wikimedia/mediawiki-extensions-OATHAuth

Fork 0

mirror of https://gerrit.wikimedia.org/r/mediawiki/extensions/OATHAuth synced 2024-11-13 18:16:56 +00:00

Commit graph

Author	SHA1	Message	Date
Bryan Davis	a6b60d2465	Apply rate limits to all token verifications Extend the token validation failure checks introduced in I4884f6e to the other interactions where OATHAuthKey::verifyToken is used. Depends-On: Ia3add8bbbab0307f036e9b77e752c382da3a0d04 Change-Id: Icbe5cdf561c683dc971a099d61cedff311b26b43	2016-10-07 17:24:32 -07:00
Bryan Davis	36c523ab23	Add an api action to validate an OATH token Add a new internal action=oathvalidate Action API module that can be used to validate an OATH token collected from a user. Using the module requires the 'oathauth-api-all' permission introduced in I4884f6e. Attempts to call the action for a given user are rate limited to only allow 10 failures per minute using the new 'badoath' key. The check is primarily useful as an internal network service in an environment where MediaWiki and other applications are sharing the same backing authentication store (e.g. LDAP) and the non-MediaWiki applications would like to respect the OATH protections enabled on the MediaWiki install. Complete usage in an LDAP shared auth environment would look something like: * Authenticate a user with the LDAP server via auth-bind * Call action=query&meta=oath as a privileged user to check for OATH protection. * If OATH is active for the account, prompt the user for their current OATH token. * Call action=oathvalidate as a privileged user to validate the token. * If validation succeeds, complete authentication. * If validation fails, do not authenticate the user. Bug: T144712 Change-Id: I1b18d9f3b99364fc47c760bdfc2047c1cbb5c04a	2016-10-07 16:55:50 -07:00
Bryan Davis	766e18bca1	Add a query meta api option to check for OATH Add a new internal action=query&meta=oath Action API module that can be used to check for OATH protection on a given user account. Using the module requires a new 'oathauth-api-all' permission which is not granted to any group by default. The permission is also added to the new 'oath' grant so that it can be used via OAuth and bot passwords. Use of this API is security sensitive and should not be granted lightly. Configuring a special 'oathauth' user group to grant the needed 'oathauth-api-all' permission is recommended. This check is primarily useful as an internal network service in an environment where MediaWiki and other applications are sharing the same backing authentication store (e.g. LDAP) and the non-MediaWiki applications would like to respect the OATH protections enabled on the MediaWiki install. Bug: T144712 Change-Id: I4884f6efdfa42db82c25eadb70c7aefa98c370e9	2016-10-07 12:10:18 -07:00

Author

SHA1

Message

Date

Bryan Davis

a6b60d2465

Apply rate limits to all token verifications

Extend the token validation failure checks introduced in I4884f6e to the
other interactions where OATHAuthKey::verifyToken is used.

Depends-On: Ia3add8bbbab0307f036e9b77e752c382da3a0d04
Change-Id: Icbe5cdf561c683dc971a099d61cedff311b26b43

2016-10-07 17:24:32 -07:00

Bryan Davis

36c523ab23

Add an api action to validate an OATH token

Add a new internal action=oathvalidate Action API module that can be
used to validate an OATH token collected from a user. Using the module
requires the 'oathauth-api-all' permission introduced in I4884f6e.

Attempts to call the action for a given user are rate limited to only
allow 10 failures per minute using the new 'badoath' key.

The check is primarily useful as an internal network service in an
environment where MediaWiki and other applications are sharing the same
backing authentication store (e.g. LDAP) and the non-MediaWiki
applications would like to respect the OATH protections enabled on the
MediaWiki install.

Complete usage in an LDAP shared auth environment would look something
like:
* Authenticate a user with the LDAP server via auth-bind
* Call action=query&meta=oath as a privileged user to check for OATH
  protection.
* If OATH is active for the account, prompt the user for their current
  OATH token.
* Call action=oathvalidate as a privileged user to validate the token.
* If validation succeeds, complete authentication.
* If validation fails, do not authenticate the user.

Bug: T144712
Change-Id: I1b18d9f3b99364fc47c760bdfc2047c1cbb5c04a

2016-10-07 16:55:50 -07:00

Bryan Davis

766e18bca1

Add a query meta api option to check for OATH

Add a new internal action=query&meta=oath Action API module that can be
used to check for OATH protection on a given user account. Using the
module requires a new 'oathauth-api-all' permission which is not granted
to any group by default. The permission is also added to the new
'oath' grant so that it can be used via OAuth and bot passwords.

Use of this API is security sensitive and should not be granted lightly.
Configuring a special 'oathauth' user group to grant the needed
'oathauth-api-all' permission is recommended.

This check is primarily useful as an internal network service in an
environment where MediaWiki and other applications are sharing the same
backing authentication store (e.g. LDAP) and the non-MediaWiki
applications would like to respect the OATH protections enabled on the
MediaWiki install.

Bug: T144712
Change-Id: I4884f6efdfa42db82c25eadb70c7aefa98c370e9

2016-10-07 12:10:18 -07:00

3 commits