Commit graph

25 commits

Author SHA1 Message Date
Kunal Mehta a6810b041d Hide empty square for QR code with CSS for no-JS users
Change-Id: Id557bce14a623d894e0b23123c8ef037ddd3cc53
2016-11-14 18:23:53 -08:00
Hydriz 0b460de458 Declare issuer name in QR code when setting up 2FA
The issuer name is an optional but important feature that allows
the user to differentiate between different accounts used in the
same authenticator app. While we currently use a prefix in the
user account name, declaring an issuer makes it easier for the
user to differentiate.

Bug: T150596
Change-Id: I741dd671e79e0326dfe97bdaaf63b3997960d115
2016-11-13 07:11:03 +00:00
Bryan Davis a6b60d2465 Apply rate limits to all token verifications
Extend the token validation failure checks introduced in I4884f6e to the
other interactions where OATHAuthKey::verifyToken is used.

Depends-On: Ia3add8bbbab0307f036e9b77e752c382da3a0d04
Change-Id: Icbe5cdf561c683dc971a099d61cedff311b26b43
2016-10-07 17:24:32 -07:00
Reedy 52686c04b7 Minor documentation updates
Update DatabaseBase type hint

Update some deprecated code usages

Change-Id: I86aa4507447040754d0c9f20171f7e22aed4a0cc
2016-10-02 12:25:59 +00:00
Reedy 9cceee17cc Clean up code style and docblocks
* array() -> []
* spacing fixes
* dirname( __FILE__ ) -> __DIR__
* Add phpcs style checks using latest mediawiki-codesniffer to keep
  things clean.

Co-Authored-By: Bryan Davis <bd808@wikimedia.org>
Change-Id: I95735f928d3e5d6ac9d2a10d92b40ed01cf2737c
2016-09-30 14:40:06 -06:00
Brian Wolff 185bce5859 Fixup qrcode-generating js, to stop race condition.
Previously there was a race condition where the qrcode would
not show if the startup module finished loading prior to the
div that should contain the qrcode being loaded. This quite
commonly happened on wikipedia during a hit where js is cached
(But does not happen locally, my theory is that that is due to
how packets get split over the network but not from localhost).

Change it to use a normal RL module, as that seems best practise.
Also do not load the qrcode js on special pages that do not use it.
Finially, remove position:top as its not needed.

Bug: T136988
Change-Id: I5139f222207203d834bdc979b21c1fc94f242ac2
2016-06-20 03:42:28 -04:00
Dpatrick 6f809fef27 Merge "Add URL encoding to TOTP QR code URL" 2016-05-26 18:19:22 +00:00
Tyler Romeo 7b8a68fd5a
Add URL encoding to TOTP QR code URL
Add RFC 3986 URI encoding to the account label in accordance with the
Google Authenticator specification to ensure the QR code is properly
generated for usernames with special characters in them.

Bug: T136269
Change-Id: I18175c9a3c9a45346fa7a227a5209194385c6696
2016-05-26 12:20:06 -04:00
Aaron Schulz 9b8edbb7c7 Define doesWrites() for special pages
Change-Id: Ie76189ad1c91150e4cef315dacbb845911f7477a
2016-05-25 12:25:10 -07:00
csteipp a24d6adfbf Encrypt password when stored in user session
During the two-step login, users with OATH enabled need to have their
login details saved into their session while we prompt them for their
OATH code. This encrypts that data, so we don't write their user's
password into our session storage.

Change-Id: I9969871205ac5c438706df41ef1519cb4cd7a964
2016-03-30 21:23:48 -07:00
Tyler Anthony Romeo 1a8006317d Move token login to separate page
Rather than have an extraneous form on the login page,
move the token input to a separate page. The actual
logic for logging in is identical, the only difference
is that the token is added to the form data on a second
page request.

Bug: 53195
Change-Id: I39859cc59f1811de42b72f6167d332ea48812f97
2016-03-29 16:02:54 -07:00
Tyler Romeo 4e9ad22469 Add user right for enabling two-factor auth
Make new right oathauth-enable that the user must have to enable two
factor authentication (disabling and logging in, of course, are still
allowed).

