc5d7168 Send a notification when 2FA is enabled
Bug: T301987
Change-Id: I0fe32b735e34753442ec9811ea41d15b76999d87
2022-02-24 00:39:37 +00:00
Kunal Mehta 329c3133d6 Send a notification when 2FA is disabled
Notify users when 2FA is disabled on their account in case something was
fishy about it. This notification is a "system" notification that will
be displayed in the web UI and sent over email. It can't be opted out of
as a preference.

The notification links to Special:Preferences, where users can see their
2FA status and re-enable it if they want. A secondary help link goes to
[[mw:Help:Two-factor authentication]], but can be overridden by
adjusting the "oathauth-notifications-disable-helplink" message. The
notification text is different based on whether the user disabled 2FA on
their own, or an admin used the special page or a maint script to do it.

On Wikimedia wikis, we'll use the WikimediaMessages extension to
customize the messages.

The Echo (Notifications) extension is not required, this will gracefully
do nothing if it's not enabled.

Bug: T210075
Bug: T210963
Change-Id: I99077ea082b8483cc4fd77573a0d00fa98201f15
2022-02-17 00:14:20 -08:00
Kunal Mehta 498dcfeb80 Require OATHAuth for membership in specified user groups
Users in groups listed in $wgOATHRequiredForGroups (default none) must
have two-factor authentication enabled otherwise their membership in
those groups will be disabled. This is done using the
UserEffectiveGroups hook, which allows dynamically adding or removing
user groups.

If a user doesn't have 2FA enabled, it will appear to them as if they
aren't a member of the group at all. Special:Preferences will show which
groups are disabled. In the future it would be good to have a hook into
PermissionsError to show this as well. The UserGetRights hook is used to
ensure the user still has the "oathauth-enable" user right in case it
was only granted to them as part of the user group they are disabled
from.

On the outside, Special:ListUsers will still show the user as a member
of the group. The API list=users&prop=groups|groupmemberships will show
inconsistent informaiton, groups will remove disabled groups while
groupmemberships will not.

This functionality was somewhat already available with
$wgOATHExclusiveRights, except that implementation has flaws outlined at
T150562#6078263 and haven't been resolved in I69af6a58e4 for over a year
now. If this works out, it's expected that will be deprecated/removed.

Bug: T150562
Change-Id: I07ebddafc6f2233ccec216fa8ac6e996553499fb
2022-02-14 00:47:20 -08:00
Martin Urbanec cab4f104c9 [i18n] Add a period to "oathauth-disable-method-warning"
Sentences usually end with a period.

Bug: T261597
Change-Id: I85c3378cef65b2ce5d7ced90d8a1108f814c1794
2020-10-09 19:03:42 +00:00
DannyS712 635fba26b7 Add missing message verifyoathforuser
Bug: T209749
Change-Id: I0494dc670db9cd05fd0646b97a96618c84d6e1e2
2020-05-23 15:26:46 +00:00
DannyS712 130e649191 Add Special:VerifyOATHForUser to check if users have OATH enabled
Bug: T209749
Change-Id: Idbac3940b36ce21a0b40044482514a28c5fbd45f
2020-04-22 00:47:22 +00:00
zoranzoki21 e1d6ac5053 Add missing oathauth-module-invalid message
Bug: T228269
Change-Id: I7f3ceaf27cb13bbf1acc0e7784f405fef35e3001
2019-11-09 18:17:43 +00:00
Dejan Savuljesku 920136e67b Do not store proper objects in session data
Bug: T233146
Change-Id: I2f75261b276993d27f6c96e066ea7769cf7fc082
2019-10-16 13:04:49 +02:00
Dejan Savuljesku 8ca4dabd70 Add warning page before method gets disabled
- When explictly disabling a method
- When method is implicity disabled if user switches to another method

