
Enable 2FA normal login
Open, High, Public

Description

Per this blog post about Commons' Android app, it should be possible to let users who have 2FA enabled log in normally (without a BotPassword) by adding a field to the login form for the verification code:
https://addshore.com/2017/05/wikimedia-commons-android-app-pre-hackathon/
https://github.com/commons-app/apps-android-commons/blob/e3ef7002d5d77c1e8cd98c2a72bbc38c8959c276/app/src/main/java/fr/free/nrw/commons/auth/LoginTask.java#L117
https://github.com/commons-app/apps-android-commons/blob/b0e8175003a686789474238dd293aa89d1e925c7/app/src/main/java/fr/free/nrw/commons/mwapi/ApacheHttpClientMediaWikiApi.java#L93

// Second round of the Commons app's login: the same clientlogin call,
// continued with the 2FA code the user typed (see LoginTask.java above).
api.action("clientlogin")
        .param("rememberMe", "1")
        .param("username", username)
        .param("password", password)
        .param("logintoken", getLoginToken())
        .param("logincontinue", "1")
        .param("OATHToken", twoFactorCode)
        .post()

Diagram of how it should work

          +----------------------+                    +---------------------------+
          |Bot login is requested|                    |Classic login is requested |
          +-----------+----------+                    +--------------+------------+
                      |                                              |
                      |                                              |
                      |                                              |
        +-------------v-------------+                    +-----------v---------+
  Nope  |* Check username conforms  |                    |ClientLogin API query+----------+
+-------+  (it has @suffix)         |                    |is requested         |          |
|       +-------------+-------------+                    +------+--------+-----+          |
|                     |                                         |        |           +----v-----------------------+
|                     | Yes                                     |        |           |Query fails with other error|
|                     |                                         |        |           +--------------------------+-+
|                     |                                         |        |                                      |
|       +-------------v------------------+                      |  +-----v----------+   +---------------------+ |
|       |* Login using standard API query|                      |  |Query fails with+--->2FA form is displayed| |
|       |  action=login                  |                      |  |"UI" error      |   |to user and ask for  | |
|       +-----+--------------------+-----+                      |  +----------------+   |their login token    | |
|             |                    |                            |                       +-----+---------------+ |
|             |                    |                            |                             |                 |
|      +------v-----+        +-----v-----------------------+    |                      +------v--------------+  |
|      |Query failed|        |Query finished successfully  |    |              +-------+ClientLogin API query|  |
|      +------+-----+        +---------------------------+-+    |              |       |with token           |  |
|             |                                          |      |              |       +-----------+---------+  |
|             |                                          |      |              |                   |            |
|             |                                          |   +--v--------------v-+                 |            |
|             |                                          |   |Query is successful|          +------v----+       |
|             |                                          |   +--------------+----+          |Query fails|       |
|             |                                          |                  |               +------+----+       |
|             |                                          |                  |                      |            |
|      +------v----------------------------+             |   +--------------v--------+             |            |
+------>Show error to user with explanation|             +--->Login successful.      |             |            |
       |on what's wrong                    |                 |                       |             |            |
       +--------------------------^---^----+                 +--------------+--------+             |            |
                                  |   |                                     |                      |            |
                                  |   +-------------------------------------------------------------------------+
                                  |                                         |                      |
                                  +----------------------------------------------------------------+
                                                                            |
                                                                 +----------v-----------+
                                                                 |Continue login process|
                                                                 +----------------------+

Event Timeline

Restricted Application added a subscriber: Aklapper. Nov 11 2017, 8:11 AM
Petrb triaged this task as Low priority. Nov 11 2017, 10:28 AM

As I understand here T150900#2803838 action=login is deprecated, and we should instead use action=clientlogin, which supports 2FA. See this implementation too.

PR: https://github.com/huggle/huggle3-qt-lx/pull/260

Framawiki added a comment. (Edited) Nov 12 2017, 12:59 PM
                 "Login" button
                        +
                        |
                        |
           +------------v------------+
           |                         |
           |meta=tokens&type=login   |
           |                         |
           +------------+------------+
                        |
                        |
                        |
           +------------v------------+
           |action=clientlogin       |
           |with token, user, pass   |
           |                         |
           +------------+------------+
                        |
                        |
                        |
Works ("PASS")    <-----+----->    Fail ("UI")
                                   -> 2fa is enabled
       +                                  +
       |                                  |
       |
       |                               ask 2fa
       |
       |                                  +
       |                                  |
       |                      +-----------v-------------+
       |                      |action=clientlogin       |
       |                      |with user, pass, token,  |
       |                      |totp(2fa)                |
       |                      +-----------+-------------+
       |                                  |
       |                                  |
       |                                  |
       |                                  |
       +------> user is logged in <-------+
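The two-round clientlogin exchange sketched in the task description and in the comment above, written out as an added example for this task (not Huggle's or the Commons app's code). `client_login` drives the flow against any `api(params) -> json` callable; `FakeMediaWiki` is a constructed stand-in for api.php whose response shapes follow the clientlogin API (status PASS, FAIL or UI with a `requests` list naming the `OATHToken` field), and `totp` is a plain RFC 6238 implementation standing in for the user's authenticator app. The account name, password, TOTP secret and login-token value are all made up for the example.

```python
"""MediaWiki action=clientlogin with the OATH (TOTP) second step.
Added example for this task; not Huggle's or the Commons app's code."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Any, Callable, Dict, Optional

Params = Dict[str, str]
Json = Dict[str, Any]


class LoginError(Exception):
    """Raised when the login flow does not end in status PASS."""


def totp(secret_b32: str, for_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app shows."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def client_login(api: Callable[[Params], Json], username: str, password: str,
                 ask_2fa: Callable[[], str]) -> Json:
    """Run the flow: fetch a login token, POST clientlogin, and if the server
    answers status=UI asking for OATHToken, prompt once and continue."""
    tokens = api({"action": "query", "meta": "tokens", "type": "login", "format": "json"})
    login_token = tokens["query"]["tokens"]["logintoken"]
    r = api({"action": "clientlogin", "username": username, "password": password,
             "logintoken": login_token, "loginreturnurl": "http://localhost/",
             "rememberMe": "1", "format": "json"})["clientlogin"]
    if r["status"] == "UI":
        # Only continue if the interactive step really is the OATH one; any other
        # request type is not something a code prompt can satisfy.
        wanted = {f for req in r.get("requests", []) for f in req.get("fields", {})}
        if "OATHToken" not in wanted:
            raise LoginError(f"unsupported interactive step: {sorted(wanted)}")
        r = api({"action": "clientlogin", "logincontinue": "1",
                 "logintoken": login_token, "OATHToken": ask_2fa(),
                 "format": "json"})["clientlogin"]
    if r["status"] != "PASS":
        raise LoginError(r.get("message", r["status"]))
    return r


def try_login(api: Callable[[Params], Json], username: str, password: str, code: str) -> str:
    """Convenience wrapper: 'PASS' on success, otherwise the failure message."""
    try:
        return client_login(api, username, password, lambda: code)["status"]
    except LoginError as exc:
        return str(exc)


class FakeMediaWiki:
    """Constructed api.php stand-in with one account that has TOTP enabled."""

    def __init__(self, username: str, password: str, totp_secret: str,
                 clock: Callable[[], float] = time.time) -> None:
        self.username, self.password, self.secret = username, password, totp_secret
        self.clock = clock
        self.login_token = "c0ffee+\\"   # constructed value, not a real token
        self.awaiting_2fa = False

    def __call__(self, p: Params) -> Json:
        if p.get("action") == "query" and p.get("meta") == "tokens":
            return {"query": {"tokens": {"logintoken": self.login_token}}}
        if p.get("action") != "clientlogin" or p.get("logintoken") != self.login_token:
            return {"clientlogin": {"status": "FAIL", "message": "Invalid login token."}}
        if p.get("logincontinue") == "1":
            if not self.awaiting_2fa:
                return {"clientlogin": {"status": "FAIL", "message": "No login to continue."}}
            self.awaiting_2fa = False          # one attempt per password round
            expected = totp(self.secret, self.clock())
            if hmac.compare_digest(p.get("OATHToken", ""), expected):
                return {"clientlogin": {"status": "PASS", "username": self.username}}
            return {"clientlogin": {"status": "FAIL", "message": "Verification failed."}}
        if p.get("username") != self.username or p.get("password") != self.password:
            return {"clientlogin": {"status": "FAIL",
                                    "message": "Incorrect username or password entered."}}
        self.awaiting_2fa = True
        return {"clientlogin": {"status": "UI", "message": "Verification code",
                                "requests": [{"id": "TOTPAuthenticationRequest",
                                              "required": "required",
                                              "fields": {"OATHToken": {"type": "string",
                                                                       "label": "Verification code"}}}]}}


if __name__ == "__main__":
    SECRET = "JBSWY3DPEHPK3PXP"            # constructed TOTP secret
    wiki = FakeMediaWiki("Alice", "s3cret", SECRET)
    print(try_login(wiki, "Alice", "s3cret", totp(SECRET)))
```

Two choices worth noting: the continuation round sends only logintoken, logincontinue=1 and the field the server asked for (the example does not resend the password, unlike the Commons snippet in the description), and the client refuses to continue when the UI step asks for anything other than OATHToken rather than blindly posting a code into an unknown form. A wrong password fails before any code is requested, so the prompt never reveals whether the account has 2FA enabled to someone who does not know the password.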
Petrb updated the task description. Nov 16 2017, 12:31 PM
Petrb updated the task description. Nov 16 2017, 12:41 PM
Petrb updated the task description. Nov 17 2017, 9:20 AM
Masti added a subscriber: Masti. Feb 2 2018, 12:02 AM
Petrb raised the priority of this task from Low to High. Jun 1 2018, 9:47 PM
Restricted Application added a subscriber: RichSmith. Jun 1 2018, 9:47 PM
Petrb moved this task from Backlog to Code / Features on the Huggle board. Oct 10 2018, 6:16 PM