Are you trying to say that the OAuth extension should use AuthManager::securitySensitiveOperationStatus() when someone creates an owner-only consumer?

Yes. Possibly when doing a consumer proposal/approval in general maybe (?) Not sure. But definitely for the auto-approved consumer only oauth apps

In T208008#4697608, @Bawolff wrote:

Yes. Possibly when doing a consumer proposal/approval in general maybe (?) Not sure.

From a security perspective, probably. Note a proposed-but-not-approved consumer can be used by the owner's account without approval for testing.

Although you might get complaints from people (Stewards?) actually doing the approvals.

(Same as T197156: Creating OAuth owner-only consumers should require elevated security)

We should probably have a reauth time significantly larger than 5 min, though, filling out the form can take a while, especially if you do it the first time and need to read documentation.

In T208008#4697806, @Anomie wrote:

Note a proposed-but-not-approved consumer can be used by the owner's account without approval for testing.

Non-owner-only consumers send an Echo ping to OAuth admins so that would be an exploitable but very conspicuous attack vector. (On wikis which have Echo installed, anyway.)

Although you might get complaints from people (Stewards?) actually doing the approvals.

I'm probably doing most of the approvals these days, there's about one non-owner-only request per day. Requiring reauth for that would be annoying but not the end of the world.

I'm not 100% sure who should be claiming this task. Could one of you please claim it in support of this recent security incident?

In T208008#4697995, @Tgr wrote:

(Same as T197156: Creating OAuth owner-only consumers should require elevated security)

We should probably have a reauth time significantly larger than 5 min, though, filling out the form can take a while, especially if you do it the first time and need to read documentation.

Sounds reasonable. I think we'd still want it under 2 hours

In T208008#4697806, @Anomie wrote:

Note a proposed-but-not-approved consumer can be used by the owner's account without approval for testing.

Non-owner-only consumers send an Echo ping to OAuth admins so that would be an exploitable but very conspicuous attack vector. (On wikis which have Echo installed, anyway.)

Although you might get complaints from people (Stewards?) actually doing the approvals.

I'm probably doing most of the approvals these days, there's about one non-owner-only request per day. Requiring reauth for that would be annoying but not the end of the world.

Yeah, I'm less worried about that vector. Maybe something like reauth in the last 48 hours makes sense for approving non-owner only consumers.

Note that different reauth time for owner-only and normal consumers would only be possible if they used a separate form; while that might be preferable (per T142279), it is not the case currently.

As with T208007#4706897, I can't seem to apply Patch-For-Review here.

In T208008#4707007, @Anomie wrote:

Obsolete: 0001-Require-reauthentication-for-proposing-or-managing-c.patch5 KBDownload

Only skimmed it.

+		// TODO: Maybe make it possible to put this in extension.json
+		$wgReauthenticateTime += [
+			'OAuthManage' => 172800,
+			'OAuthProposeOwnerOnly' => 60,
+		];

Adding support for that in extension.json seems like a good idea.

As with T208007#4706897, I can't seem to apply Patch-For-Review here.

Added. Not sure why you can't...??

In T208008#4723541, @Legoktm wrote:

Added. Not sure why you can't...??

I guess @chasemp is looking into it?

On IRC, @chasemp wrote:

Nov 02 15:22:49 <chasemp> if anyone else is having issues changing state on some of hte new security tasks tag me in and I'm going to look at why when I have a sec, something something layered phab permissions insanity

It should be fixed now so members of Security have full edit and view.

In T208008#4725398, @chasemp wrote:

It should be fixed now so members of Security have full edit and view.

I still can't edit the projects on this task. Is there a Phab task for the permissions issue so we can leave this one to the OAuth feature request?

In T208008#4725444, @Anomie wrote:

In T208008#4725398, @chasemp wrote:

It should be fixed now so members of Security have full edit and view.

I still can't edit the projects on this task. Is there a Phab task for the permissions issue so we can leave this one to the OAuth feature request?

Yep, understood. I'm re-opening the original task to create the task subtype used here so we can sort things out

Any objections to making this task public? There is no vulnerability here, and private patches tend to linger forever without getting review / getting deployed.

