Commit graph

1481 commits

Author SHA1 Message Date
jenkins-bot 7c11b39942 Merge "Apply rate limits to all token verifications" 2016-10-12 00:07:35 +00:00
jenkins-bot 10ca80f08b Merge "Add an api action to validate an OATH token" 2016-10-12 00:02:19 +00:00
Translation updater bot 745d8a0179 Localisation updates from https://translatewiki.net.
Change-Id: If7eeee8717eb0bdd16d36622922797295e518f41
2016-10-10 22:27:58 +02:00
Translation updater bot 905045abc3 Localisation updates from https://translatewiki.net.
Change-Id: I9f44cc8750d00109d7a8d6a5f2e0999fde550ffd
2016-10-09 22:53:34 +02:00
jenkins-bot e4003d99d6 Merge "Add a query meta api option to check for OATH" 2016-10-08 00:44:39 +00:00
Bryan Davis a6b60d2465 Apply rate limits to all token verifications
Extend the token validation failure checks introduced in I4884f6e to the
other interactions where OATHAuthKey::verifyToken is used.

Depends-On: Ia3add8bbbab0307f036e9b77e752c382da3a0d04
Change-Id: Icbe5cdf561c683dc971a099d61cedff311b26b43
2016-10-07 17:24:32 -07:00
Bryan Davis 36c523ab23 Add an api action to validate an OATH token
Add a new internal action=oathvalidate Action API module that can be
used to validate an OATH token collected from a user. Using the module
requires the 'oathauth-api-all' permission introduced in I4884f6e.

Attempts to call the action for a given user are rate limited to only
allow 10 failures per minute using the new 'badoath' key.

The check is primarily useful as an internal network service in an
environment where MediaWiki and other applications are sharing the same
backing authentication store (e.g. LDAP) and the non-MediaWiki
applications would like to respect the OATH protections enabled on the
MediaWiki install.

Complete usage in an LDAP shared auth environment would look something
like:
* Authenticate a user with the LDAP server via auth-bind
* Call action=query&meta=oath as a privileged user to check for OATH
  protection.
* If OATH is active for the account, prompt the user for their current
  OATH token.
* Call action=oathvalidate as a privileged user to validate the token.
* If validation succeeds, complete authentication.
* If validation fails, do not authenticate the user.

Bug: T144712
Change-Id: I1b18d9f3b99364fc47c760bdfc2047c1cbb5c04a
2016-10-07 16:55:50 -07:00
Bryan Davis 766e18bca1 Add a query meta api option to check for OATH
Add a new internal action=query&meta=oath Action API module that can be
used to check for OATH protection on a given user account. Using the
module requires a new 'oathauth-api-all' permission which is not granted
to any group by default. The permission is also added to the new
'oath' grant so that it can be used via OAuth and bot passwords.

Use of this API is security sensitive and should not be granted lightly.
Configuring a special 'oathauth' user group to grant the needed
'oathauth-api-all' permission is recommended.

This check is primarily useful as an internal network service in an
environment where MediaWiki and other applications are sharing the same
backing authentication store (e.g. LDAP) and the non-MediaWiki
applications would like to respect the OATH protections enabled on the
MediaWiki install.

Bug: T144712
Change-Id: I4884f6efdfa42db82c25eadb70c7aefa98c370e9
2016-10-07 12:10:18 -07:00
Translation updater bot 00c8e5338c Localisation updates from https://translatewiki.net.
Change-Id: I60dd1befac5dc36205db2f5bc3574fa7c496ab16
2016-10-05 22:43:08 +02:00
Reedy 52686c04b7 Minor documentation updates
Update DatabaseBase type hint

Update some deprecated code usages

Change-Id: I86aa4507447040754d0c9f20171f7e22aed4a0cc
2016-10-02 12:25:59 +00:00
Reedy 9cceee17cc Clean up code style and docblocks
* array() -> []
* spacing fixes
* dirname( __FILE__ ) -> __DIR__
* Add phpcs style checks using latest mediawiki-codesniffer to keep
  things clean.

