We need a way, for certain wikis, to force certain users to use OATHAuth.
There are two (somewhat complementary) possible approaches:
- Refactor OATHAuth to use AuthManager for enabling/disabling (T137471), then write a SecondaryAuthenticationProvider that asks for 2FA to be set up after a successful login. (ResetPasswordSecondaryAuthenticationProvider is an example.) This is good when we want to completely lock users out of the wiki until they have set up 2FA but is less effective for already logged-in users who get promoted into a new user group (although the system could log them out when the promotion happens if they do not have 2FA set up).
- Use the UserGetRights hook to disable sensitive permissions until 2FA is set up, and find some way to communicate to the user what is going on. This is good when we only want to require users with access to a certain permission to use 2FA, but the communication part seems messy (see T180888: All permission checks should be able to return a custom error message).
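A sketch of the second approach, added here as an illustration and not code from this task or from OATHAuth itself: a UserGetRights handler that strips configured sensitive rights until the user has a 2FA module enabled. The hook signature is MediaWiki's; the `$wgTwoFactorRequiredRights` variable and the session key are placeholders, and the OATHAuth repository lookup is assumed from the extension's service wiring.

```php
<?php
// Added illustration, not code from the task or from OATHAuth.
// Gates sensitive rights on 2FA without touching group membership.

use MediaWiki\MediaWikiServices;

class RequireTwoFactorHooks {

	/**
	 * Rights withheld while 2FA is not set up.
	 * $wgTwoFactorRequiredRights is a placeholder config variable;
	 * the fallback list is only an example.
	 */
	private static function requiredRights(): array {
		global $wgTwoFactorRequiredRights;
		return $wgTwoFactorRequiredRights ?? [ 'userrights', 'editinterface' ];
	}

	/**
	 * Assumed OATHAuth lookup: the 'OATHUserRepository' service and
	 * OATHUser::getModule() returning null when no 2FA module is enabled.
	 */
	private static function userHasTwoFactor( User $user ): bool {
		$repo = MediaWikiServices::getInstance()->getService( 'OATHUserRepository' );
		return $repo->findByUser( $user )->getModule() !== null;
	}

	/**
	 * UserGetRights hook: $rights is the list of rights the user holds.
	 * Removing entries here blocks the actions while the user keeps the
	 * group, which is what the second approach in the task needs.
	 */
	public static function onUserGetRights( User $user, array &$rights ): void {
		if ( $user->isAnon() || self::userHasTwoFactor( $user ) ) {
			return;
		}
		$gated = array_intersect( $rights, self::requiredRights() );
		if ( $gated === [] ) {
			return; // nothing sensitive to withhold
		}
		$rights = array_values( array_diff( $rights, $gated ) );
		// One way to approach the communication problem (T180888): remember
		// what was stripped so a later permission error can explain why.
		// Session key is a placeholder chosen for this sketch.
		$user->getRequest()->setSessionData( 'twofactor-stripped-rights', $gated );
	}
}
```

Register the handler under `UserGetRights` in extension.json; the stashed list is there for whatever permission-error message surfaces the explanation to the user.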