Bug: T232008
Change-Id: I97a96ca7c1935ecb3a81aea35f607b8ff9f8817d
2019-09-28 16:22:41 +00:00
Dejan Savuljesku 630a17da01 UI upgrade
Help messages for 2FA in general and for TOTP module are taken from Wikipedia.
Those could probably be improved, any suggestions are welcome

Bug: T218214
Bug: T226056
Change-Id: Ifc81a3c0e1adc9f6d0d49e7eee086714fc2c0f81
2019-08-29 10:38:10 +00:00
jenkins-bot cfe1f744e8 Merge "Remove orphaned oathauth-ui-error-page-no-module message" 2019-07-31 15:50:51 +00:00
Dejan Savuljesku 6c09ac0c53 Allow revocation of user rights if 2FA isn't enabled on an account
Bug: T199118
Bug: T218215

Change-Id: I7036dd0d95598b90654a1fcf3130c6bdc6b635b4
2019-07-31 13:36:33 +00:00
Reedy cbda0da987 Remove orphaned oathauth-ui-error-page-no-module message
Bug: T226058
Change-Id: I9c846ac57576b8d357d25cb7462ba27638c679c4
2019-07-31 14:29:38 +01:00
MarcoAurelio f24600d153 Add final dot to oathauth-auth-ui
This is the message that displays right after successfully
introducing username and password. It appears standalone in
a box and misses the final dot.

Change-Id: I7911bb0f9c2ab30756ff53d96d6bda3df6e822b0
2019-07-20 10:13:52 +00:00
Amir Aharoni 53251f752c Split apihelp messages to a separate file
Bug: T189982
Change-Id: I04f84c10c99de9bdd5d7b9828e852615488328db
2019-07-04 20:09:00 +01:00
rvogel b9f768e20a Refactor includes to src #2
Bug: T218210

Change-Id: I079e6e819c079b68bbfecdac0d873b26d4e16e86
2019-07-04 13:36:13 +00:00
rvogel b04722a1eb Rework the way user interacts with 2FA settings
Bug: T218210

Change-Id: Iaa6f6ae1c25f47ef43a0e6467474284d89a7a213
2019-07-04 12:45:27 +00:00
Dejan Savuljesku ea984e5c2b Refactor the extension to support multiple auth modules
Please note, this patch requires a schema change before merging

Change-Id: I71286534d21d95083436d64d79811943c1a1d032
ERM: #14484
Bug: T218210
2019-06-18 10:45:21 +00:00
Amir Aharoni c45d9c35aa Add the possessive apostrophe
If I understand correctly, the messages is about the
"two-factor authentication status of users", so it should
be written as possessive.

Change-Id: I084029d6cdf6288b904f22e9ed2e098a42dbefb0
2019-04-14 13:05:55 +03:00
Reedy f7ab8e724e Add action-oathauth-disable-for-user
Bug: T220778
Change-Id: I5097d0c294e11502a6dbc8be25eee5c98138025f
2019-04-12 14:10:03 +01:00
Amir Sarabadani 808df6dc55 Add private logging when user disables 2fa for someone else
It's better that we add for when someone enables or disables for self too
But that can be done in a follow-up patch

Bug: T180896
Change-Id: Ic173ebb7e39d22e40fea23c2b906d246adef1e05
2019-04-12 12:10:43 +00:00
MarcoAurelio 40c119c172 Add missing 'oathauth-user-not-found' i18n key
Follow-up on Ibd2f5339.

Bug: T216415
Change-Id: Id3ac2a9d8f9f9275ab8d8bf0d408a11fbc070fec
2019-04-04 23:15:53 +00:00
mnavya 5ec38a027b Added missing disableoathforuser message
Bug: T216411
Change-Id: I86080005a0fbef6cd903989f4d2a0bf513c592a5
2019-03-03 14:37:13 +00:00
Amir Sarabadani a95802a14e Add SpecialDisableOATHForUser
Bug: T195207
Change-Id: I695a376e15e8a95a02849a6ec67b882228852ef8
2018-10-26 14:52:44 +00:00
Framawiki 54d9f77666 Oathauth-step1-test misses a final dot
Bug: T200021
Change-Id: I2fd1c34d38f6a01fd23046bfc54aec65493f7c68
2018-07-19 17:45:23 +02:00
Quiddity 3484f21dc3 Emphasize the warning that: These tokens will never be shown again
Change-Id: Idb25f3ccd5cb2e9ed2297b2f1bbbc9830397ff4c
2018-03-01 23:29:31 +00:00
Brad Jorsch 6bbd9a5e6a API: Split description messages into summary + additional text
See MediaWiki core patch I778bab2b

