mediawiki-extensions-OATHAuth/maintenance/disableOATHAuthForUser.php
Kunal Mehta 329c3133d6 Send a notification when 2FA is disabled
Notify users when 2FA is disabled on their account in case something was
fishy about it. This notification is a "system" notification that will
be displayed in the web UI and sent over email. It can't be opted out of
as a preference.

The notification links to Special:Preferences, where users can see their
2FA status and re-enable it if they want. A secondary help link goes to
[[mw:Help:Two-factor authentication]], but can be overridden by
adjusting the "oathauth-notifications-disable-helplink" message. The
notification text is different based on whether the user disabled 2FA on
their own, or an admin used the special page or a maint script to do it.

On Wikimedia wikis, we'll use the WikimediaMessages extension to
customize the messages.

The Echo (Notifications) extension is not required; if it is not enabled, the
notification step is skipped and the rest of the operation proceeds unchanged.

Bug: T210075
Bug: T210963
Change-Id: I99077ea082b8483cc4fd77573a0d00fa98201f15
2022-02-17 00:14:20 -08:00


<?php
use MediaWiki\Extension\OATHAuth\IModule;
use MediaWiki\MediaWikiServices;
use MediaWiki\Session\SessionManager;
// Locate the MediaWiki core checkout: honour MW_INSTALL_PATH when it is set to a
// non-empty value, otherwise assume the default layout where this extension lives
// under <core>/extensions/OATHAuth (three directories up from maintenance/).
$IP = getenv( 'MW_INSTALL_PATH' ) ?: __DIR__ . '/../../..';
require_once "$IP/maintenance/Maintenance.php";
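/**
 * Maintenance script that removes a user's second factor (OATHAuth) and
 * terminates all of their sessions.
 *
 * This is a privileged, unauthenticated-by-design operation (it runs from the
 * shell, not from the web UI), so it should only be reachable by operators who
 * have verified the request out of band. The removal is attributed to
 * "Maintenance script" in the repository and is flagged as not self-initiated,
 * so any notification the repository sends tells the user that someone other
 * than themselves disabled 2FA.
 */
class DisableOATHAuthForUser extends Maintenance {
	public function __construct() {
		parent::__construct();
		$this->addDescription( 'Remove OATHAuth from a specific user' );
		// Positional argument 0: the target username.
		$this->addArg( 'user', 'The username to remove OATHAuth from.' );
		$this->requireExtension( 'OATHAuth' );
	}

	/**
	 * Look up the named user, refuse to proceed unless they exist and have a
	 * second factor enabled, then remove it and invalidate their sessions.
	 *
	 * Exits via fatalError() (non-zero status) on an unknown/invalid username
	 * or when the user has no OATHAuth module enabled.
	 */
	public function execute() {
		$username = $this->getArg( 0 );
		$user = User::newFromName( $username );
		// User::newFromName() can return a non-object for a syntactically invalid
		// username (the original code guarded with `$user &&`) and an object with
		// ID 0 for a well-formed name that has no account. The previous check only
		// rejected the second case and let a false value fall through into
		// findByUser(); both cases must abort here.
		if ( !$user || $user->getId() === 0 ) {
			$this->fatalError( "User $username doesn't exist!" );
		}

		$repo = MediaWikiServices::getInstance()->getService( 'OATHUserRepository' );
		$oathUser = $repo->findByUser( $user );
		$module = $oathUser->getModule();
		// Nothing to remove unless a module is attached and currently enabled.
		if ( !( $module instanceof IModule ) || $module->isEnabled( $oathUser ) === false ) {
			$this->fatalError( "User $username doesn't have OATHAuth enabled!" );
		}

		// Third argument (false) marks this as NOT a self-initiated removal, so the
		// user is told that an operator, not they themselves, disabled 2FA.
		$repo->remove( $oathUser, 'Maintenance script', false );

		// Kill all existing sessions. If this disable was social-engineered by an attacker,
		// the legitimate user will hopefully login again and notice that the second factor
		// is missing or different, and alert the operators.
		SessionManager::singleton()->invalidateSessionsForUser( $user );

		$this->output( "OATHAuth disabled for $username.\n" );
	}
}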
// Standard MediaWiki maintenance-script entry point: name the class to run, then
// hand off to core. RUN_MAINTENANCE_IF_MAIN is defined by Maintenance.php (required
// above); per its name it only executes the script when this file is the one being
// run directly, so including the file elsewhere merely defines the class.
$maintClass = DisableOATHAuthForUser::class;
require_once RUN_MAINTENANCE_IF_MAIN;