
Elaborate match Google user with e-mail address in addition to user ID
Closed, Resolved (Public)

Description

A user in https://www.mediawiki.org/wiki/Topic:U5yoiz7dhxmn9eyw asked why his user isn't matched with the Google user, even though he uses the same e-mail address in the MediaWiki installation and in his Google account. We should think about whether it's safe to match a user by e-mail address if there's no user connected by ID.

It could also be possible to link the user by e-mail address and add a new entry to the Google account ID / MediaWiki account ID linking table, so that later the user is matched by user ID.

From @Anomie's comment, which is exactly what is requested :)

  1. User registers an account on the wiki, using some non-GoogleLogin authentication mechanism (e.g. normal passwords)
  2. User sets the email address on the account to a Google address, and confirms it.
  3. User attempts to use GoogleLogin, with that Google email address.

The user expects that they will be logged in to their account based on the confirmed email address having been set.

Some considerations from the comments:

  • The e-mail address GoogleLogin is looking for needs to be confirmed in MediaWiki
  • When multiple users have the same e-mail address, GoogleLogin will not use it for matching a Google user account to a MediaWiki one


Event Timeline

Florian updated the task description.

@Tgr and @Anomie I would like to hear your opinion about (generally speaking) matching a user based on their e-mail address instead of their user account ID. Is there something which comes to your mind why this could be a bad thing? :)

What exactly is the request here? Something like this?
  1. User registers an account on the wiki, using some non-GoogleLogin authentication mechanism (e.g. normal passwords)
  2. User sets the email address on the account to a Google address, and confirms it.
  3. User attempts to use GoogleLogin, with that Google email address.

The user expects that they will be logged in to their account based on the confirmed email address having been set.
(feel free to copy that into the task description if it's accurate)

I can't think of any major problems with making that work, although you might ask @Bawolff or someone else on Wikimedia's Security-Team for their input.

It seems reasonable to assume that if someone can successfully use GoogleLogin, then they could as well log in to gmail and use Special:PasswordReset to gain access to the wiki account. I suppose if you wanted to be safe you could disable the feature if entering an email address into Special:PasswordReset is disabled or the feature is explicitly enabled.

Some other notes:

  • With GoogleLogin, there's no way to get to the point where this would happen without first having Google confirm the authentication from their end, so we know the person controls the email address.
  • On the MediaWiki side, the email address should already be confirmed. Matching unconfirmed email addresses seems potentially more problematic.
    • e.g. an attacker could do step 1 and set the email, then trick the person into using the wiki account without knowing the attacker has the non-GoogleLogin password or something else as a "backdoor".
  • Note that there might be more than one MediaWiki account with the same email address. Your code would have to be prepared for this situation.
    • It might be that one of those is already linked.
  • It's possible that a user might, despite Special:PasswordReset, still not want to be able to use GoogleLogin to access their wiki account for some reason.

BTW, it's not exactly related but I note that T30085: RFC: Allow user login with email address in addition to username exists as a more general case involving login based on email address. At the least the mention can serve as a pointer to that if someone looking for that ends up here by mistake.

My main concerns are:

  • What if two people use the same email address
  • Would there be any way of leaking that an email address is in use (e.g. by looking for a "user does not exist" error)? In particular, if an attacker is trying to guess what another user is using as email, would he be able to somehow figure it out by setting his email to be the same as the victim's (I guess email confirmation would prevent that. Ideally though I'd like to see that attack stopped even if the malicious user somehow manages to confirm his email).

Both of these concerns could probably be eliminated in a careful implementation.

First of all: I kind of thought that you can already set an e-mail address on only one user, so that there's a one-to-one relation from one user to one e-mail address and vice versa. However, this turns out to be a wrong assumption. I'll cover the obligations resulting from that in the following answers to the comments :)

And second first of all: Big thanks to @Anomie as well as @Bawolff for the very fast, informative and constructive feedback, which I (personally) value a lot :)

  • With GoogleLogin, there's no way to get to the point where this would happen without first having Google confirm the authentication from their end, so we know the person controls the email address.

Exactly, the user needs to prove to Google that he's able to log in (and possibly solve a 2FA challenge, too) to the specific Google user account; otherwise we'll get an abort or error from the Google authentication process and don't get any information.

  • On the MediaWiki side, the email address should already be confirmed. Matching unconfirmed email addresses seems potentially more problematic.
    • e.g. an attacker could do step 1 and set the email, then trick the person into using the wiki account without knowing the attacker has the non-GoogleLogin password or something else as a "backdoor".

Completely agreeing on that; I'll add this to the description of the task, too, in addition to the summary of what the user expects from your comment (thanks for that, and sorry that this wasn't that clear before :)).

  • Note that there might be more than one MediaWiki account with the same email address. Your code would have to be prepared for this situation.
    • It might be that one of those is already linked.

If the Google user account is already linked to a specific MediaWiki user account (by user ID in this case), this would always take precedence over matching the e-mail address. On the second one: if one e-mail address is added to multiple accounts, I think the best thing for now would be to FAIL the authentication request, as we can't find out which account to log in to. However, thinking the other way: if the e-mail address is confirmed for both accounts, we could probably assume that the one user owns both accounts, and could add an intermediate UI step where the user can select which account he wants to use. However, this would be something we could discuss later on, and which I would rate as out of scope for this task :)

  • It's possible that a user might, despite Special:PasswordReset, still not want to be able to use GoogleLogin to access their wiki account for some reason.

So, he doesn't need to; however, he wouldn't be able to prevent it. Is this something you would require?

  • What if two people use the same email address

See my comment above for what I currently have in mind: FAIL the authentication request. That would be the safest way, I think :)

  • Would there be any way of leaking that an email address is in use (e.g. by looking for a "user does not exist" error)? In particular, if an attacker is trying to guess what another user is using as email, would he be able to somehow figure it out by setting his email to be the same as the victim's (I guess email confirmation would prevent that. Ideally though I'd like to see that attack stopped even if the malicious user somehow manages to confirm his email).

Basically, there's no way to leak that. GoogleLogin wouldn't store the e-mail address in a separate table or anything. The e-mail address is also only transferred to MediaWiki as part of the authentication response from Google during the MediaWiki login process (where a user explicitly, or implicitly when already agreed, needs to agree to do so). As GoogleLogin wouldn't prevent adding the same e-mail address to multiple accounts, there's also no way to check whether an address is already taken by typing it there (GoogleLogin would "just" stop matching the user by e-mail address).
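The matching policy agreed on in this thread (existing link by Google account ID wins; otherwise a single confirmed e-mail match; zero or several matches fail identically so that nothing about address use leaks; a successful e-mail match is persisted as an ID link), as an added model that is not the GoogleLogin extension's own code. The user table, the link table and the case-insensitive address comparison are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class WikiUser:
    user_id: int
    email: str
    email_confirmed: bool  # MediaWiki-side confirmation, as required in the thread


@dataclass
class Directory:
    """Constructed stand-in for the user table and the Google-ID/user-ID link table."""
    users: list
    links: dict = field(default_factory=dict)  # google_id -> user_id


def match_google_user(directory, google_id, google_email):
    """Return the wiki user_id to log in, or None for a generic failure."""
    # 1. An existing link by Google account ID always takes precedence.
    if google_id in directory.links:
        return directory.links[google_id]
    # 2. Fall back to confirmed e-mail addresses only (assumed case-insensitive).
    wanted = google_email.strip().lower()
    candidates = [u for u in directory.users
                  if u.email_confirmed and u.email.lower() == wanted]
    # 3. "No account" and "several accounts" are the same failure, so a caller
    #    cannot tell whether an address is in use from the outcome.
    if len(candidates) != 1:
        return None
    # 4. Persist the link so later logins are matched by ID, not by e-mail.
    directory.links[google_id] = candidates[0].user_id
    return candidates[0].user_id


def constructed_directory():
    """Sample data covering each case discussed in the thread (constructed)."""
    return Directory(users=[
        WikiUser(1, "alice@example.com", True),
        WikiUser(2, "bob@example.com", False),   # unconfirmed: must never match
        WikiUser(3, "carol@example.com", True),
        WikiUser(4, "carol@example.com", True),  # duplicate confirmed address
    ], links={"g-existing": 3})
```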

Change 447143 had a related patch set uploaded (by Florianschmidtwelzow; owner: Florianschmidtwelzow):
[mediawiki/extensions/GoogleLogin@master] Match users by their email address, too

https://gerrit.wikimedia.org/r/447143

Change 447143 merged by jenkins-bot:
[mediawiki/extensions/GoogleLogin@master] Match users by their email address, too

https://gerrit.wikimedia.org/r/447143

Florian claimed this task.