In T208008#4723541, @Legoktm wrote:

Adding support for that in extension.json seems like a good idea.

https://gerrit.wikimedia.org/r/c/mediawiki/core/+/473951

In T208008#4707007, @Anomie wrote:

Obsolete: 0001-Require-reauthentication-for-proposing-or-managing-c.patch5 KBDownload

60 seconds are way too short for filling out this form. Also, the management form dies on reauth-during-submission with

[05ef31b4ae43033ca4927166] /w/index.php?title=Special:OAuthManageConsumers/156f882c478400553c5f44994770224b&postUniqueId=20107b TypeError from line 340 of /vagrant/mediawiki/extensions/OAuth/backend/MWOAuthConsumer.php: Argument 2 passed to MediaWiki\Extensions\OAuth\MWOAuthConsumer::userCanSee() must be an instance of RequestContext, instance of DerivativeContext given, called in /vagrant/mediawiki/extensions/OAuth/backend/MWOAuthDAO.php on line 408

Backtrace:

#0 /vagrant/mediawiki/extensions/OAuth/backend/MWOAuthDAO.php(408): MediaWiki\Extensions\OAuth\MWOAuthConsumer->userCanSee(string, DerivativeContext)
#1 /vagrant/mediawiki/extensions/OAuth/control/MWOAuthDAOAccessControl.php(104): MediaWiki\Extensions\OAuth\MWOAuthDAO->userCanAccess(string, DerivativeContext)
#2 /vagrant/mediawiki/extensions/OAuth/frontend/specialpages/SpecialMWOAuthManageConsumers.php(258): MediaWiki\Extensions\OAuth\MWOAuthDAOAccessControl->get(string, Closure)
#3 /vagrant/mediawiki/extensions/OAuth/frontend/specialpages/SpecialMWOAuthManageConsumers.php(115): MediaWiki\Extensions\OAuth\SpecialMWOAuthManageConsumers->handleConsumerForm(string)
#4 /vagrant/mediawiki/includes/specialpage/SpecialPage.php(569): MediaWiki\Extensions\OAuth\SpecialMWOAuthManageConsumers->execute(string)
#5 /vagrant/mediawiki/includes/specialpage/SpecialPageFactory.php(558): SpecialPage->run(string)
#6 /vagrant/mediawiki/includes/MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#7 /vagrant/mediawiki/includes/MediaWiki.php(862): MediaWiki->performRequest()
#8 /vagrant/mediawiki/includes/MediaWiki.php(517): MediaWiki->main()
#9 /vagrant/mediawiki/index.php(42): MediaWiki->run()
#10 /var/www/w/index.php(5): require(string)
#11 {main}

In T208008#4752642, @Tgr wrote:

60 seconds are way too short for filling out this form.

Hmm, how'd I get 60 seconds in there? I wonder if I forgot to change it back after testing.

Also, the management form dies on reauth-during-submission with

[05ef31b4ae43033ca4927166] /w/index.php?title=Special:OAuthManageConsumers/156f882c478400553c5f44994770224b&postUniqueId=20107b TypeError from line 340 of /vagrant/mediawiki/extensions/OAuth/backend/MWOAuthConsumer.php: Argument 2 passed to MediaWiki\Extensions\OAuth\MWOAuthConsumer::userCanSee() must be an instance of RequestContext, instance of DerivativeContext given, called in /vagrant/mediawiki/extensions/OAuth/backend/MWOAuthDAO.php on line 408

Why is that typehinting RequestContext instead of IContextSource?

In T208008#5547972, @sbassett wrote:

@Tgr and @Anomie - I'm fine with treating this as a code-hardening measure (as opposed to a standard security issue with all the protections) and making this task public.

Thanks @sbassett! Would you be able to make it public? I don't think I have the rights to do that.

In T208008#6295146, @Tgr wrote:

Would you be able to make it public? I don't think I have the rights to do that.

Done. Also removed a certain tag. I assume we just need to rewrite/rebase the (old) patch from T208008#4754351 and get that into gerrit?

Yeah, will do that in a few days.

Change 611342 had a related patch set uploaded (by Gergő Tisza; owner: Anomie):
[mediawiki/extensions/OAuth@master] Require reauthentication for proposing or managing consumers

https://gerrit.wikimedia.org/r/611342