disableOATHAuthForUser.php should call SessionManager::invalidateSessionsForUser. If the user is locked out, there is no harm in it, and in the case of an attacker achieving 2FA reset via social engineering, this ensures that the legitimate account owner will notice (whereas they might miss an email / have no email address).
Details
Subject | Repo | Branch | Lines +/-
---|---|---|---
Make disableOATHAuthForUser.php log out the affected user | mediawiki/extensions/OATHAuth | master | +7 -0
Status | Assigned | Task
---|---|---
Resolved | Tgr | T189537 2FA reset should log the user out
Resolved | Legoktm | T210075 Send notification when 2FA is disabled
Resolved | Legoktm | T210963 Send an email when 2FA is disabled
Event Timeline
It should also trigger a flow and email notification to the user that his 2FA has been disabled.
Change 475039 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/extensions/OATHAuth@master] Make disableOATHAuthForUser.php log out the affected user
That should probably be a separate bug (and something that I would not try before T128351: Notifications should be in core is sorted out).
I mentioned it here as the description said that the goal was that the legitimate account owner would notice, but you are right. Split to T210075.
Change 475039 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Make disableOATHAuthForUser.php log out the affected user