Commit graph

611 commits

Author SHA1 Message Date
Derk-Jan Hartman 372ef401b6 Trim surrounding whitespace and seperators from tokens
Google authenticator uses a space character as a group seperator.
We can thus expect users to enter such a separator and we should not
fail on that. Might as well trim whitespace too, as that is another
oft occuring user input mistake, that should not affect functionality.

Bug: T150603
Change-Id: I7334ed5dfaf933e61831438e2f86aa979cf9f51b
2016-11-17 16:30:49 +01:00
MarcoAurelio 0ac5c0fb71 Make OATHAuth messages use consistent "two-factor authentication" wording
Bug: T150597
Change-Id: I0fed5a9b3fd747b6f2f71834c0bfe9dc88bbefb8
2016-11-17 11:19:11 +01:00
Reedy 8e70c98ed7 Rename openstackmanager- to oathauth-
Change-Id: If0378e0c0a3fc08de410be0d0e39273df1002391
2016-11-16 22:49:31 +00:00
Derk-Jan Hartman dbee859adc Put initial focus on token field
It's not like people are going to do anything else here, so
autofocussing is allowed in this case (no accessibility problem)
and speeds up interaction.

Bug: T150861
Change-Id: I6b41cc763156b48d8e35fb6829f70f0eb01e5511
2016-11-16 22:18:42 +00:00
Derk-Jan Hartman bb4a4c6c37 Rename Special:OATH to Special:Two-factor authentication
A link names OATH is based because:
1: It's an abbreviation
2: It's too technical
3: It looks too similar to the more well know abb. OAuth

Bug: T150602
Change-Id: Id687d4089d03135061de716231b84b83bd4c0d84
2016-11-16 22:16:19 +01:00
jenkins-bot f49444400f Merge "Provide a stable method for checking whether a user has enabled OATH" 2016-11-16 03:41:39 +00:00
jenkins-bot 29d13e4431 Merge "Hide empty square for QR code with CSS for no-JS users" 2016-11-16 00:27:01 +00:00
jenkins-bot bf60bcd3ae Merge "Get rid of separate ext.oathauth module" 2016-11-16 00:23:46 +00:00
Gergő Tisza 160daf2c05 Provide a stable method for checking whether a user has enabled OATH
This makes it possible to check from another extension whether the
user has strong login security, without depending on internals
which can change at any time.

(The TwoFactorEnabled hook was intended for something like this
but it operates on $wgUser which makes it useless for logins.)

Change-Id: Ie15c45c9b29de0a0f926c2467808ca144f05e866
2016-11-15 23:13:59 +00:00
Translation updater bot 49a7f75244 Localisation updates from https://translatewiki.net.
Change-Id: I5097d595eda9f16b5ee69d9377af1e50fd3263f7
2016-11-15 22:57:09 +01:00
Kunal Mehta a6810b041d Hide empty square for QR code with CSS for no-JS users
Change-Id: Id557bce14a623d894e0b23123c8ef037ddd3cc53
2016-11-14 18:23:53 -08:00
Kunal Mehta bf4637200a Get rid of separate ext.oathauth module
It's only used as a dependency for one module, so it doesn't really make
sense to have it as a separate module.

Change-Id: I0936073358e98d236ce9440d92873a2ea3851e60
2016-11-14 18:23:53 -08:00
Translation updater bot 044d469af2 Localisation updates from https://translatewiki.net.
Change-Id: I23b091e822c4a3b27383b4591b33626009e3f1eb
2016-11-14 22:57:29 +01:00
Translation updater bot 0e0a6c95d8 Localisation updates from https://translatewiki.net.
Change-Id: I5c8e5e443d8f12e8822b2f4c6d8b5816c718cc0e
2016-11-13 22:50:13 +01:00
Hydriz 0b460de458 Declare issuer name in QR code when setting up 2FA
The issuer name is an optional but important feature that allows
the user to differentiate between different accounts used in the
same authenticator app. While we currently use a prefix in the
user account name, declaring an issuer makes it easier for the
user to differentiate.

Bug: T150596
Change-Id: I741dd671e79e0326dfe97bdaaf63b3997960d115
2016-11-13 07:11:03 +00:00
Kunal Mehta e317bf4610 Show preferences link if user has a key set, but no userright
If the user has a key set but not the oathauth-enable userright, still
show the link to Special:OATH so they can manage it.

This can occur when only restricted groups are allowed to use OATHAuth,
but the user database is shared across multiple wikis.