Co-Authored-By: Bryan Davis <bd808@wikimedia.org>
Change-Id: I95735f928d3e5d6ac9d2a10d92b40ed01cf2737c
2016-09-30 14:40:06 -06:00
jenkins-bot 624c7aca6a Merge "Suppress unserialize errors" 2016-09-30 20:13:42 +00:00
jenkins-bot 3391429b3d Merge "We need a master to do write actions..." 2016-09-30 20:04:58 +00:00
Bryan Davis 03d890f3da Fix some comments
* Spelling in OATHAuthHooks::onRegistration comment
* Remove incorrect comment for OATHAuth::__construct
* Spelling in TOTPAuthenticationRequest class phpdoc

Change-Id: Iaf670a1b86e82b4684489371c8152b8055bff90e
2016-09-28 21:25:45 -06:00
Bryan Davis 0e37c6ca1f Add composer.lock to .gitignore
Change-Id: If5b8459cd967bf4b056573f4223f5bc886960251
2016-09-28 21:25:40 -06:00
jenkins-bot 3dc8dc3b1e Merge "Show the first input as a warning, not as an error box" 2016-09-17 18:05:17 +00:00
Reedy d38cb8e87c Suppress unserialize errors
Bug: T130740
Change-Id: I20b076b7f3ce15d31a21f8935b74f9121f70c5a3
2016-09-17 00:05:25 +01:00
Reedy bfe362d059 We need a master to do write actions...
Change-Id: I618d371cdf76d96370c65975db702ed2fef0579c
2016-09-17 00:04:05 +01:00
Translation updater bot 69506832f0 Localisation updates from https://translatewiki.net.
Change-Id: I554f993eb9618e78f218991fc055c774c7052346
2016-08-17 22:40:18 +02:00
Translation updater bot 57e3f9dc24 Localisation updates from https://translatewiki.net.
Change-Id: Ica4440bb1aaa56ad3f03fe8f79c9b165b5b6bf1e
2016-08-08 22:33:45 +02:00
Florian 106497dc27 Show the first input as a warning, not as an error box
The first time the extension asks for the code of the mobile phone
isn't an error and shouldn't be styled as such (see the depends-on
change). Change all other UIs to errors.

Bug: T139179
Change-Id: I7cc3333c3e166295e85e91c7b377e53842bdb307
Depends-On: I9a27911613e62b5c4cb86bea40696cb37c4f49c2
2016-07-28 22:29:03 +02:00
Translation updater bot fc051bc05c Localisation updates from https://translatewiki.net.
Change-Id: I623e2a0557fd9fc0ff57085c47bda4fcb7eda6e3
2016-07-21 22:58:30 +02:00
Translation updater bot ea689f5d2a Localisation updates from https://translatewiki.net.
Change-Id: I77817bd893810391acb502fca85d33e7eb55ce40
2016-07-01 23:24:55 +02:00
Translation updater bot d2d3697633 Localisation updates from https://translatewiki.net.
Change-Id: Ic1be648a908693328f0273fefa67c0c95e8be3e5
2016-06-26 14:19:07 +02:00
Translation updater bot a5c444d64e Localisation updates from https://translatewiki.net.
Change-Id: I90c756dca597df34afb9d920490ec3135c3ee33a
2016-06-25 14:54:47 +02:00
Translation updater bot ebf96d3484 Localisation updates from https://translatewiki.net.
Change-Id: I8642cb55ddef7ecbb4fee677a68865d8fff8643a
2016-06-24 11:13:41 +02:00
Kunal Mehta 525f54186e Set license-name in extension.json
Change-Id: Ie2457a3e5ffee0377facd4a2f62df5aa0ee4559f
2016-06-23 11:23:18 +02:00
Translation updater bot 23700f0d28 Localisation updates from https://translatewiki.net.
Change-Id: Ib5c91bf3c441ae9c35cf034e3b22c4c0d606fc0c
2016-06-21 23:31:04 +02:00
Brian Wolff 185bce5859 Fixup qrcode-generating js, to stop race condition.
Previously there was a race condition where the qrcode would
not show if the startup module finished loading prior to the
div that should contain the qrcode being loaded. This quite
commonly happened on Wikipedia during a hit where js is cached
(but does not happen locally; my theory is that that is due to
how packets get split over the network but not from localhost).

Change it to use a normal RL module, as that seems best practice.
Also do not load the qrcode js on special pages that do not use it.
Finally, remove position:top as it's not needed.

