Validating with a scratch code is probably a "giant trap that newbies
could fall into".
Bug: T150824
Change-Id: I5710b151d7682e4cdb0b6a692f7b2c108f051caf
Rename this key from failedtovalidateoauth to failedtovalidateoath
as it has nothing to do with OAuth
Bug: T151536
Change-Id: Ib34ef3dbdef8eda515748140960ef240e4990044
- add space char separators and create groups of 4 chars
- use monospace font
- increase the size of the codes slightly
Bug: T150907
Change-Id: Idb99f48b2d9eae6acacca80be61203ca6404782c
It's not like people are going to do anything else here, so
autofocussing is allowed in this case (no accessibility problem)
and speeds up interaction.
Bug: T150861
Change-Id: I6b41cc763156b48d8e35fb6829f70f0eb01e5511
The issuer name is an optional but important feature that allows
the user to differentiate between different accounts used in the
same authenticator app. While we currently use a prefix in the
user account name, declaring an issuer makes it easier for the
user to differentiate.
Bug: T150596
Change-Id: I741dd671e79e0326dfe97bdaaf63b3997960d115
Extend the token validation failure checks introduced in I4884f6e to the
other interactions where OATHAuthKey::verifyToken is used.
Depends-On: Ia3add8bbbab0307f036e9b77e752c382da3a0d04
Change-Id: Icbe5cdf561c683dc971a099d61cedff311b26b43
Previously there was a race condition where the qrcode would
not show if the startup module finished loading prior to the
div that should contain the qrcode being loaded. This quite
commonly happened on wikipedia during a hit where js is cached
(But does not happen locally, my theory is that that is due to
how packets get split over the network but not from localhost).
Change it to use a normal RL module, as that seems best practice.
Also do not load the qrcode js on special pages that do not use it.
Finally, remove position:top as it's not needed.
Bug: T136988
Change-Id: I5139f222207203d834bdc979b21c1fc94f242ac2
Add RFC 3986 URI encoding to the account label in accordance with the
Google Authenticator specification to ensure the QR code is properly
generated for usernames with special characters in them.
Bug: T136269
Change-Id: I18175c9a3c9a45346fa7a227a5209194385c6696
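
The two changes above that affect the QR provisioning URI (declaring an issuer, and RFC 3986 encoding of the account label) are shown together in the following added example. It is not code from the OATHAuth extension: `buildTotpUri()` is a hypothetical helper, all sample values are constructed, and the URI layout is assumed to follow the Google Authenticator Key URI format.

```php
<?php
// Added illustration, not code from the OATHAuth extension.
// buildTotpUri() is a hypothetical helper; all sample values are constructed.

function buildTotpUri( string $issuer, string $account, string $base32Secret ): string {
	// ':' separates issuer and account inside the label, so neither part may contain it.
	foreach ( [ $issuer, $account ] as $part ) {
		if ( $part === '' || strpos( $part, ':' ) !== false ) {
			throw new InvalidArgumentException( 'Issuer and account must be non-empty and contain no ":"' );
		}
	}
	if ( !preg_match( '/^[A-Z2-7]+$/', $base32Secret ) ) {
		throw new InvalidArgumentException( 'Secret must be unpadded upper-case base32' );
	}

	// rawurlencode() implements RFC 3986 percent-encoding: a space becomes %20.
	// urlencode() would emit "+", which only means "space" in form-encoded data,
	// so an authenticator app may show it literally in the account label.
	$label = rawurlencode( $issuer ) . ':' . rawurlencode( $account );

	// The issuer is repeated as a query parameter, encoded with the same RFC 3986 rules.
	$query = http_build_query(
		[ 'secret' => $base32Secret, 'issuer' => $issuer ],
		'', '&', PHP_QUERY_RFC3986
	);

	return 'otpauth://totp/' . $label . '?' . $query;
}

// Constructed sample input: a user name with a space, an apostrophe and a non-ASCII letter.
$issuer = 'Example Wiki';
$account = "Zoë O'Brien";
$secret = 'JBSWY3DPEHPK3PXP'; // constructed test secret, not a real credential

// Compare the two encoders on the same label, then print the full provisioning URI.
echo 'urlencode label:    ', urlencode( $account ), PHP_EOL;
echo 'rawurlencode label: ', rawurlencode( $account ), PHP_EOL;
echo buildTotpUri( $issuer, $account, $secret ), PHP_EOL;
```
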
During the two-step login, users with OATH enabled need to have their
login details saved into their session while we prompt them for their
OATH code. This encrypts that data, so we don't write their user's
password into our session storage.
Change-Id: I9969871205ac5c438706df41ef1519cb4cd7a964
Rather than have an extraneous form on the login page,
move the token input to a separate page. The actual
logic for logging in is identical, the only difference
is that the token is added to the form data on a second
page request.
Bug: 53195
Change-Id: I39859cc59f1811de42b72f6167d332ea48812f97
Make new right oathauth-enable that the user must have to enable two
factor authentication (disabling and logging in, of course, are still
allowed).
Bug: T100376
Change-Id: I18d43f8b2cf2c2ce9c2309a43961686498b5c999
Add configuration variable for specifying what database the OATH
credentials are stored in, that way wikis that use CentralAuth can
centralize their two-factor authentication data as well.
Bug: T100374
Change-Id: I285e2fe29fee43ddc6c5a6e51823911d43c596f6
Made new class ProxySpecialPage, which acts as a
proxy object to another SpecialPage object that is
determined based on context information other than
the title.
Then Special:OATH has been split into two separate
special page classes (both FormSpecialPages using
HTMLForm) that are routed to by a ProxySpecialPage
object.
In addition, the form for enabling two-factor auth
has been refactored into vform style, with some
better instructions on how to enable two-factor
authentication.
Change-Id: Ib9117cbc9d7f044de9607db81a157e1b472b5ec0
This takes out the actual key information from
OATHUser and puts it into an OATHKey class, which OATHUser
depends on. This allows easily swapping keys in/out from
a user.
Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19
* Removed use of deprecated core features
* Made code style fixes
* Made pass phpcs-strict
* Fixed special page aliases
Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6
SpecialOATH must verify the supplied OATH token before calling
OATHUser::disable(), as the latter method does not do it.
Change-Id: If5f6bc332fb29f7287d5d7ebf9849035e79ba79e