Bug: T150584
Change-Id: I2db8b47051b0857538e668d233f5cb8586c328a1
2016-11-12 16:25:03 -08:00
Translation updater bot dffa6b689f Localisation updates from https://translatewiki.net.
Change-Id: Id51db40cfe516ca52e84ce9cdc655dafd36c8d82
2016-11-12 22:55:22 +01:00
jenkins-bot cd72757e4d Merge "Allow override of Site prefix without changing sitename" 2016-11-07 19:40:05 +00:00
Translation updater bot e785a0f891 Localisation updates from https://translatewiki.net.
Change-Id: I2cd8706e96f2c2bfc5b49380300f6a072c8424b1
2016-11-03 23:32:06 +01:00
Translation updater bot e4d6061cbf Localisation updates from https://translatewiki.net.
Change-Id: I49df9415bac6212938f90acb1ed8621f14a505ac
2016-11-01 22:47:09 +01:00
Tyler Anthony Romeo d2097fbcaf Add non-MySQL database support
Created patch files for other database types.
Note that some types, such as Oracle, are
not guaranteed to work, since not even MW
core works with them yet anyway.

Bug: T67658
Change-Id: Ie9ce8a4d1140d16017c1aa83865f79d8b0986528
2016-10-31 19:06:52 +00:00
Reedy 872a4768ff Allow override of Site prefix without changing sitename
Bug: T147901
Change-Id: Id5b565f9c05b591e3638dbf51dd784224203669c
2016-10-31 14:17:27 +00:00
Translation updater bot 56523b60cc Localisation updates from https://translatewiki.net.
Change-Id: I9c3aefda7209f4b01d3bc1ffcfb1fdf5336bd1bf
2016-10-25 23:15:42 +02:00
Chad Horohoe 63ba48fa8d Whoops, track not trace
Change-Id: I37e74fb90e45150e9155af81b99189ec4bfca5b5
2016-10-24 17:03:06 -07:00
Chad Horohoe baca4a727d Swapping defaultbranch for trace
The former is a maintenance nightmare when branching.

Bug:T146293
Change-Id: I8076f5e2b513457f43d2bb2e07a1ecab07f7a355
2016-10-24 16:38:00 -07:00
Translation updater bot 647b68c0fc Localisation updates from https://translatewiki.net.
Change-Id: Ibcb0a0657db806c066c11f0557a88dd36fba1a47
2016-10-22 22:46:35 +02:00
Translation updater bot a82d4aedd9 Localisation updates from https://translatewiki.net.
Change-Id: I465baf8d66a8b705366fd36d26eb5d8aa1eaa03d
2016-10-18 22:38:34 +02:00
Translation updater bot 1164ea58fc Localisation updates from https://translatewiki.net.
Change-Id: I50d84ab53301a197afd149a87baf93b1c93e99b5
2016-10-17 22:34:18 +02:00
Reedy e38c68c13e Remove pre authmanager MW support
Change-Id: I46712392e48c263bd30b849777caea8e22650d40
2016-10-15 21:56:40 +01:00
Translation updater bot 6cfec6bb04 Localisation updates from https://translatewiki.net.
Change-Id: I2c90c532207ef106e2c893e67d8cefd5334ed5bf
2016-10-13 22:51:40 +02:00
jenkins-bot 7c11b39942 Merge "Apply rate limits to all token verifications" 2016-10-12 00:07:35 +00:00
jenkins-bot 10ca80f08b Merge "Add an api action to validate an OATH token" 2016-10-12 00:02:19 +00:00
Translation updater bot 745d8a0179 Localisation updates from https://translatewiki.net.
Change-Id: If7eeee8717eb0bdd16d36622922797295e518f41
2016-10-10 22:27:58 +02:00
Translation updater bot 905045abc3 Localisation updates from https://translatewiki.net.
Change-Id: I9f44cc8750d00109d7a8d6a5f2e0999fde550ffd
2016-10-09 22:53:34 +02:00
jenkins-bot e4003d99d6 Merge "Add a query meta api option to check for OATH" 2016-10-08 00:44:39 +00:00
Bryan Davis a6b60d2465 Apply rate limits to all token verifications
Extend the token validation failure checks introduced in I4884f6e to the
other interactions where OATHAuthKey::verifyToken is used.

Depends-On: Ia3add8bbbab0307f036e9b77e752c382da3a0d04
Change-Id: Icbe5cdf561c683dc971a099d61cedff311b26b43
2016-10-07 17:24:32 -07:00
Bryan Davis 36c523ab23 Add an api action to validate an OATH token
Add a new internal action=oathvalidate Action API module that can be
used to validate an OATH token collected from a user. Using the module
requires the 'oathauth-api-all' permission introduced in I4884f6e.

