Page MenuHomePhabricator
Create Task
Maniphest T210075

Send notification when 2FA is disabled
Closed, ResolvedPublic
Actions

Assigned To
Legoktm
Authored By
Platonides
Nov 21 2018, 11:55 AM
Tags
Referenced Files
F35527431: 2FA wikitech.png
Sep 21 2022, 6:36 PM
F35043934: Disable OATHAuth email.png
Apr 8 2022, 3:38 PM
F34954041: Screenshot 2022-02-16 at 23-57-06 Trunk Test.png
Feb 17 2022, 8:03 AM
F34954043: Screenshot 2022-02-16 at 23-57-25 Trunk Test.png
Feb 17 2022, 8:03 AM
F34953228: Screenshot 2022-02-16 at 00-58-51 Trunk Test.png
Feb 16 2022, 9:05 AM
Subscribers
AfroThundr3007730
Aklapper
Framawiki
gerritbot
Huji
JEumerus
jrbs
View All 16 Subscribers
Tokens
"Like" token, awarded by Pintoch."Like" token, awarded by Huji.

Description

Disabling the 2FA (either by the user or disableOATHAuthForUser.php) should trigger a flow and email notification to the user that his 2FA has been disabled, so that, in case there was anything fishy with this action, the legitimate account owner can notice.

Details

SubjectRepoBranchLines +/-
Add missing oathauth-notifications-(dis|en)able-primary messagesmediawiki/extensions/OATHAuthREL1_40+18 -14
Add missing oathauth-notifications-(dis|en)able-primary messagesmediawiki/extensions/OATHAuthREL1_41+18 -14
Add missing oathauth-notifications-(dis|en)able-primary messagesmediawiki/extensions/OATHAuthREL1_39+18 -14
Add missing oathauth-notifications-(dis|en)able-primary messagesmediawiki/extensions/OATHAuthmaster+18 -14
Send a notification when 2FA is disabledmediawiki/extensions/OATHAuthmaster+184 -6
Add overrides for 2FA disabled notificationmediawiki/extensions/WikimediaMessageswmf/1.38.0-wmf.23+8 -2
Add overrides for 2FA disabled notificationmediawiki/extensions/WikimediaMessagesmaster+8 -2
Send a notification when 2FA is disabledmediawiki/extensions/OATHAuthREL1_35+183 -6
Send a notification when 2FA is disabledmediawiki/extensions/OATHAuthREL1_36+183 -6
Send a notification when 2FA is disabledmediawiki/extensions/OATHAuthREL1_37+183 -6
Customize query in gerrit

Related Objects
Search...

Event Timeline

Platonides created this task.Nov 21 2018, 11:55 AM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptNov 21 2018, 11:55 AM
Platonides mentioned this in T189537: 2FA reset should log the user out.Nov 21 2018, 11:59 AM
AfroThundr3007730 subscribed.Nov 26 2018, 12:24 AM
jrbs moved this task from Backlog to Radar on the Trust-and-Safety board.Nov 28 2018, 11:45 PM
MarcoAurelio mentioned this in T210963: Send an email when 2FA is disabled.Dec 2 2018, 8:31 PM
Framawiki added a subtask: T210963: Send an email when 2FA is disabled.Dec 2 2018, 9:34 PM
Framawiki subscribed.
Huji awarded a token.Dec 2 2018, 10:18 PM
MR70 subscribed.Jan 3 2019, 12:25 PM
jrbs moved this task from Radar to 2FA (backlog) on the Trust-and-Safety board.Aug 20 2019, 8:36 AM
Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.Oct 16 2019, 3:58 PM
Stang subscribed.Jan 1 2022, 1:49 AM
Legoktm claimed this task.Feb 16 2022, 9:05 AM
Legoktm subscribed.

Seems easy enough. Dunno if this text is too scary, but there's not that much space, anything longer gets truncated. It currently links to Special:Preferences, but we could add a secondary link to a help page if someone writes one.

