Commit graph

74 commits

Author SHA1 Message Date
Reedy d4cc647595 oathauth-step1-test: Improve examples (and add links) of 2FA apps
Bug: T226059
Change-Id: I13ccf55016f6ca212142ce2a4290255f2890e023
2024-01-04 10:30:05 +00:00
Reedy ca3b49b86f TOTPEnableForm: Add message for step 2 before qr code image
Change-Id: Ifdacc045b5796c53061ab7b4f5ef44e4ade310a2
2024-01-03 17:07:24 +00:00
Reedy f773fa040c TOTPEnableForm: Reorder manual step and improve oathauth-step2alt
Bug: T226060
Change-Id: I332c3cd53d5ba3351c5316a1cf67485b513520bb
2023-12-26 22:40:23 +00:00
Derk-Jan Hartman 55b465c196 Provide an alt label to the SVG qr code
The raw svg was represented to a11y dom as 256x256 images (due to
the 'use'). Convert the raw SVG to a base64 encoded img data uri and
provide it with an alt attribute describing the function.

While the qr code is duplicate with the 'manual' code below it, it is
not decorative so should not suppress alt. It's a big image and if
you use touch interaction, it would create a big blank spot. It is
useful to know for users that the QR code is there.

The img wrapping should also make the SVG usage slightly safer. It
avoids any potential remote resource usage from inside the SVG. While
this is not a direct danger right now, compromised php packages can
happen, and this limits the impact in that case.

Bug: T151550
Change-Id: I568927ace95a1fdf9cd7990bc7de8461718aa1c1
2023-12-26 14:46:45 +00:00
Reedy 4484acf5eb Add missing oathauth-notifications-(dis|en)able-primary messages
Bug: T210075
Bug: T210963
Bug: T301987
Bug: T326073
Change-Id: If4fe85ebc5e7fdd1ec22ede14a9b88bbcda13228
Follows-Up: I99077ea082b8483cc4fd77573a0d00fa98201f15
Follows-Up: I0fe32b735e34753442ec9811ea41d15b76999d87
2023-11-08 17:45:15 +00:00
Translation updater bot 66dc5cc81a Localisation updates from https://translatewiki.net.
Change-Id: I21d1fbccddb55b46823feb61fb2ae4082f5dc724
2023-05-08 10:32:49 +02:00
Translation updater bot f6366908de Localisation updates from https://translatewiki.net.
Change-Id: Ic9610a53e8b87a8301d50df647f500907ae552c7
2022-06-16 09:25:08 +02:00
Kunal Mehta c896015a44 Allow filtering Special:Log/oath by action
Configure "ActionFilteredLogs" in extension.json to allow filtering
the oath log by its two actions, verify ("checking" in the UI) and
disable-other.

== Test plan ==
* Enable 2FA on your administrator account, use Special:VerifyOATHForUser
  and Special:VerifyOATHForUser to generate two log entries.
* Visit Special:Log/oath and use the new action selector, testing each
  state to verify the correct set of logs are shown.
* Screenshots showing this testing are posted at T310487#7999991.

Bug: T310487
Change-Id: I10632c86689e330b21b44a096b098436ebe47e3e
2022-06-13 14:28:22 -04:00
Translation updater bot 68846a28bd Localisation updates from https://translatewiki.net.
Change-Id: Iedf54e3a683de297ace950e8921ea47e8e18b278
2022-04-07 08:09:50 +02:00
Reedy b5a762d7fe Rename oauthauth-ui-no-module
Change-Id: I23a05cd04756b87d0a97db32ddedc1ea8af0c1b7
2022-04-02 21:39:07 +00:00
Reedy 16bc5d7168 Send a notification when 2FA is enabled
Bug: T301987
Change-Id: I0fe32b735e34753442ec9811ea41d15b76999d87
2022-02-24 00:39:37 +00:00
Translation updater bot 44831d0ecf Localisation updates from https://translatewiki.net.
Change-Id: Icbe945f1481cdc10980b68f04fad9bceb0b287f6
2022-02-18 08:40:54 +01:00
Kunal Mehta 329c3133d6 Send a notification when 2FA is disabled
Notify users when 2FA is disabled on their account in case something was
fishy about it. This notification is a "system" notification that will
be displayed in the web UI and sent over email. It can't be opted out of
as a preference.

The notification links to Special:Preferences, where users can see their
2FA status and re-enable it if they want. A secondary help link goes to
[[mw:Help:Two-factor authentication]], but can be overridden by
adjusting the "oathauth-notifications-disable-helplink" message. The
notification text is different based on whether the user disabled 2FA on
their own, or an admin used the special page or a maint script to do it.

On Wikimedia wikis, we'll use the WikimediaMessages extension to
customize the messages.

The Echo (Notifications) extension is not required, this will gracefully
do nothing if it's not enabled.

