Enable 2FA normal login
Open, HighPublic
Actions

Assigned To

None

Authored By

	Framawiki
	Nov 11 2017, 8:11 AM

Description

Per this blog post about Commons' mobile app, it should be possible to allow users that use 2FA to login normally (without BotPassword) by adding a field to the login form to enter the code.
https://addshore.com/2017/05/wikimedia-commons-android-app-pre-hackathon/
https://github.com/commons-app/apps-android-commons/blob/e3ef7002d5d77c1e8cd98c2a72bbc38c8959c276/app/src/main/java/fr/free/nrw/commons/auth/LoginTask.java#L117
https://github.com/commons-app/apps-android-commons/blob/b0e8175003a686789474238dd293aa89d1e925c7/app/src/main/java/fr/free/nrw/commons/mwapi/ApacheHttpClientMediaWikiApi.java#L93

api.action("clientlogin")
                .param("rememberMe", "1")
                .param("username", username)
                .param("password", password)
                .param("logintoken", getLoginToken())
                .param("logincontinue", "1")
                .param("OATHToken", twoFactorCode)
.post()

Diagram of how it should work

          +----------------------+                    +---------------------------+
          |Bot login is requested|                    |Classic login is requested |
          +-----------+----------+                    +--------------+------------+
                      |                                              |
                      |                                              |
                      |                                              |
        +-------------v-------------+                    +-----------v---------+
  Nope  |* Check if username conform|                    |ClientLogin API query+----------+
+-------+  (it has @suffix)         |                    |is requested         |          |
|       +-------------+-------------+                    +------+--------+-----+          |
|                     |                                         |        |           +----v-----------------------+
|                     | Yes                                     |        |           |Query fails with other error|
|                     |                                         |        |           +--------------------------+-+
|                     |                                         |        |                                      |
|       +-------------v------------------+                      |  +-----v----------+   +---------------------+ |
|       |* Login using standard API query|                      |  |Query fails with+--->2FA form is displayed| |
|       |  action=login                  |                      |  |"UI" error      |   |to user and ask for  | |
|       +-----+--------------------+-----+                      |  +----------------+   |their login token    | |
|             |                    |                            |                       +-----+---------------+ |
|             |                    |                            |                             |                 |
|      +------v-----+        +-----v-----------------------+    |                      +------v--------------+  |
|      |Query failed|        |Query is successfuly finished|    |              +-------+ClientLogin API query|  |
|      +------+-----+        +---------------------------+-+    |              |       |with token           |  |
|             |                                          |      |              |       +-----------+---------+  |
|             |                                          |      |              |                   |            |
|             |                                          |   +--v--------------v-+                 |            |
|             |                                          |   |Query is successful|          +------v----+       |
|             |                                          |   +--------------+----+          |Query fails|       |
|             |                                          |                  |               +------+----+       |
|             |                                          |                  |                      |            |
|      +------v----------------------------+             |   +--------------v--------+             |            |
+------>Show error to user with explanation|             +--->Login successful.      |             |            |
       |on what's wrong                    |                 |                       |             |            |
       +--------------------------^---^----+                 +--------------+--------+             |            |
                                  |   |                                     |                      |            |
                                  |   +-------------------------------------------------------------------------+
                                  |                                         |                      |
                                  +----------------------------------------------------------------+
                                                                            |
                                                                 +----------v-----------+
                                                                 |Continue login process|
                                                                 +----------------------+

Related Objects

Mentioned In: T186274: Enable 2FA normal login
Mentioned Here: T150900: [Android] Allow users to log in with 2FA in the app

Event Timeline

Framawiki created this task.Nov 11 2017, 8:11 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 11 2017, 8:11 AM

Petrb triaged this task as Low priority.Nov 11 2017, 10:28 AM

As I understand here T150900#2803838 action=login is depreciated, and we should instead use action=clientlogin, that support 2FA. See this implementation too.

PR: https://github.com/huggle/huggle3-qt-lx/pull/260

                 "Login" button
                        +
                        |
                        |
           +------------v------------+
           |                         |
           |meta=tokens&type=login   |
           |                         |
           +------------+------------+
                        |
                        |
                        |
           +------------v------------+
           |action=clientlogin       |
           |with token, user, pass   |
           |                         |
           +------------+------------+
                        |
                        |
                        |
Works ("PASS")    <-----+----->    Fail ("UI")
                                   -> 2fa is enabled
       +                                  +
       |                                  |
       |
       |                               ask 2fa
       |
       |                                  +
       |                                  |
       |                      +-----------v-------------+
       |                      |action=clientlogin       |
       |                      |with user, pass, token,  |
       |                      |totp(2fa)                |
       |                      +-----------+-------------+
       |                                  |
       |                                  |
       |                                  |
       |                                  |
       +------> user is logged in <-------+

Liuxinyu970226 subscribed.Nov 16 2017, 10:45 AM

Petrb updated the task description. (Show Details)Nov 16 2017, 12:31 PM

Petrb updated the task description. (Show Details)Nov 16 2017, 12:41 PM

Petrb updated the task description. (Show Details)Nov 17 2017, 9:20 AM

Framawiki mentioned this in T186274: Enable 2FA normal login.Feb 1 2018, 10:26 PM

Masti subscribed.Feb 2 2018, 12:02 AM

Petrb raised the priority of this task from Low to High.Jun 1 2018, 9:47 PM

Restricted Application added a subscriber: RichSmith. · View Herald TranscriptJun 1 2018, 9:47 PM

Petrb moved this task from Backlog to Code / Features on the Huggle board.Oct 10 2018, 6:16 PM