addDescription( 'Remove OATHAuth from a specific user' ); $this->addArg( 'user', 'The username to remove OATHAuth from.' ); $this->requireExtension( 'OATHAuth' ); } public function execute() { $username = $this->getArg( 0 ); $user = MediaWikiServices::getInstance()->getUserFactory() ->newFromName( $username ); if ( $user === null || $user->getId() === 0 ) { $this->fatalError( "User $username doesn't exist!" ); } $repo = MediaWikiServices::getInstance()->getService( 'OATHUserRepository' ); $oathUser = $repo->findByUser( $user ); $module = $oathUser->getModule(); if ( !( $module instanceof IModule ) || $module->isEnabled( $oathUser ) === false ) { $this->fatalError( "User $username doesn't have OATHAuth enabled!" ); } $repo->remove( $oathUser, 'Maintenance script', false ); // Kill all existing sessions. // If this request to disable 2FA was social-engineered by an attacker, // the legitimate user will hopefully log in again to the wiki, and notice that the second factor // is missing or different, and alert the operators. SessionManager::singleton()->invalidateSessionsForUser( $user ); $this->output( "OATHAuth disabled for $username.\n" ); } } $maintClass = DisableOATHAuthForUser::class; require_once RUN_MAINTENANCE_IF_MAIN;