Screenshot 2022-02-16 at 00-58-51 Trunk Test.png (294×649 px, 30 KB)

gerritbot added a comment.Feb 16 2022, 9:15 AM

Change 763190 had a related patch set uploaded (by Legoktm; author: Legoktm):

[mediawiki/extensions/OATHAuth@master] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763190

gerritbot added a project: Patch-For-Review.Feb 16 2022, 9:15 AM
Urbanecm subscribed.EditedFeb 16 2022, 3:28 PM

Do you plan to send a notification on self-service removals only? Or also when someone with super-high permissions uses https://meta.wikimedia.org/wiki/special:DisableOATHForUser? If the latter (which I feel is a good idea anyway), the "If you didn't do it" part will make no sense. FTR, the special page is how a lot of the forced 2FA removals are done by T&S (the remainder is the maintenance script, usually used at private wikis).

Legoktm added a comment.Feb 16 2022, 8:41 PM
In T210075#7715006, @Urbanecm wrote:

Do you plan to send a notification on self-service removals only? Or also when someone with super-high permissions uses https://meta.wikimedia.org/wiki/special:DisableOATHForUser?

My patch sends notification for all 2FA removals, whether it's self-initiated, the special page or maint script...and I think that's the way it should be done.

If the latter (which I feel is a good idea anyway), the "If you didn't do it" part will make no sense.

Good point. Maybe for the non-self-initiated notification, "If you did not request this, you should contact an administrator." with a WikimediaMessages override to say "...contact WMF Trust & Safety."? And then the option to add a help link, which again, WikimediaMessages can point to Meta.

Urbanecm added a comment.Feb 16 2022, 8:46 PM
In T210075#7716275, @Legoktm wrote:

[...]

If the latter (which I feel is a good idea anyway), the "If you didn't do it" part will make no sense.

Good point. Maybe for the non-self-initiated notification, "If you did not request this, you should contact an administrator." with a WikimediaMessages override to say "...contact WMF Trust & Safety."? And then the option to add a help link, which again, WikimediaMessages can point to Meta.

Sounds good to me. Thanks!

jrbs added a comment.Feb 16 2022, 9:16 PM
In T210075#7716275, @Legoktm wrote:

with a WikimediaMessages override to say "...contact WMF Trust & Safety."

Tiny thing but this likely needs to be "Wikimedia Foundation", not "WMF". Otherwise I think I'm cool with that, since the Meta page for the team has contact info on it.

Legoktm added a comment.Feb 17 2022, 8:03 AM
In T210075#7716373, @jrbs wrote:
In T210075#7716275, @Legoktm wrote:

with a WikimediaMessages override to say "...contact WMF Trust & Safety."

Tiny thing but this likely needs to be "Wikimedia Foundation", not "WMF". Otherwise I think I'm cool with that, since the Meta page for the team has contact info on it.

I tried :( but the problem is that Echo notifications have a length limit, and if it exceeds that it'll get truncated.

Screenshot 2022-02-16 at 23-57-06 Trunk Test.png (418×717 px, 46 KB)

Screenshot 2022-02-16 at 23-57-25 Trunk Test.png (417×686 px, 44 KB)

IIRC some other languages are typically longer and will likely be even worse.

jrbs added a comment.Feb 17 2022, 8:31 AM
In T210075#7717239, @Legoktm wrote:
In T210075#7716373, @jrbs wrote:
In T210075#7716275, @Legoktm wrote:

with a WikimediaMessages override to say "...contact WMF Trust & Safety."

Tiny thing but this likely needs to be "Wikimedia Foundation", not "WMF". Otherwise I think I'm cool with that, since the Meta page for the team has contact info on it.

I tried :( but the problem is that Echo notifications have a length limit, and if it exceeds that it'll get truncated.

Screenshot 2022-02-16 at 23-57-06 Trunk Test.png (418×717 px, 46 KB)

Screenshot 2022-02-16 at 23-57-25 Trunk Test.png (417×686 px, 44 KB)

IIRC some other languages are typically longer and will likely be even worse.