Bug: T136988
Change-Id: I5139f222207203d834bdc979b21c1fc94f242ac2
2016-06-20 03:42:28 -04:00
Translation updater bot 04ba11bf3a Localisation updates from https://translatewiki.net.
Change-Id: I4215be1d92514c1c2c418e23dc00f15569c07cc8
2016-06-18 22:47:39 +02:00
Translation updater bot cdce14b143 Localisation updates from https://translatewiki.net.
Change-Id: I8d3c874594758bd784c386fc34ebc696862e46b8
2016-06-17 22:30:34 +02:00
Translation updater bot be61d58740 Localisation updates from https://translatewiki.net.
Change-Id: Ie7c37eafa53b7ad3d2f63df0c4a86e8e2c2e0dcf
2016-06-15 22:37:02 +02:00
Translation updater bot e90196325a Localisation updates from https://translatewiki.net.
Change-Id: I74da4777405f214fc38d086a1098b9016e8dba78
2016-06-10 22:18:39 +02:00
Translation updater bot 71a049cc64 Localisation updates from https://translatewiki.net.
Change-Id: I6dde00bcf1c7fd3777adc7796e108c871c8d0bc6
2016-06-09 22:39:34 +02:00
Translation updater bot cfcfe47081 Localisation updates from https://translatewiki.net.
Change-Id: I43bc4e6eaf0e913ceb6e2c5e454cc5a1b99b09cb
2016-06-07 22:45:10 +02:00
Translation updater bot 47b7dd8019 Localisation updates from https://translatewiki.net.
Change-Id: Ie8a83530c9435d7f3a829882065c69ab92ff9787
2016-06-06 22:59:19 +02:00
Translation updater bot 853bc6ca00 Localisation updates from https://translatewiki.net.
Change-Id: Id8b4cdc210412ae8001c6f1d03ef912cc5e93591
2016-06-05 22:21:54 +02:00
Translation updater bot 847a4b9209 Localisation updates from https://translatewiki.net.
Change-Id: I91f32000206bc70b62744f28343a9cc56fa87568
2016-06-04 22:24:01 +02:00
Translation updater bot 5c24b3b3df Localisation updates from https://translatewiki.net.
Change-Id: I4621c364ff464bb333f11dea846f8ed26c21bee3
2016-06-03 23:21:42 +02:00
Translation updater bot f3533feac3 Localisation updates from https://translatewiki.net.
Change-Id: I4414aa077fd438e77680911151ebf292a76d25de
2016-06-02 22:24:52 +02:00
Translation updater bot a4be5669a2 Localisation updates from https://translatewiki.net.
Change-Id: Ic9c994bf5ab7c0b4c4469dba2563cf4242aeb381
2016-06-01 23:12:11 +02:00
Aaron Schulz 28d625e6bc Avoid DB connections on OATHUserRepository construction
Bug: T136224
Change-Id: I405d2f544409d635e4fac1d5222c42e8036c6945
2016-05-31 13:24:18 -07:00
Gergő Tisza 563796a98c Update for AuthManager
Handling enabling/disabling via AuthManager is left to a separate
patch.

Bug: T110457
Change-Id: Ic492b8f2477c475f8414b61505139e9a1df2ba5b
2016-05-31 19:38:41 +00:00
Dpatrick 6f809fef27 Merge "Add URL encoding to TOTP QR code URL" 2016-05-26 18:19:22 +00:00
Tyler Romeo 7b8a68fd5a Add URL encoding to TOTP QR code URL
Add RFC 3986 URI encoding to the account label in accordance with the
Google Authenticator specification to ensure the QR code is properly
generated for usernames with special characters in them.

Bug: T136269
Change-Id: I18175c9a3c9a45346fa7a227a5209194385c6696
2016-05-26 12:20:06 -04:00
Aaron Schulz 9b8edbb7c7 Define doesWrites() for special pages
Change-Id: Ie76189ad1c91150e4cef315dacbb845911f7477a
2016-05-25 12:25:10 -07:00
Translation updater bot 1b6780b8e7 Localisation updates from https://translatewiki.net.
Change-Id: Id04818d138b280580c7d643e8fb4d97df0a481ca
2016-05-10 22:28:41 +02:00
Translation updater bot 1432439b17 Localisation updates from https://translatewiki.net.
Change-Id: Ib94b65a67b164520eb8e97459ea5b6e3024abb0a
2016-04-18 22:21:26 +02:00
Dpatrick 0aab34ffdb Merge "Delete users who didn't complete setup on upgrade" 2016-04-11 17:50:02 +00:00
Translation updater bot 71a09d79fc Localisation updates from https://translatewiki.net.
Change-Id: I23da81e04fe56170ed748279acfc0fe3a5c9a2af
2016-04-10 20:05:02 +02:00