
Update MediaWikiAuth to use AuthManager
Closed, Resolved | Public

Description

This should likely be redone as a PrimaryAuthenticationProvider, hopefully without the requirement of patching MediaWiki core.

The code for logging in to the remote wiki may also need updating, since API action=login is no longer guaranteed to continue working for the main account password under AuthManager.

Event Timeline

Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description.
Tgr added subscribers: Aklapper, Tgr.

Yup, this definitely needs doing. And I don't know how.

As much as the remote wiki is unlikely to be up-to-date and use AuthManager, it needs to still support it there, too.

Although personally I would suggest deprecating this extension in favor of OAuthAuthentication which has a much saner security model.

> Although personally I would suggest deprecating this extension in favor of OAuthAuthentication which has a much saner security model.

OAuthAuthentication serves a completely different use case, which doesn't really help here - if the users are in a position to get OAuthAuthentication installed, they are not going to be needing MWAuth in the first place. The whole point of MWAuth is that you install it on one wiki so you can get user data off of another that you have no access to or control over, generally because the host has somehow managed to thoroughly piss off your entire community for some reason, or has just proven itself generally incompetent to serve their needs. It is essentially a user-authorised man-in-the-middle attack on a target wiki that in all likelihood does not even have AuthManager because they are very out of date, and in some extreme cases may also not have a public API or be very unstable to boot, all of which have led a community to decide to make the very drastic move to try to forcibly take their entire wiki off and move somewhere else.

What we need from MWAuth is for it to support everything:

  • Arbitrary mw versions on the target wiki, potentially as low as 1.12
  • No public API on the target wiki (screenscraping)
  • AuthManager on the target wiki (one can dream, right?)

We want AuthManager support on the host wiki because that's what mw is using now, but we have NO idea what's going to be on the target.

I think I've kind of figured out how to do most of this, but the replacement for initUser() is to use the LocalUserCreated hook.

How do I pass data from my PrimaryAuthenticationProvider to the hook?

Thanks for explaining the context.

Supporting AuthManager in the host is easy, just transform the AuthPlugin subclass into a PrimaryAuthenticationProvider implementation, and move the snippets from the core patch into it. (If you want to support old MW branches in the same version, keep the AuthPlugin as well and check whether the AuthManager class exists before deciding which one to register.) You'll probably want to do the revision history checks in the test* methods, and also query the existence of the remote user there; apart from that, just implement the two beginPrimary* methods. (Unless you want to allow users to register with a different username from the target wiki, in which case you need to do more.)

As for supporting AuthManager on the target:

  • for wikis which support the API and don't add new fields to the login form, the current code should continue to work
  • if they don't support the API, you might have to add a few static form fields, change field names, but nothing complicated.
  • if the target wiki allows bot passwords, you can ask the user to set one up and use that - that will mean you either have to ask for the bot login name (which is in the form of username@botname) in an extra login field, or have the users put username@botname in the username field but then log them in as username. Either way is easy.
  • beyond that, it's up to you how many extra fields you will try to support (2FA? captcha?). This is not really different from the old "no API" case, I suppose.

> I think I've kind of figured out how to do most of this, but the replacement for initUser() is to use the LocalUserCreated hook.
>
> How do I pass data from my PrimaryAuthenticationProvider to the hook?

Globals etc. But you probably want to use the provider's finishAccountCreation instead.
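The second bot-password option from the comment above (username@botname typed into the username field, local login as username), as an added example that is not part of the thread or of MediaWikiAuth. The function name, the remote-existence callback and the sample account names are assumptions; the callback stands in for the remote user lookup the comment suggests doing in the test* methods.

```php
<?php
// Added example, not MediaWikiAuth code. resolveLoginName() and the
// $remoteUserExists callback are hypothetical names.

const BOT_SEPARATOR = '@'; // separator from the thread: username@botname

/**
 * Map the text typed into the username field to the name sent to the
 * target wiki ('remote') and the name of the local account ('local').
 * Returns null for input that must be rejected.
 */
function resolveLoginName( string $input, callable $remoteUserExists ): ?array {
	$input = trim( $input );
	if ( $input === '' ) {
		return null;
	}
	$pos = strrpos( $input, BOT_SEPARATOR );
	if ( $pos === false ) {
		// Ordinary login with the main account password.
		return [ 'remote' => $input, 'local' => $input, 'bot' => null ];
	}
	// Assumption: an old target wiki may have account names that contain
	// the separator. Such a name must never be shortened, or its owner
	// would be logged in locally as a different user.
	if ( $remoteUserExists( $input ) ) {
		return [ 'remote' => $input, 'local' => $input, 'bot' => null ];
	}
	$user = substr( $input, 0, $pos );
	$bot = substr( $input, $pos + 1 );
	if ( $user === '' || $bot === '' || !$remoteUserExists( $user ) ) {
		return null;
	}
	// Authenticate remotely with the full string, log in locally as $user.
	return [ 'remote' => $input, 'local' => $user, 'bot' => $bot ];
}

// Constructed sample data standing in for a lookup on the target wiki.
$remoteUsers = [ 'Alice', 'old@name' ];
$exists = static function ( string $name ) use ( $remoteUsers ): bool {
	return in_array( $name, $remoteUsers, true );
};
foreach ( [ 'Alice', 'Alice@migration', 'old@name', '@migration', 'Alice@' ] as $typed ) {
	echo $typed, ' => ', json_encode( resolveLoginName( $typed, $exists ) ), "\n";
}
```

The helper fails closed: when the full string is itself a remote account name it is never treated as a bot login, so that account cannot be mapped onto the shorter local name.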

Skizzerz claimed this task.
Skizzerz subscribed.

Now uses AuthManager as of v0.9.0 (will be submitted to Gerrit in the near future)

Change 386711 had a related patch set uploaded (by Skizzerz; owner: Skizzerz):
[mediawiki/extensions/MediaWikiAuth@master] Update extension for AuthManager

https://gerrit.wikimedia.org/r/386711

Change 386711 merged by jenkins-bot:
[mediawiki/extensions/MediaWikiAuth@master] Update extension for AuthManager

https://gerrit.wikimedia.org/r/386711