Investigation: What would be the best way to support loginwiki from LoginNotify
Closed, ResolvedPublic3 Story Points

Description

The LoginNotify extension requires Echo to be useful, but loginwiki doesn't have Echo installed. What would the the best way to support loginwiki from LoginNotify?

Some possible ideas:

  • Install Echo on loginwiki and rely on cross-wiki notifications. (This might be problematic since we don't want people to actually visit loginwiki.)
  • Modify LoginNotify to send notifications to a user's home wiki (as defined by CentralAuth) rather than the local wiki.
  • Modify LoginNotify to send notifications to a configured fall-back wiki (e.g. meta) if Echo isn't available on the local wiki.
  • Disable login at loginwiki

See T153335#2899401 for more discussion.

kaldari created this task.Dec 24 2016, 12:11 AM
kaldari moved this task from Untriaged to Epic backlog on the Community-Tech board.
Tgr added a subscriber: Tgr.Dec 24 2016, 12:56 AM

As far as AuthManager is concerned, the login happens on the wiki where you type in your password; on loginwiki a session is created, but that's a different thing from a login. An attacker going to loginwiki and logging in there is a concern, but that can probably be prevented by simply disabling login (that came up in the past but I don't remember the details; maybe @Bawolff does).

One thing to consider is that Echo uses a queue so emails are not sent instantly. An attacker can probably prevent them from being sent by immediately changing email address or Echo preferences.

T128351: RfC: Notifications in core might eventually make the issue of non-Echo wikis moot.

Problem with "home" wiki is that for many it is not. That may require the ability to set a "home" wiki

kaldari set the point value for this task to 3.Jan 3 2017, 5:41 PM
Niharika claimed this task.Jan 6 2017, 5:08 PM
Niharika moved this task from Ready to In Development on the Community-Tech-Sprint board.

@Legoktm Do you have any thoughts about disabling login on loginwiki altogether?

That seems like the best option out of the list IMO.

That seems like the best option out of the list IMO.

From my understanding, CentralAuth uses loginwiki to centrally login the user. If we disable login on loginwiki, will that be affected? Or is it able to disable the manual logins only?

Going off of what @Tgr said in T154064#2900070, loginwiki just handles the central login aspect, which is separate from the normal login (where you type in your username and password), so theoretically we could disable the normal login without affecting central login.

Change 333653 had a related patch set uploaded (by Niharika29):
Disable logins on loginwiki to support LoginNotify

https://gerrit.wikimedia.org/r/333653

From Brad's feedback at https://gerrit.wikimedia.org/r/#/c/333653/ it sounds like disabling login on loginwiki is a bit more complicated than we were expecting. Does that still seem like the best solution?

Tgr added a comment.Jan 26 2017, 7:56 PM

I don't know much about installing Echo on loginwiki; I don't really understand the other two alternatives (how would you send notifications from a wiki where Echo is not installed?). As for disabling login, it's cumbersome but not particularly hard: modify a few config settings ($wgEnableBotPasswords, $wgAPIModules, $wgSessionProviders), add a one-liner PreAuthenticationProvider class to $wgAuthManagerConfig which always fails (probably requires a WikimediaMessages patch as well so it can be translated, or maybe we can just put that provider in core), add a one-liner to $wgHooks['PersonalUrls'] to remove the login link. The PreAuthenticationProvider stops all login attempts (apart from bot passwords / OAuth - how to handle those is probably a wider issue that's problematic on other wikis as well), the rest is just UX polish, so it's reasonably robust. Maybe add a UserLoggedIn hook throwing exceptions for layered defense.

@Tgr: Thanks for the feedback. It sounds like disabling login is the best route, so I'll go ahead and create a new task for that.

kaldari closed this task as Resolved.Jan 26 2017, 9:42 PM

@Tgr: Thanks for the feedback. It sounds like disabling login is the best route, so I'll go ahead and create a new task for that.

Follow-up for people reading this ticket: T156421: Disable login on loginwiki was declined, so we're looking at T157105: Enable Echo on loginwiki instead.

Follow-up for people reading this ticket: T156421: Disable login on loginwiki was declined, so we're looking at T157105: Enable Echo on loginwiki instead.

That task gives me Access denied.

@Niharika: Added you as a subscriber.

Change 333653 abandoned by Niharika29:
Disable logins on loginwiki to support LoginNotify

Reason:
Now that loginwiki has echo, we don't need this.

https://gerrit.wikimedia.org/r/333653