
Allow authentication plugins to report error messages
Closed, ResolvedPublic

Description

Authentication plugins currently have no way to report custom error messages to the end user. There are some situations where something other than a password failure error should be reported.

I am willing to tackle this issue; should I submit patches here, or should I plan everything out here and then commit it?


Version: unspecified
Severity: enhancement

Details

Reference
bz16524

Event Timeline

bzimport raised the priority of this task from to Normal. Nov 21 2014, 10:26 PM
bzimport set Reference to bz16524.
bzimport added a subscriber: Unknown Object (MLST).
RyanLane created this task. Dec 2 2008, 3:05 AM

Suggesting you do the latter, as for the past 30 months no one took the effort to comment.

In particular without something of this sort, CentralAuth has no choice but to report "wrong password" when accounts are locked.

Ages ago I said I'd try to get to this, but it's not a small core change, may be better if someone else took this.

sumanah wrote:

Victor, do you have some time to help with this? It's hurting more and more people regarding Wikimedia Labs login.

What kind of errors are we talking about, because for Special:Userlogin at least it's very easy to report custom error messages.

It's easy to pass them from the authentication extension to Special:Userlogin? I don't see a way with a quick pass through the code. It looks to me like there are constant values defined and a Status class is used with those hardcoded values.

If you mean when creating a new account, the AbortNewAccount hook in LoginForm::addNewAccountInternal allows you to pass a raw HTML message to be displayed to the user for errors. If you mean when just logging in, the AbortLogin hook in LoginForm::authenticateUserData, if passed LoginForm::ABORTED as the status, will show whatever custom message key is passed in the last parameter of the hook.
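As an added example that is not part of the task discussion or of MediaWiki itself, this is what the AbortLogin approach described above looks like for the "account is locked" case from the earlier comment; the extension name, the `isAccountLocked` lookup and the message key are assumptions.

```php
<?php
// Added example: an AbortLogin hook handler for the legacy LoginForm code path.
// "LockedAccountNotice", isAccountLocked() and the message key are assumed names.

// Hook registration, e.g. in the extension's setup file.
$wgHooks['AbortLogin'][] = 'LockedAccountNoticeHooks::onAbortLogin';

class LockedAccountNoticeHooks {
	/**
	 * AbortLogin hook handler (the message parameter exists from MediaWiki 1.18).
	 *
	 * @param User   $user     user being authenticated
	 * @param string $password submitted password (not checked here)
	 * @param int    &$retval  LoginForm status constant to return
	 * @param string &$msg     message key shown to the user on abort
	 * @return bool false aborts the login
	 */
	public static function onAbortLogin( $user, $password, &$retval, &$msg ) {
		if ( !self::isAccountLocked( $user ) ) {
			return true; // not locked: let normal password checking continue
		}
		// Abort with a custom message instead of the generic "wrong password".
		// The key needs an entry in the extension's message file, e.g.
		// "lockedaccountnotice-locked": "This account is locked and cannot log in."
		$retval = LoginForm::ABORTED;
		$msg = 'lockedaccountnotice-locked';
		return false;
	}

	/**
	 * Hypothetical lock lookup. A real extension (CentralAuth, an LDAP plugin)
	 * would consult its own lock state here; this stub reads a constructed list.
	 */
	private static function isAccountLocked( User $user ) {
		$constructedLockedNames = [ 'Locked Example' ];
		return in_array( $user->getName(), $constructedLockedNames, true );
	}
}
```

The hook runs before the password is verified, so a distinct "locked" message confirms that the account exists; whether that trade-off is acceptable is a policy decision the thread leaves open.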

It's possible to work around the lack of custom messages using these hooks, but it's a dirty hack. For instance, some password authentication plugins (like LDAP) should be able to send a custom error message when authentication occurs, such as "Your account is disabled". To do that using the hooks, it would be necessary to do authentication more than once, just to get a message.

Any call to wgAuth should allow a custom message.

Oh, I see what you mean. Well, the new authnz system I'm designing would fix this, but it'll be a little while before it's finished.

tchay wrote:

Just adding Brion and S Page to this old bug. :-)

Just to note that all account creation on wikitech seems to be failing with this error message. I tried creating one, which failed - and Coren tells me that everything is failing with this error message.

There's no other error message to display ;)

*** Bug 56535 has been marked as a duplicate of this bug. ***

Tgr added a subscriber: Tgr. Sep 2 2015, 8:50 PM

AuthManager (T91699) will replace AuthPlugin. Authentication providers plugging into AuthManager will be able to return arbitrary messages when authentication fails.

Restricted Application added a subscriber: Aklapper. Sep 2 2015, 8:50 PM
James set Security to Software security bug. Apr 28 2016, 9:39 AM
James added a project: Security.
James changed the visibility from "Public (No Login Required)" to "Custom Policy".
James added a subscriber: James.

Popsicle face

Krenair changed the visibility from "Custom Policy" to "Public (No Login Required)".
Krenair changed Security from Software security bug to None.
Tgr closed this task as Resolved. Sep 17 2016, 9:22 PM
Tgr claimed this task.

Instant shell account