The current implementation of OATHUserRepository::persist() causes every
key to get a new ID when it's saved. This, combined with ::removeKey()
which compares keys by ID, means that using recovery codes to disable
TOTP is broken since TOTPKey calls persist() to mark the code as saved
just before the key is deleted.
In this patch I've chosen to add a new ::updateKey() method instead of
fixing ::persist(). This is more in line with the other new APIs in
OATHUserRepository (namely ::createKey() and ::removeKey()), and is
something I've been planning to do eventually - this bug just made that
a bit more urgent. ::persist() should be dropped once WebAuthn has been
updated too.
Tests are also updated - OATHUserRepositoryTest now updates the key
before deleting it and there's a new TOTPDisableFormTest to test the
entire disabling process.
Bug: T363548
Change-Id: I86ddc8e5bfc9cf74c587ffdff523f559c5a3c08c
(cherry picked from commit 0dad2c7031)
It's useful to have the user central ID available in various places, for
example when caching used tokens to prevent replay attacks, and since
OATHUserRepository has to look it up anyway let's just store it from
there instead of looking it up again.
Change-Id: Ifb896feb7c70af638c14301511d067f24e35d6c2
We want to customize the message depending on the number of active
devices, for example "an authentication device was removed" vs
"two-factor has been disabled".
Bug: T353962
Change-Id: Iaeb119a7cc6c264c4e49edeb3a88453786547021
This means that when keys will be ID-aware, a key object can be
immutable (instead of creating it without an ID and adding it in
persist()).
Change-Id: Ie1286ed71871dcedb2bd7d8d373f944be6691064
* Don't use namespace on already imported Manager class
* Fix oauth mention to oathauth
Follows-Up: I6aa69c089340434737b55201b80398708a70c355
Change-Id: Id43fc3cffee589c6d04281edeb778c011dfecda4
To do the migration we need to ensure that a single user has rows in
either the old oathauth_users table, or the new oauthauth_devices table,
but not in both.
Also add a missing startAtomic/endAtomic.
Bug: T242031
Change-Id: Ib0d42370b7206ff031873182c3fd957449656de8
This adds new database tables to support storing multiple authentication
factors for a single user. The current approach taken is to use a single
database row per 2fa method and key. The current module/key abstraction
will have to be updated to support having multiple module types for a
single user (for example for having a separate module for recovery
codes), but this patch does not address that and instead keeps the
existing limitations, however the needed updates for that should be
doable with this database schema.
I've decided to add a new table instead of modifying the existing
oathauth_users table. This is mainly because adding an auto_increment
column to the existing table would be difficult, but also allows us to
update the table definition to follow MW conventions (namely the column
name prefixes). I've also used the opportunity to normalize the device
types onto a separate table.
The migration stage variable is set to SCHEMA_COMPAT_NEW so that
third-party wikis can use update.php normally and don't have to adjust
anything. This means that it needs to be manually set to _OLD on
wmf-config before merging this patch.
Since we're already working with the database schema, this add a new,
currently unused column for the creation data, so that T242847 will not
require a new schema change.
Bug: T242031
Bug: T242847
Change-Id: I6aa69c089340434737b55201b80398708a70c355
This new service is separated from the previous OATHAuth class to give
the service a more accurate name. Also removed unnecessary injected
services and do some other minor cleanup.
Change-Id: I8d5fbc7594b69168dc0c8bfade1ac172a5aeef6f
This reverts commit 6898d6ba93.
Reason for revert: the transition is apparently not completed yet
Bug: T305029
Change-Id: Ie5079b25bf4403da7bbe9aaa927f40190904bf20
Migration is handled by UpdateTables::switchTOTPToMultipleKeys()
The transition has been completed at WMF as well.
Bug: T304375
Change-Id: I0e6d30075dfbd66d692cd8a5e3f7c9ebf44bc065
The migration from `oathauth_users.secret` to `oathauth_users.module`
was added in I71286534d21d950834. It resides now in the UpdateTables
class, which runs from the LoadExtensionSchemaUpdates hook.
The transition has been completed at WMF as well.
Bug: T304375
Change-Id: I5fa88704c6da2ae2679a19e0c5a2cfe7f3bf5f50
This reverts commit 6f37618f4f.
We are later calling isLegacy and that is checking whether
'secret' is set, but due to the change in the select,
'secret' is never set, breaking the functionality of isLegacy().
Change-Id: Ic2c53dca6d1b1608192a5722408f157505187092
...instead of `SELECT *`, in anticipation of future schema changes.
Notably, we didn't need to select the `id` field, since we don't ever
use it (spotted by Thiemo!).
Change-Id: I1089199bdad70401684377d88877eccc689427f9
Notify users when 2FA is disabled on their account in case something was
fishy about it. This notification is a "system" notification that will
be displayed in the web UI and sent over email. It can't be opted out of
as a preference.
The notification links to Special:Preferences, where users can see their
2FA status and re-enable it if they want. A secondary help link goes to
[[mw:Help:Two-factor authentication]], but can be overridden by
adjusting the "oathauth-notifications-disable-helplink" message. The
notification text is different based on whether the user disabled 2FA on
their own, or an admin used the special page or a maint script to do it.
On Wikimedia wikis, we'll use the WikimediaMessages extension to
customize the messages.
The Echo (Notifications) extension is not required, this will gracefully
do nothing if it's not enabled.
Bug: T210075
Bug: T210963
Change-Id: I99077ea082b8483cc4fd77573a0d00fa98201f15
The following sniffs are failing and were disabled:
* MediaWiki.Commenting.FunctionComment.MissingDocumentationPrivate
* MediaWiki.Commenting.FunctionComment.MissingParamName
* MediaWiki.Commenting.FunctionComment.MissingParamTag
* MediaWiki.Commenting.FunctionComment.MissingReturn
Additional changes:
* Also sorted "composer fix" command to run phpcbf last.
Change-Id: Idb1b91244e653b2ba2e27bceb3eba769577124a9