Bug: T210075
Bug: T210963
Change-Id: I99077ea082b8483cc4fd77573a0d00fa98201f15
2022-02-17 00:14:20 -08:00
Kunal Mehta 498dcfeb80 Require OATHAuth for membership in specified user groups
Users in groups listed in $wgOATHRequiredForGroups (default none) must
have two-factor authentication enabled otherwise their membership in
those groups will be disabled. This is done using the
UserEffectiveGroups hook, which allows dynamically adding or removing
user groups.

If a user doesn't have 2FA enabled, it will appear to them as if they
aren't a member of the group at all. Special:Preferences will show which
groups are disabled. In the future it would be good to have a hook into
PermissionsError to show this as well. The UserGetRights hook is used to
ensure the user still has the "oathauth-enable" user right in case it
was only granted to them as part of the user group they are disabled
from.

On the outside, Special:ListUsers will still show the user as a member
of the group. The API list=users&prop=groups|groupmemberships will show
inconsistent informaiton, groups will remove disabled groups while
groupmemberships will not.

This functionality was somewhat already available with
$wgOATHExclusiveRights, except that implementation has flaws outlined at
T150562#6078263 and haven't been resolved in I69af6a58e4 for over a year
now. If this works out, it's expected that will be deprecated/removed.

Bug: T150562
Change-Id: I07ebddafc6f2233ccec216fa8ac6e996553499fb
2022-02-14 00:47:20 -08:00
Translation updater bot ee4c2973b4 Localisation updates from https://translatewiki.net.
Change-Id: I43b847c2c8775c6a23d0ffe659ddbe2ffb8030f0
2021-01-20 08:27:11 +01:00
Translation updater bot 3ab77ffcb1 Localisation updates from https://translatewiki.net.
Change-Id: I305c4efd7423274592f58b3d78f40904419c8d02
2020-08-14 08:38:59 +02:00
DannyS712 635fba26b7 Add missing message verifyoathforuser
Bug: T209749
Change-Id: I0494dc670db9cd05fd0646b97a96618c84d6e1e2
2020-05-23 15:26:46 +00:00
Martin Urbanec b4b90b5bfa Partially revert b760540: Removed message documentation
This makes our CI to fail.

Bug: T250902
Change-Id: I2171f48b566e34986bec6b2ca0750a215dcbc046
2020-04-22 12:27:25 +02:00
Translation updater bot b760540033 Localisation updates from https://translatewiki.net.
Change-Id: Ie109e945cbb170e80eb3f0e41b555e0eccc0bb1b
2020-04-22 08:56:45 +02:00
DannyS712 130e649191 Add Special:VerifyOATHForUser to check if users have OATH enabled
Bug: T209749
Change-Id: Idbac3940b36ce21a0b40044482514a28c5fbd45f
2020-04-22 00:47:22 +00:00
Translation updater bot 389142e737 Localisation updates from https://translatewiki.net.
Change-Id: I7c28692608f053eb492b68f9ff90877720040e87
2020-04-07 08:45:54 +02:00
zoranzoki21 e1d6ac5053 Add missing oathauth-module-invalid message
Bug: T228269
Change-Id: I7f3ceaf27cb13bbf1acc0e7784f405fef35e3001
2019-11-09 18:17:43 +00:00
Dejan Savuljesku 920136e67b Do not store proper objects in session data
Bug: T233146
Change-Id: I2f75261b276993d27f6c96e066ea7769cf7fc082
2019-10-16 13:04:49 +02:00
Translation updater bot 9aba5ecabb Localisation updates from https://translatewiki.net.
Change-Id: Ic7582b04c502952efd786f9bd706b36fca3e3516
2019-10-02 09:22:27 +02:00
Translation updater bot f140524d98 Localisation updates from https://translatewiki.net.
Change-Id: I29e7ea347f00a2630942083236c9d35111f648f6
2019-09-30 09:20:15 +02:00
Dejan Savuljesku 8ca4dabd70 Add warning page before method gets disabled
- When explictly disabling a method
- When method is implicity disabled if user switches to another method

Bug: T232008
Change-Id: I97a96ca7c1935ecb3a81aea35f607b8ff9f8817d
2019-09-28 16:22:41 +00:00
Translation updater bot 169f594645 Localisation updates from https://translatewiki.net.
Change-Id: I16ab0262538257e198c4f1651c99cc741e076e79
2019-09-27 09:21:19 +02:00
Translation updater bot d8ea515507 Localisation updates from https://translatewiki.net.
Change-Id: Ie9a8c699d3e8de80b24946937b641a8b6d5052b8
2019-09-13 10:19:18 +02:00
Translation updater bot 4b06d3a66a Localisation updates from https://translatewiki.net.
Change-Id: Id58ccb6de5bece49e3956310d3924a3c0c1d129f
2019-09-02 10:20:04 +02:00
Reedy 3ab00ff4ef Re-add missing qqq for oathauth-ui-not-enabled-modules
Was clobbered by l10nupdate in I6daf23c4c166f08b332e9ae77a8e40e1ea91dcc8

