13 commits

Author SHA1 Message Date
Taavi Väänänen 2832e97046 Fix disabling TOTP keys with scratch tokens
The current implementation of OATHUserRepository::persist() causes every
key to get a new ID when it's saved. This, combined with ::removeKey()
which compares keys by ID, means that using recovery codes to disable
TOTP is broken since TOTPKey calls persist() to mark the code as saved
just before the key is deleted.

In this patch I've chosen to add a new ::updateKey() method instead of
fixing ::persist(). This is more in line with the other new APIs in
OATHUserRepository (namely ::createKey() and ::removeKey()), and is
something I've been planning to do eventually - this bug just made that
a bit more urgent. ::persist() should be dropped once WebAuthn has been
updated too.

Tests are also updated - OATHUserRepositoryTest now updates the key
before deleting it and there's a new TOTPDisableFormTest to test the
entire disabling process.

Bug: T363548
Change-Id: I86ddc8e5bfc9cf74c587ffdff523f559c5a3c08c
(cherry picked from commit 0dad2c7031)
2024-04-26 18:11:56 +00:00
Taavi Väänänen c6a621d31c
Make the TOTP disable form only remove that single key
Bug: T242031
Change-Id: Iad07292cc96537e8ebd72da65e8f1e922cba3eca
2024-03-02 18:53:00 +02:00
Umherirrender 2222799fa4 Stop writing to tablesUsed in tests
Bug: T351733
Change-Id: I0cefa7108296cbf2cd6221d2457396ab30a320fa
2024-01-20 12:38:26 +01:00
Taavi Väänänen 370452d05b TOTPKey: Drop newFromString
Only used in tests.

Change-Id: I4eb020eb507d5342e4e5ab8f92bf1ee22db0056b
2024-01-11 16:19:14 +00:00
Taavi Väänänen c240ec5d7f
Add test for user repository
Change-Id: Iabd052ca2b6264254f6750b14e04df9923e732c0
2024-01-08 11:53:54 +02:00
Taavi Väänänen 033f9192ee
Migrate callers of Database::insert() to InsertQueryBuilder
Bug: T351905
Change-Id: I298f3807b68d042b2fa92bca789dd6a2b271d4c8
2023-12-06 07:40:53 -08:00
Taavi Väänänen 94782641cf
Convert to a virtual domain
Bug: T348484
Change-Id: I1ab23dfdf32e6965cac4e6c5736abbbf606c1c92
2023-12-06 07:08:10 -08:00
Umherirrender 6089abf1cb tests: Use static provider in TOTPAuthenticationRequestTest
Shows up a deprecation message

Follow-Up: I5ff35ad0e894f0a27beae00257dc1fc599ad518d
Change-Id: Ibd0184ab7f30898e9415400051413b3b7f9dde53
2023-05-19 22:27:12 +02:00
Taavi Väänänen 6ef3d2418a
Database-level support for multiple auth devices
This adds new database tables to support storing multiple authentication
factors for a single user. The current approach taken is to use a single
database row per 2fa method and key. The current module/key abstraction
will have to be updated to support having multiple module types for a
single user (for example for having a separate module for recovery
codes), but this patch does not address that and instead keeps the
existing limitations; however, the needed updates for that should be
doable with this database schema.

I've decided to add a new table instead of modifying the existing
oathauth_users table. This is mainly because adding an auto_increment
column to the existing table would be difficult, but also allows us to
update the table definition to follow MW conventions (namely the column
name prefixes). I've also used the opportunity to normalize the device
types onto a separate table.

The migration stage variable is set to SCHEMA_COMPAT_NEW so that
third-party wikis can use update.php normally and don't have to adjust
anything. This means that it needs to be manually set to _OLD on
wmf-config before merging this patch.

Since we're already working with the database schema, this adds a new,
currently unused column for the creation data, so that T242847 will not
require a new schema change.

Bug: T242031
Bug: T242847
Change-Id: I6aa69c089340434737b55201b80398708a70c355
2023-02-24 15:33:00 +02:00
libraryupgrader 7a07d22494 build: Updating dependencies
composer:
* mediawiki/mediawiki-phan-config: 0.11.1 → 0.12.0
* php-parallel-lint/php-console-highlighter: 0.5.0 → 1.0.0
* php-parallel-lint/php-parallel-lint: 1.3.1 → 1.3.2

npm:
* grunt: 1.4.0 → 1.5.3
* grunt-banana-checker: 0.9.0 → 0.10.0
* grunt-eslint: 23.0.0 → 24.0.0
* async: 3.2.0 → 3.2.4
  * https://github.com/advisories/GHSA-fwr7-v2mv-hh25
* minimatch: 3.0.4 → 3.0.8
  * https://github.com/advisories/GHSA-f8q6-p94x-37v3
* minimist: 1.2.5 → 1.2.7
  * https://github.com/advisories/GHSA-xvch-5gv4-984h
* nanoid: 3.1.25 → 3.3.4
  * https://github.com/advisories/GHSA-qrpm-p2h7-hrv2

Additional changes:
* Set `name` in package.json.

Change-Id: I76d70ca68b385b44e647cdbebd1a3e473f3fb566
2022-11-11 21:53:17 +00:00
Kunal Mehta ba39a4dfa8 Add basic tests for TOTPKey
Mostly I wanted to add tests for verifying serialization and
deserialization, since that's what I modify in my next commit.

Change-Id: I8223f2e3e1b3ce79afc8c5cd9ca4afe6d418abf9
2022-02-27 23:01:58 -08:00
rvogel b9f768e20a Refactor includes to src #2
Bug: T218210

Change-Id: I079e6e819c079b68bbfecdac0d873b26d4e16e86
2019-07-04 13:36:13 +00:00
Gergő Tisza 563796a98c Update for AuthManager
Handling enabling/disabling via AuthManager is left to a separate
patch.

Bug: T110457
Change-Id: Ic492b8f2477c475f8414b61505139e9a1df2ba5b
2016-05-31 19:38:41 +00:00