Change-Id: I690766f4d7ed27ff40f62b6ce0ab9dea38de3f69
2017-06-09 11:59:25 -04:00
Derk-Jan Hartman ac30151bcf Don't allow scratch tokens when enrolling for 2 auth.
Validating with a scratch code is probably a "giant trap that newbies
could fall into".

Bug: T150824
Change-Id: I5710b151d7682e4cdb0b6a692f7b2c108f051caf
2017-05-15 13:16:29 +02:00
jenkins-bot 099224abee Merge "OathAuth: rename failedtovalidateoauth" 2017-05-10 15:18:44 +00:00
jenkins-bot 2e3c32cf84 Merge "OathAuth: remove message Oathauth-displayoathinfo" 2017-05-10 15:18:13 +00:00
Derk-Jan Hartman eabcc820a5 OathAuth: rename failedtovalidateoauth
Rename this key from failedtovalidateoauth to failedtovalidateoath
as it has nothing to do with OAuth

Bug: T151536
Change-Id: Ib34ef3dbdef8eda515748140960ef240e4990044
2017-04-26 21:00:13 +02:00
Derk-Jan Hartman 18a0c0174b More unused oathauth message keys
More message keys that became unused during various rewrite stages

Bug: T151536
Change-Id: Ic261ba73207793f3223227227d93624676290d3d
2017-04-26 17:15:29 +00:00
Derk-Jan Hartman 10b3b6557c OathAuth: remove message Oathauth-displayoathinfo
This message key was unused since change
I17ac042f5a5093b2c0b2ce8d088f95213d1c0509

Bug: T151604
Change-Id: Ic6686f34cf5dd3161d4d3df200b336c4eb5a3f83
2017-04-22 13:40:39 +02:00
Reedy 0f5772e7bd Remove SpecialOATHLogin.php as more AuthManager related cleanup
Change-Id: I9d7fd0a2da0e3e54bb5031d7e70769a2a27703c8
2017-04-01 16:51:41 +01:00
Umherirrender f338a1489e Rename api example message of oathvalidate
To make clear from the message name which module it belongs to, two
example messages should be renamed.

Change-Id: Idd329e77d5c7082eb8097309fb89f82c7a37cf68
2017-01-01 16:25:19 +01:00
Brad Jorsch 47d7c04496 Update for API error i18n
See Iae0e2ce3.

Change-Id: Ie30549363b079ea23d6eab5959d10ada8f74acdf
2016-12-10 00:26:48 +00:00
MarcoAurelio 628af8fad4 Replace references to mobile apps to more generic 'authentication device'
Desktop programs for TOTP authentication also exist, so lets replace
'mobile app' to more generic 'authentication device' to cover all of
them. Improvements on the wording are welcome.

Change-Id: Id19ac30dc7ac36616b8e00b1b4c9e95eec8afc06
2016-12-07 14:28:28 +00:00
MarcoAurelio a7ee83ece6 Typo fix
Change-Id: Idb28f4d1963ba7fa75496444d864a9e199e9b86e
2016-12-03 17:27:26 +00:00
MarcoAurelio 0ac5c0fb71 Make OATHAuth messages use consistent "two-factor authentication" wording
Bug: T150597
Change-Id: I0fed5a9b3fd747b6f2f71834c0bfe9dc88bbefb8
2016-11-17 11:19:11 +01:00
Reedy 8e70c98ed7 Rename openstackmanager- to oathauth-
Change-Id: If0378e0c0a3fc08de410be0d0e39273df1002391
2016-11-16 22:49:31 +00:00
Bryan Davis a6b60d2465 Apply rate limits to all token verifications
Extend the token validation failure checks introduced in I4884f6e to the
other interactions where OATHAuthKey::verifyToken is used.

