Commit graph

38 commits

Author SHA1 Message Date
Dejan Savuljesku 017d8c8126 Support for multiple keys, improved module form logic #2
Removed unused classes, missed in previous commits

Bug: T218210

Change-Id: Iaf9facb54cd9693f20ed2f48d22b076c4b626705
2019-07-05 20:23:26 +00:00
Amir Aharoni 53251f752c Split apihelp messages to a separate file
Bug: T189982
Change-Id: I04f84c10c99de9bdd5d7b9828e852615488328db
2019-07-04 20:09:00 +01:00
rvogel b9f768e20a Refactor includes to src #2
Bug: T218210

Change-Id: I079e6e819c079b68bbfecdac0d873b26d4e16e86
2019-07-04 13:36:13 +00:00
rvogel b04722a1eb Rework the way user interacts with 2FA settings
Bug: T218210

Change-Id: Iaa6f6ae1c25f47ef43a0e6467474284d89a7a213
2019-07-04 12:45:27 +00:00
Reedy 62d83ab1e6 Bump version to 0.3.0
Change-Id: If1dd738cba260a4270f943b1b98610d47f2023bd
2019-06-19 13:28:43 +01:00
rvogel d1475452a6 Fix remoteExtPath in RL module definition
Change-Id: Ie2a1af68f498d551da77df907a965d4fec0ece65
2019-06-18 22:22:03 +00:00
Dejan Savuljesku ea984e5c2b Refactor the extension to support multiple auth modules
Please note, this patch requires a schema change before merging

Change-Id: I71286534d21d95083436d64d79811943c1a1d032
ERM: #14484
Bug: T218210
2019-06-18 10:45:21 +00:00
Amir Sarabadani 808df6dc55 Add private logging when user disables 2fa for someone else
It's better that we add for when someone enables or disables for self too
But that can be done in a follow-up patch

Bug: T180896
Change-Id: Ic173ebb7e39d22e40fea23c2b906d246adef1e05
2019-04-12 12:10:43 +00:00
Reedy bac94daedb Replace hotp.php with composer library
Adds jakobo/hotp-php 1.0.0

Change-Id: Ifeb43a5e20cd868b35182d4233cdcab154354f84
Depends-On: I6e34c6dcc79fb46496fe63b16064500a5ef3bc43
2019-04-11 17:05:16 +00:00
Reedy 24e4510cf3 Replace base32.php with composer library
Add christian-riesen/base32 1.3.1

Change-Id: I6c8c62bde48ac5793c09d9f0ee7dabf3f4c485ee
Depends-On: If549500ba8aa8c4dbf7bfa43b5f4165e0a39d1f0
2019-04-11 11:45:39 +00:00
Amir Sarabadani a95802a14e Add SpecialDisableOATHForUser
Bug: T195207
Change-Id: I695a376e15e8a95a02849a6ec67b882228852ef8
2018-10-26 14:52:44 +00:00
James D. Forrester 3546c62f19 Drop pre-MW1.32 Special:Preferences (non-OOUI) compatability
Depends-On: I65b89385c3ec28ef01b86dd933dae3801e503631
Change-Id: Id9c840e979b723806883bb3e63d7f2f691fea629
2018-10-04 00:52:06 +00:00
Kunal Mehta 146b26349a Make licensing explicit, add missing GPL file headers
Since this repository has multi-licensed code, add GPL v2+ file headers
to code that had no licensing blocks to make it obvious which files
carry which license.

And add "AND GPL-3.0-or-later" to extension.json's license-name property
to make it clear that this extension does have code that isn't
redistributable under GPL v2.

Change-Id: Id3059fb9596527ef054bec9d89a28f1ccbe2113d
2018-04-10 18:29:26 -07:00
Kunal Mehta 7451a5df33 Move classes to includes/
Change-Id: I2d2a917e5a22f88dc644eb3c33f775642728e1f4
2018-04-09 00:51:39 -07:00
Kunal Mehta e3fc6fdd94 Use SPDX 3.0 license identifier
SPDX released version 3 of their license list (<https://spdx.org/licenses/>),
which changed the FSF licenses to explicitly end in -only or -or-later
instead of relying on an easy to miss + symbol.