Change-Id: I5d7d8dbb50e568f3684bbaba87a34fea3774df0a
2019-08-30 19:24:47 +00:00
Translation updater bot 88614fd8de Localisation updates from https://translatewiki.net.
Change-Id: I6daf23c4c166f08b332e9ae77a8e40e1ea91dcc8
2019-08-30 10:04:04 +02:00
Dejan Savuljesku 630a17da01 UI upgrade
Help messages for 2FA in general and for TOTP module are taken from Wikipedia.
Those could probably be improved, any suggestions are welcome

Bug: T218214
Bug: T226056
Change-Id: Ifc81a3c0e1adc9f6d0d49e7eee086714fc2c0f81
2019-08-29 10:38:10 +00:00
Translation updater bot 35a727be22 Localisation updates from https://translatewiki.net.
Change-Id: I41f0d334a9a938dfbb289893643e0833a7e02ee1
2019-08-20 10:24:44 +02:00
jenkins-bot cfe1f744e8 Merge "Remove orphaned oathauth-ui-error-page-no-module message" 2019-07-31 15:50:51 +00:00
Dejan Savuljesku 6c09ac0c53 Allow revocation of user rights if 2FA isn't enabled on an account
Bug: T199118
Bug: T218215

Change-Id: I7036dd0d95598b90654a1fcf3130c6bdc6b635b4
2019-07-31 13:36:33 +00:00
Reedy cbda0da987 Remove orphaned oathauth-ui-error-page-no-module message
Bug: T226058
Change-Id: I9c846ac57576b8d357d25cb7462ba27638c679c4
2019-07-31 14:29:38 +01:00
Amir Aharoni 53251f752c Split apihelp messages to a separate file
Bug: T189982
Change-Id: I04f84c10c99de9bdd5d7b9828e852615488328db
2019-07-04 20:09:00 +01:00
rvogel b04722a1eb Rework the way user interacts with 2FA settings
Bug: T218210

Change-Id: Iaa6f6ae1c25f47ef43a0e6467474284d89a7a213
2019-07-04 12:45:27 +00:00
Translation updater bot 7352a23f52 Localisation updates from https://translatewiki.net.
Change-Id: Ie620cdceaf4a00af87fd68cc32cdc997c7118166
2019-06-24 08:39:09 +02:00
Dejan Savuljesku ea984e5c2b Refactor the extension to support multiple auth modules
Please note, this patch requires a schema change before merging

Change-Id: I71286534d21d95083436d64d79811943c1a1d032
ERM: #14484
Bug: T218210
2019-06-18 10:45:21 +00:00
Reedy f7ab8e724e Add action-oathauth-disable-for-user
Bug: T220778
Change-Id: I5097d0c294e11502a6dbc8be25eee5c98138025f
2019-04-12 14:10:03 +01:00
Amir Sarabadani 808df6dc55 Add private logging when user disables 2fa for someone else
It's better that we add for when someone enables or disables for self too
But that can be done in a follow-up patch

Bug: T180896
Change-Id: Ic173ebb7e39d22e40fea23c2b906d246adef1e05
2019-04-12 12:10:43 +00:00
Translation updater bot 3f128dadab Localisation updates from https://translatewiki.net.
Change-Id: I730d35a7c58d5e1c052f6cf6a9df95ae7bce58ca
2019-04-05 22:27:33 +02:00
MarcoAurelio 40c119c172 Add missing 'oathauth-user-not-found' i18n key
Follow-up on Ibd2f5339.

Bug: T216415
Change-Id: Id3ac2a9d8f9f9275ab8d8bf0d408a11fbc070fec
2019-04-04 23:15:53 +00:00
mnavya 5ec38a027b Added missing disableoathforuser message
Bug: T216411
Change-Id: I86080005a0fbef6cd903989f4d2a0bf513c592a5
2019-03-03 14:37:13 +00:00
Translation updater bot ac46f5449c Localisation updates from https://translatewiki.net.
Change-Id: I168a2e8a89496a5a6c6e71536a3d932d050f6104
2018-10-26 22:24:11 +02:00
Amir Sarabadani a95802a14e Add SpecialDisableOATHForUser
Bug: T195207
Change-Id: I695a376e15e8a95a02849a6ec67b882228852ef8
2018-10-26 14:52:44 +00:00
Brad Jorsch 6bbd9a5e6a API: Split description messages into summary + additional text
See MediaWiki core patch I778bab2b

Change-Id: I690766f4d7ed27ff40f62b6ce0ab9dea38de3f69
2017-06-09 11:59:25 -04:00
Derk-Jan Hartman ac30151bcf Don't allow scratch tokens when enrolling for 2 auth.
Validating with a scratch code is probably a "giant trap that newbies
could fall into".

Bug: T150824
Change-Id: I5710b151d7682e4cdb0b6a692f7b2c108f051caf
2017-05-15 13:16:29 +02:00
jenkins-bot 099224abee Merge "OathAuth: rename failedtovalidateoauth" 2017-05-10 15:18:44 +00:00