Bug: T100376
Change-Id: I18d43f8b2cf2c2ce9c2309a43961686498b5c999
2016-03-24 12:45:41 -07:00
Tyler Romeo 67c7dd10e7 Allow for using separate database for OATH creds
Add configuration variable for specifying what database the OATH
credentials are stored in, that way wikis that use CentralAuth can
centralize their two-factor authentication data as well.

Bug: T100374
Change-Id: I285e2fe29fee43ddc6c5a6e51823911d43c596f6
2016-03-24 12:03:23 -07:00
Tyler Anthony Romeo 0c389f5025 Refactored special pages into HTMLForm and proxy
Made new class ProxySpecialPage, which acts as a
proxy object to another SpecialPage object that is
determined based on context information other than
the title.

Then Special:OATH has been split into two separate
special page classes (both FormSpecialPages using
HTMLForm) that are routed to by a ProxySpecialPage
object.

In addition, the form for enabling two-factor auth
has been refactored into vform style, with some
better instructions on how to enable two-factor
authentication.

Change-Id: Ib9117cbc9d7f044de9607db81a157e1b472b5ec0
2016-03-23 11:26:04 -07:00
Tyler Anthony Romeo 89455cdfb2 Refactor extension key storage
This takes out the actual key information from
OATHUser and puts it into an OATHKey class, which OATHUser
depends on. This allows easily swapping keys in/out from
a user.

Change-Id: Ife5f1bae4ad65b66c5e20017cc43c0576b4aba19
2016-03-22 18:08:45 -07:00
Gergő Tisza 3bb7cd6440 Fix QR code generation module dependency
Bug: T118511
Change-Id: Idf11e9a469f9e9faa342d82843cf06f7e47406c6
2015-11-16 00:40:29 -08:00
Kunal Mehta e743f45af7 Fix QR code generation by using ResourceLoader::makeInlineScript()
Untested, but a similar patch unbroke CodeReview (ad038c0625490be55).

Bug: T118511
Change-Id: I522e51ea77abdf88bd71bd24ecb7be570675c1e8
2015-11-12 15:34:21 -08:00
umherirrender 633472edf8 Replace deprecated $wgSpecialPageGroups
$wgSpecialPageGroups is deprecated since 1.21
override SpecialPage::getGroupName instead

Change-Id: I131cc6af6dd4a668426d47132a5fd1d3331766a2
2015-06-24 20:46:24 +02:00
Tyler Anthony Romeo 5f70fed5dc Code-base cleanup
* Removed use of deprecated core features
* Made code style fixes
* Made pass phpcs-strict
* Fixed special page aliases

Change-Id: Iae2a0a7d6f0fb2ea5080795a06ae257af96dfaf6
2014-05-11 10:34:58 +02:00
Siebrand Mazeland 6661dbfa18 Pass context to HTMLForm, don't use HTMLForm::setTitle
Change-Id: I5325d1b9db2db9ea6fa0006cd9c4a2e10db05d75
2014-01-07 16:29:17 +01:00
Reedy 99cf0d85e1 Bug 40091 - OATHAuth should have relevant links in preferences
Change-Id: I17ac042f5a5093b2c0b2ce8d088f95213d1c0509
2013-03-11 19:02:20 -07:00
Mormegil 08a9846b92 (bug 42334) Verify OATH token prior to disabling two-factor
SpecialOATH must verify the supplied OATH token before calling
OATHUser::disable(), as the latter method does not do it.

Change-Id: If5f6bc332fb29f7287d5d7ebf9849035e79ba79e
2012-11-21 21:37:16 +01:00
Ryan Lane d5d0faeeea Ensure Special:OATH doesn't 500 for anons
Change-Id: I7f575d0154208a9b8e92eb84ebb2c57a3b464ddf
2012-06-13 17:48:37 +02:00
Reedy 1eea41eb1c Couple of fixme comments
Tidy up parameter documentation

Change-Id: I1a615d44e9092cf080ef1aed9dba50c3b5416392
2012-05-11 19:05:43 +01:00
Ryan Lane ac7f7b5a78 Initial check-in of OATHAuth
OATHAuth is an HMAC HOTP two factor authentication plugin.

Change-Id: Icc75edda755f0a86402524a1a2aa8899351adcc4
2012-05-09 10:16:41 -07:00