Bug: T183858
Change-Id: Ia282470aefef930bd867de521f9c45ded8349193
2018-03-02 15:27:50 -08:00
Jayprakash12345 d7bdefda31 Update at-ease calls in extensions
Bug: T187037
Change-Id: Iae9b24abf3751740bd77e4ab10e01d154a0ea161
2018-02-12 18:24:47 +00:00
Umherirrender 5f8c22e9cd Rename file OATHAuth.hooks.php to match class
Change-Id: Iac3d687f20d6d1805ece0d1c83f3f5e722353a16
2017-12-10 00:24:36 +01:00
Reedy 0f5772e7bd Remove SpecialOATHLogin.php as more AuthManager related cleanup
Change-Id: I9d7fd0a2da0e3e54bb5031d7e70769a2a27703c8
2017-04-01 16:51:41 +01:00
Kunal Mehta a6810b041d Hide empty square for QR code with CSS for no-JS users
Change-Id: Id557bce14a623d894e0b23123c8ef037ddd3cc53
2016-11-14 18:23:53 -08:00
Kunal Mehta bf4637200a Get rid of separate ext.oathauth module
It's only used as a dependency for one module, so it doesn't really make
sense to have it as a separate module.

Change-Id: I0936073358e98d236ce9440d92873a2ea3851e60
2016-11-14 18:23:53 -08:00
Reedy 872a4768ff Allow override of Site prefix without changing sitename
Bug: T147901
Change-Id: Id5b565f9c05b591e3638dbf51dd784224203669c
2016-10-31 14:17:27 +00:00
Reedy e38c68c13e Remove pre authmanager MW support
Change-Id: I46712392e48c263bd30b849777caea8e22650d40
2016-10-15 21:56:40 +01:00
Bryan Davis a6b60d2465 Apply rate limits to all token verifications
Extend the token validation failure checks introduced in I4884f6e to the
other interactions where OATHAuthKey::verifyToken is used.

Depends-On: Ia3add8bbbab0307f036e9b77e752c382da3a0d04
Change-Id: Icbe5cdf561c683dc971a099d61cedff311b26b43
2016-10-07 17:24:32 -07:00
Bryan Davis 36c523ab23 Add an api action to validate an OATH token
Add a new internal action=oathvalidate Action API module that can be
used to validate an OATH token collected from a user. Using the module
requires the 'oathauth-api-all' permission introduced in I4884f6e.

Attempts to call the action for a given user are rate limited to only
allow 10 failures per minute using the new 'badoath' key.

The check is primarily useful as an internal network service in an
environment where MediaWiki and other applications are sharing the same
backing authentication store (e.g. LDAP) and the non-MediaWiki
applications would like to respect the OATH protections enabled on the
MediaWiki install.

Complete usage in an LDAP shared auth environment would look something
like:
* Authenticate a user with the LDAP server via auth-bind
* Call action=query&meta=oath as a privileged user to check for OATH
  protection.
* If OATH is active for the account, prompt the user for their current
  OATH token.
* Call action=oathvalidate as a privileged user to validate the token.
* If validation succeeds, complete authentication.
* If validation fails, do not authenticate the user.

Bug: T144712
Change-Id: I1b18d9f3b99364fc47c760bdfc2047c1cbb5c04a
2016-10-07 16:55:50 -07:00
Bryan Davis 766e18bca1 Add a query meta api option to check for OATH
Add a new internal action=query&meta=oath Action API module that can be
used to check for OATH protection on a given user account. Using the
module requires a new 'oathauth-api-all' permission which is not granted
to any group by default. The permission is also added to the new
'oath' grant so that it can be used via OAuth and bot passwords.

Use of this API is security sensitive and should not be granted lightly.
Configuring a special 'oathauth' user group to grant the needed
'oathauth-api-all' permission is recommended.

This check is primarily useful as an internal network service in an
environment where MediaWiki and other applications are sharing the same
backing authentication store (e.g. LDAP) and the non-MediaWiki
applications would like to respect the OATH protections enabled on the
MediaWiki install.