Depends-On: Ia3add8bbbab0307f036e9b77e752c382da3a0d04
Change-Id: Icbe5cdf561c683dc971a099d61cedff311b26b43
2016-10-07 17:24:32 -07:00
Bryan Davis 36c523ab23 Add an api action to validate an OATH token
Add a new internal action=oathvalidate Action API module that can be
used to validate an OATH token collected from a user. Using the module
requires the 'oathauth-api-all' permission introduced in I4884f6e.

Attempts to call the action for a given user are rate limited to only
allow 10 failures per minute using the new 'badoath' key.

The check is primarily useful as an internal network service in an
environment where MediaWiki and other applications are sharing the same
backing authentication store (e.g. LDAP) and the non-MediaWiki
applications would like to respect the OATH protections enabled on the
MediaWiki install.

Complete usage in an LDAP shared auth environment would look something
like:
* Authenticate a user with the LDAP server via auth-bind
* Call action=query&meta=oath as a privileged user to check for OATH
  protection.
* If OATH is active for the account, prompt the user for their current
  OATH token.
* Call action=oathvalidate as a privileged user to validate the token.
* If validation succeeds, complete authentication.
* If validation fails, do not authenticate the user.

Bug: T144712
Change-Id: I1b18d9f3b99364fc47c760bdfc2047c1cbb5c04a
2016-10-07 16:55:50 -07:00
Bryan Davis 766e18bca1 Add a query meta api option to check for OATH
Add a new internal action=query&meta=oath Action API module that can be
used to check for OATH protection on a given user account. Using the
module requires a new 'oathauth-api-all' permission which is not granted
to any group by default. The permission is also added to the new
'oath' grant so that it can be used via OAuth and bot passwords.

Use of this API is security sensitive and should not be granted lightly.
Configuring a special 'oathauth' user group to grant the needed
'oathauth-api-all' permission is recommended.

This check is primarily useful as an internal network service in an
environment where MediaWiki and other applications are sharing the same
backing authentication store (e.g. LDAP) and the non-MediaWiki
applications would like to respect the OATH protections enabled on the
MediaWiki install.

Bug: T144712
Change-Id: I4884f6efdfa42db82c25eadb70c7aefa98c370e9
2016-10-07 12:10:18 -07:00
Gergő Tisza 563796a98c Update for AuthManager
Handling enabling/disabling via AuthManager is left to a separate
patch.

Bug: T110457
Change-Id: Ic492b8f2477c475f8414b61505139e9a1df2ba5b
2016-05-31 19:38:41 +00:00
csteipp 07f99656dc Fix i18n merge errors
Address comments by Raimond Spekking on
I39859cc59f1811de42b72f6167d332ea48812f97

Change-Id: Ib17f1a2f0e70e5fd286d7ea441b13f79da3743c5
2016-03-31 07:51:26 -07:00
Tyler Anthony Romeo 1a8006317d Move token login to separate page
Rather than have an extraneous form on the login page,
move the token input to a separate page. The actual
logic for logging in is identical, the only difference
is that the token is added to the form data on a second
page request.

Bug: 53195
Change-Id: I39859cc59f1811de42b72f6167d332ea48812f97
2016-03-29 16:02:54 -07:00
Tyler Romeo 4e9ad22469 Add user right for enabling two-factor auth
Make new right oathauth-enable that the user must have to enable two
factor authentication (disabling and logging in, of course, are still
allowed).

Bug: T100376
Change-Id: I18d43f8b2cf2c2ce9c2309a43961686498b5c999
2016-03-24 12:45:41 -07:00