mirror of
https://gerrit.wikimedia.org/r/mediawiki/extensions/OATHAuth
36c523ab23
Add a new internal action=oathvalidate Action API module that can be used to validate an OATH token collected from a user. Using the module requires the 'oathauth-api-all' permission introduced in I4884f6e. Attempts to call the action for a given user are rate limited to only allow 10 failures per minute using the new 'badoath' key. The check is primarily useful as an internal network service in an environment where MediaWiki and other applications are sharing the same backing authentication store (e.g. LDAP) and the non-MediaWiki applications would like to respect the OATH protections enabled on the MediaWiki install.

Complete usage in an LDAP shared auth environment would look something like:
* Authenticate a user with the LDAP server via auth-bind
* Call action=query&meta=oath as a privileged user to check for OATH protection.
* If OATH is active for the account, prompt the user for their current OATH token.
* Call action=oathvalidate as a privileged user to validate the token.
* If validation succeeds, complete authentication.
* If validation fails, do not authenticate the user.

Bug: T144712
Change-Id: I1b18d9f3b99364fc47c760bdfc2047c1cbb5c04a
110 lines
2.4 KiB
JSON
{
"name": "OATHAuth",
"version": "0.2.1",
"author": "Ryan Lane",
"url": "https://www.mediawiki.org/wiki/Extension:OATHAuth",
"descriptionmsg": "oathauth-desc",
"type": "other",
"license-name": "GPL-2.0+",
"AutoloadClasses": {
"ApiOATHValidate": "api/ApiOATHValidate.php",
"ApiQueryOATH": "api/ApiQueryOATH.php",
"OATHAuthHooks": "OATHAuth.hooks.php",
"OATHAuthLegacyHooks": "OATHAuth.hooks.legacy.php",
"OATHAuthKey": "OATHAuthKey.php",
"OATHAuthUtils": "OATHAuthUtils.php",
"OATHUserRepository": "OATHUserRepository.php",
"HOTP": "lib/hotp.php",
"HOTPResult": "lib/hotp.php",
"Base32": "lib/base32.php",
"OATHUser": "OATHUser.php",
"SpecialOATH": "special/SpecialOATH.php",
"SpecialOATHEnable": "special/SpecialOATHEnable.php",
"SpecialOATHDisable": "special/SpecialOATHDisable.php",
"SpecialOATHLogin": "special/SpecialOATHLogin.php",
"ProxySpecialPage": "special/ProxySpecialPage.php",
"TOTPAuthenticationRequest": "auth/TOTPAuthenticationRequest.php",
"TOTPSecondaryAuthenticationProvider": "auth/TOTPSecondaryAuthenticationProvider.php"
},
"ExtensionMessagesFiles": {
"OATHAuthAlias": "OATHAuth.alias.php"
},
"callback": "OATHAuthHooks::onRegistration",
"Hooks": {
"TwoFactorIsEnabled": [
"OATHAuthHooks::onTwoFactorIsEnabled"
],
"LoadExtensionSchemaUpdates": [
"OATHAuthHooks::onLoadExtensionSchemaUpdates"
],
"GetPreferences": [
"OATHAuthHooks::onGetPreferences"
]
},
"MessagesDirs": {
"OATHAuth": [
"i18n"
]
},
"config": {
"OATHAuthWindowRadius": 4,
"OATHAuthDatabase": false,
"OATHAuthSecret": false
},
"ResourceModules": {
"ext.oathauth": {
"scripts": [
"jquery.qrcode.js",
"qrcode.js"
]
},
"ext.oath.showqrcode": {
"scripts": [
"ext.oath.showqrcode.js"
],
"dependencies": [
"ext.oathauth"
]
}
},
"ResourceFileModulePaths": {
"localBasePath": "modules",
"remoteExtPath": "OATHAuth"
},
"SpecialPages": {
"OATH": "SpecialOATH"
},
"AvailableRights": [
"oathauth-enable",
"oathauth-api-all"
],
"GroupPermissions": {
"*": {
"oathauth-enable": true
}
},
"GrantPermissions": {
"oath": {
"oathauth-api-all": true
}
},
"GrantPermissionGroups": {
"oath": "authentication"
},
"APIModules": {
"oathvalidate": "ApiOATHValidate"
},
"APIMetaModules": {
"oath": "ApiQueryOATH"
},
"RateLimits": {
"badoath": {
"user": [
10,
60
]
}
},
"manifest_version": 1
}