Bug: T144712
Change-Id: I4884f6efdfa42db82c25eadb70c7aefa98c370e9
2016-10-07 12:10:18 -07:00
Kunal Mehta 525f54186e Set license-name in extension.json
Change-Id: Ie2457a3e5ffee0377facd4a2f62df5aa0ee4559f
2016-06-23 11:23:18 +02:00
Brian Wolff 185bce5859 Fixup qrcode-generating js, to stop race condition.
Previously there was a race condition where the qrcode would
not show if the startup module finished loading prior to the
div that should contain the qrcode being loaded. This quite
commonly happened on wikipedia during a hit where js is cached
(But does not happen locally, my theory is that that is due to
how packets get split over the network but not from localhost).

Change it to use a normal RL module, as that seems best practise.
Also do not load the qrcode js on special pages that do not use it.
Finially, remove position:top as its not needed.

Bug: T136988
Change-Id: I5139f222207203d834bdc979b21c1fc94f242ac2
2016-06-20 03:42:28 -04:00
Gergő Tisza 563796a98c Update for AuthManager
Handling enabling/disabling via AuthManager is left to a separate
patch.

Bug: T110457
Change-Id: Ic492b8f2477c475f8414b61505139e9a1df2ba5b
2016-05-31 19:38:41 +00:00
Darian Anthony Patrick ff233b3e97 Reintroduce TwoFactorIsEnabled hook
Production code in another extension depends on the existence of this
hook.

Bug: T131445
Change-Id: I3844150801f724f3eb217dc16c26cb76a58aedd8
2016-04-02 10:33:18 +00:00
csteipp a24d6adfbf Encrypt password when stored in user session
During the two-step login, users with OATH enabled need to have their
login details saved into their session while we prompt them for their
OATH code. This encrypts that data, so we don't write their user's
password into our session storage.

Change-Id: I9969871205ac5c438706df41ef1519cb4cd7a964
2016-03-30 21:23:48 -07:00
Tyler Anthony Romeo 1a8006317d Move token login to separate page
Rather than have an extraneous form on the login page,
move the token input to a separate page. The actual
logic for logging in is identical, the only difference
is that the token is added to the form data on a second
page request.

Bug: 53195
Change-Id: I39859cc59f1811de42b72f6167d332ea48812f97
2016-03-29 16:02:54 -07:00
Tyler Romeo 4e9ad22469 Add user right for enabling two-factor auth
Make new right oathauth-enable that the user must have to enable two
factor authentication (disabling and logging in, of course, are still
allowed).

Bug: T100376
Change-Id: I18d43f8b2cf2c2ce9c2309a43961686498b5c999
2016-03-24 12:45:41 -07:00
Tyler Romeo 67c7dd10e7 Allow for using separate database for OATH creds
Add configuration variable for specifying what database the OATH
credentials are stored in, that way wikis that use CentralAuth can
centralize their two-factor authentication data as well.

Bug: T100374
Change-Id: I285e2fe29fee43ddc6c5a6e51823911d43c596f6
2016-03-24 12:03:23 -07:00
Tyler Anthony Romeo 0c389f5025 Refactored special pages into HTMLForm and proxy
Made new class ProxySpecialPage, which acts as a
proxy object to another SpecialPage object that is
determined based on context information other than
the title.

Then Special:OATH has been split into two separate
special page classes (both FormSpecialPages using
HTMLForm) that are routed to by a ProxySpecialPage
object.

In addition, the form for enabling two-factor auth
has been refactored into vform style, with some
better instructions on how to enable two-factor
authentication.

Change-Id: Ib9117cbc9d7f044de9607db81a157e1b472b5ec0
2016-03-23 11:26:04 -07:00
jenkins-bot fc54f3cd6e Merge "Refactor extension key storage" 2016-03-23 04:20:37 +00:00
Tyler Anthony Romeo 89455cdfb2 Refactor extension key storage
This takes out the actual key information from
OATHUser and puts it into an OATHKey class, which OATHUser
depends on. This allows easily swapping keys in/out from
a user.

Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19
2016-03-22 18:08:45 -07:00
Paladox eba51a1f28 Use HTTPS for the url
Change-Id: I3e70181ff28e45466d2559d884486183856a5c40
2016-01-19 22:15:23 +00:00
victorbarbu 961dd687b9 Upgrade Extension:OATHAuth to the registration system
Bug: T87949
Change-Id: Id6217249c11922ab7d25b31375789c40d737600c
2015-12-20 22:30:58 +02:00