mediawiki-extensions-OATHAuth/extension.json
Kunal Mehta 498dcfeb80 Require OATHAuth for membership in specified user groups
Users in groups listed in $wgOATHRequiredForGroups (default none) must
have two-factor authentication enabled otherwise their membership in
those groups will be disabled. This is done using the
UserEffectiveGroups hook, which allows dynamically adding or removing
user groups.

If a user doesn't have 2FA enabled, it will appear to them as if they
aren't a member of the group at all. Special:Preferences will show which
groups are disabled. In the future it would be good to have a hook into
PermissionsError to show this as well. The UserGetRights hook is used to
ensure the user still has the "oathauth-enable" user right in case it
was only granted to them as part of the user group they are disabled
from.

On the outside, Special:ListUsers will still show the user as a member
of the group. The API list=users&prop=groups|groupmemberships will show
inconsistent information: groups will omit disabled groups while
groupmemberships will still list them.

This functionality was somewhat already available with
$wgOATHExclusiveRights, except that implementation has flaws outlined at
T150562#6078263 and haven't been resolved in I69af6a58e4 for over a year
now. If this works out, it's expected that will be deprecated/removed.

Bug: T150562
Change-Id: I07ebddafc6f2233ccec216fa8ac6e996553499fb
2022-02-14 00:47:20 -08:00


{
"name": "OATHAuth",
"version": "0.5.0",
"author": [
"Ryan Lane",
"Robert Vogel <vogel@hallowelt.com>",
"Dejan Savuljesku <savuljesku@hallowelt.com>"
],
"url": "https://www.mediawiki.org/wiki/Extension:OATHAuth",
"descriptionmsg": "oathauth-desc",
"type": "other",
"requires": {
"MediaWiki": ">= 1.37.0"
},
"license-name": "GPL-2.0-or-later AND GPL-3.0-or-later",
"attributes": {
"OATHAuth": {
"Modules": {
"totp": "\\MediaWiki\\Extension\\OATHAuth\\Module\\TOTP::factory"
}
}
},
"AutoloadNamespaces": {
"MediaWiki\\Extension\\OATHAuth\\": "src/"
},
"TestAutoloadNamespaces": {
"MediaWiki\\Extension\\OATHAuth\\Tests\\": "tests/phpunit/"
},
"AuthManagerAutoConfig": {
"secondaryauth": {
"OATHSecondaryAuthenticationProvider": {
"class": "\\MediaWiki\\Extension\\OATHAuth\\Auth\\SecondaryAuthenticationProvider",
"sort": 50
}
}
},
"ServiceWiringFiles": [
"ServiceWiring.php"
],
"ExtensionMessagesFiles": {
"OATHAuthAlias": "OATHAuth.alias.php"
},
"Hooks": {
"AuthChangeFormFields": "main",
"LoadExtensionSchemaUpdates": "\\MediaWiki\\Extension\\OATHAuth\\Hook\\LoadExtensionSchemaUpdates\\UpdateTables::callback",
"GetPreferences": "main",
"getUserPermissionsErrors": "main",
"UserEffectiveGroups": "main",
"UserGetRights": "main"
},
"HookHandlers": {
"main": {
"class": "\\MediaWiki\\Extension\\OATHAuth\\Hook\\HookHandler",
"services": [
"OATHUserRepository",
"PermissionManager",
"MainConfig",
"UserGroupManager"
]
}
},
"MessagesDirs": {
"OATHAuth": [
"i18n",
"i18n/api"
]
},
"config": {
"OATHAuthWindowRadius": {
"value": 4
},
"OATHAuthDatabase": {
"value": false
},
"OATHAuthAccountPrefix": {
"value": false
},
"OATHExclusiveRights": {
"value": []
},
"OATHRequiredForGroups": {
"value": []
}
},
"ResourceModules": {
"ext.oath.totp.showqrcode": {
"scripts": [
"totp/jquery.qrcode.js",
"totp/qrcode.js",
"totp/ext.oath.showqrcode.js"
],
"targets": [
"desktop",
"mobile"
]
},
"ext.oath.totp.showqrcode.styles": {
"styles": [
"totp/ext.oath.showqrcode.styles.css"
],
"targets": [
"desktop",
"mobile"
]
}
},
"ResourceFileModulePaths": {
"localBasePath": "modules",
"remoteExtPath": "OATHAuth/modules"
},
"SpecialPages": {
"DisableOATHForUser": {
"class": "\\MediaWiki\\Extension\\OATHAuth\\Special\\DisableOATHForUser",
"services": [
"OATHUserRepository",
"UserFactory"
]
},
"OATHManage": {
"class": "\\MediaWiki\\Extension\\OATHAuth\\Special\\OATHManage",
"services": [
"OATHUserRepository",
"OATHAuth"
]
},
"VerifyOATHForUser": {
"class": "\\MediaWiki\\Extension\\OATHAuth\\Special\\VerifyOATHForUser",
"services": [
"OATHUserRepository",
"UserFactory"
]
}
},
"AvailableRights": [
"oathauth-enable",
"oathauth-api-all",
"oathauth-disable-for-user",
"oathauth-verify-user",
"oathauth-view-log"
],
"GroupPermissions": {
"*": {
"oathauth-disable-for-user": false,
"oathauth-view-log": false
},
"user": {
"oathauth-enable": true
},
"sysop": {
"oathauth-disable-for-user": true,
"oathauth-verify-user": true,
"oathauth-view-log": true
}
},
"GrantPermissions": {
"oath": {
"oathauth-api-all": true,
"oathauth-verify-user": true
}
},
"GrantPermissionGroups": {
"oath": "authentication"
},
"APIModules": {
"oathvalidate": "\\MediaWiki\\Extension\\OATHAuth\\Api\\Module\\ApiOATHValidate"
},
"APIMetaModules": {
"oath": "\\MediaWiki\\Extension\\OATHAuth\\Api\\Module\\ApiQueryOATH"
},
"RateLimits": {
"badoath": {
"&can-bypass": false,
"user": [ 10, 60 ],
"user-global": [ 10, 60 ]
}
},
"ReauthenticateTime": {
"oathauth-enable": 60
},
"load_composer_autoloader": true,
"LogTypes": [ "oath" ],
"LogNames": {
"oath": "oath-log-name"
},
"LogHeaders": {
"oath": "oath-log-header"
},
"LogActionsHandlers": {
"oath/*": "LogFormatter"
},
"LogRestrictions": {
"oath": "oathauth-view-log"
},
"manifest_version": 2
}