Attempts to call the action for a given user are rate limited to only
allow 10 failures per minute using the new 'badoath' key.

The check is primarily useful as an internal network service in an
environment where MediaWiki and other applications are sharing the same
backing authentication store (e.g. LDAP) and the non-MediaWiki
applications would like to respect the OATH protections enabled on the
MediaWiki install.

Complete usage in an LDAP shared auth environment would look something
like:
* Authenticate a user with the LDAP server via auth-bind
* Call action=query&meta=oath as a privileged user to check for OATH
  protection.
* If OATH is active for the account, prompt the user for their current
  OATH token.
* Call action=oathvalidate as a privileged user to validate the token.
* If validation succeeds, complete authentication.
* If validation fails, do not authenticate the user.

Bug: T144712
Change-Id: I1b18d9f3b99364fc47c760bdfc2047c1cbb5c04a
2016-10-07 16:55:50 -07:00
Bryan Davis 766e18bca1 Add a query meta api option to check for OATH
Add a new internal action=query&meta=oath Action API module that can be
used to check for OATH protection on a given user account. Using the
module requires a new 'oathauth-api-all' permission which is not granted
to any group by default. The permission is also added to the new
'oath' grant so that it can be used via OAuth and bot passwords.

Use of this API is security sensitive and should not be granted lightly.
Configuring a special 'oathauth' user group to grant the needed
'oathauth-api-all' permission is recommended.

This check is primarily useful as an internal network service in an
environment where MediaWiki and other applications are sharing the same
backing authentication store (e.g. LDAP) and the non-MediaWiki
applications would like to respect the OATH protections enabled on the
MediaWiki install.

Bug: T144712
Change-Id: I4884f6efdfa42db82c25eadb70c7aefa98c370e9
2016-10-07 12:10:18 -07:00
Translation updater bot 00c8e5338c Localisation updates from https://translatewiki.net.
Change-Id: I60dd1befac5dc36205db2f5bc3574fa7c496ab16
2016-10-05 22:43:08 +02:00
Reedy 52686c04b7 Minor documentation updates
Update DatabaseBase type hint

Update some deprecated code usages

Change-Id: I86aa4507447040754d0c9f20171f7e22aed4a0cc
2016-10-02 12:25:59 +00:00
Reedy 9cceee17cc Clean up code style and docblocks
* array() -> []
* spacing fixes
* dirname( __FILE__ ) -> __DIR__
* Add phpcs style checks using latest mediawiki-codesniffer to keep
  things clean.

Co-Authored-By: Bryan Davis <bd808@wikimedia.org>
Change-Id: I95735f928d3e5d6ac9d2a10d92b40ed01cf2737c
2016-09-30 14:40:06 -06:00
jenkins-bot 624c7aca6a Merge "Suppress unserialize errors" 2016-09-30 20:13:42 +00:00
jenkins-bot 3391429b3d Merge "We need a master to do write actions..." 2016-09-30 20:04:58 +00:00
Bryan Davis 03d890f3da Fix some comments
* Spelling in OATHAuthHooks::onRegistration comment
* Remove incorrect comment for OATHAuth::__construct
* Spelling in TOTPAuthenticationRequest class phpdoc

Change-Id: Iaf670a1b86e82b4684489371c8152b8055bff90e
2016-09-28 21:25:45 -06:00
Bryan Davis 0e37c6ca1f Add composer.lock to .gitignore
Change-Id: If5b8459cd967bf4b056573f4223f5bc886960251
2016-09-28 21:25:40 -06:00
jenkins-bot 3dc8dc3b1e Merge "Show the first input as a warning, not as an error box" 2016-09-17 18:05:17 +00:00
Reedy d38cb8e87c Suppress unserialize errors
Bug: T130740
Change-Id: I20b076b7f3ce15d31a21f8935b74f9121f70c5a3
2016-09-17 00:05:25 +01:00
Reedy bfe362d059 We need a master to do write actions...
Change-Id: I618d371cdf76d96370c65975db702ed2fef0579c
2016-09-17 00:04:05 +01:00
Translation updater bot 69506832f0 Localisation updates from https://translatewiki.net.
Change-Id: I554f993eb9618e78f218991fc055c774c7052346
2016-08-17 22:40:18 +02:00
Translation updater bot 57e3f9dc24 Localisation updates from https://translatewiki.net.
Change-Id: Ica4440bb1aaa56ad3f03fe8f79c9b165b5b6bf1e
2016-08-08 22:33:45 +02:00