Curses! Fair enough. :)

Reedy closed subtask T210963: Send an email when 2FA is disabled as Resolved.Feb 17 2022, 2:15 PM
gerritbot added a comment.Feb 17 2022, 2:17 PM

Change 763190 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763190

Reedy mentioned this in T301987: Notify user when 2FA has been enabled.Feb 17 2022, 2:17 PM
gerritbot added a comment.Feb 17 2022, 2:19 PM

Change 763299 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/extensions/OATHAuth@REL1_37] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763299

gerritbot added a comment.Feb 17 2022, 2:19 PM

Change 763300 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/extensions/OATHAuth@REL1_36] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763300

gerritbot added a comment.Feb 17 2022, 2:20 PM

Change 763301 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/extensions/OATHAuth@REL1_35] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763301

Reedy mentioned this in T301992: Insert CheckUser row events during certain 2FA actions.Feb 17 2022, 3:03 PM
Reedy mentioned this in T131788: Users should be notified when only two recovery codes are left.Feb 17 2022, 3:23 PM
Reedy added a parent task: T125653: Create new types of notifications.Feb 17 2022, 3:47 PM
gerritbot added a comment.Feb 17 2022, 4:52 PM

Change 763299 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_37] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763299

gerritbot added a comment.Feb 17 2022, 4:53 PM

Change 763300 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_36] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763300

gerritbot added a comment.Feb 17 2022, 4:53 PM

Change 763301 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_35] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763301

gerritbot added a comment.Feb 18 2022, 9:35 AM

Change 763699 had a related patch set uploaded (by Legoktm; author: Legoktm):

[mediawiki/extensions/WikimediaMessages@master] Add overrides for 2FA disabled notification

https://gerrit.wikimedia.org/r/763699

Legoktm added a parent task: T300199: 1.38.0-wmf.23 deployment blockers.Feb 22 2022, 6:12 AM
Legoktm mentioned this in T300199: 1.38.0-wmf.23 deployment blockers.
gerritbot added a comment.Feb 22 2022, 8:32 AM

Change 763699 merged by jenkins-bot:

[mediawiki/extensions/WikimediaMessages@master] Add overrides for 2FA disabled notification

https://gerrit.wikimedia.org/r/763699

gerritbot added a comment.Feb 22 2022, 8:42 AM

Change 764400 had a related patch set uploaded (by Bartosz Dziewoński; author: Legoktm):

[mediawiki/extensions/WikimediaMessages@wmf/1.38.0-wmf.23] Add overrides for 2FA disabled notification

https://gerrit.wikimedia.org/r/764400

gerritbot added a comment.Feb 22 2022, 9:00 AM

Change 764400 merged by jenkins-bot:

[mediawiki/extensions/WikimediaMessages@wmf/1.38.0-wmf.23] Add overrides for 2FA disabled notification

https://gerrit.wikimedia.org/r/764400

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.24; 2022-02-28).Feb 22 2022, 9:00 AM
ReleaseTaggerBot edited projects, added MW-1.38-notes (1.38.0-wmf.23; 2022-02-21); removed MW-1.38-notes (1.38.0-wmf.24; 2022-02-28).Feb 22 2022, 10:00 AM
matmarex closed this task as Resolved.Feb 22 2022, 1:40 PM
matmarex subscribed.
Krinkle mentioned this in T303404: ArgumentCountError: Too few arguments to function MediaWiki\Extension\OATHAuth\OATHUserRepository::remove(), 2 passed in /srv/mediawiki/php-1.38.0-wmf.25/extensions/WebAuthn/src/HTMLForm/WebAuthnDisableForm.php on line 114 and exactly 3 expected.Mar 9 2022, 4:47 PM
Stang unsubscribed.Mar 13 2022, 3:32 PM
Seb35 subscribed.Mar 31 2022, 2:00 PM

It seems the message oathauth-notifications-disable-primary newly introduced in rEOAT329c3133d6eed8b8bc0b9c7a3cd6bfeebb05c915 is not defined, see https://www.mediawiki.org/wiki/Topic:Wsnjwprwq8rzsoo2.

Reedy subscribed.Mar 31 2022, 8:44 PM

Similarly, oathauth-notifications-enable-primary is needed from T301987: Notify user when 2FA has been enabled/rEOAT851656bbdf74: Revert "OATHUserRepository: Stop handling legacy single-key"

gerritbot added a comment.Apr 2 2022, 9:34 PM

Change 776327 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] Add missing oathauth-notifications-(dis|en)able-primary messages

https://gerrit.wikimedia.org/r/776327

Seb35 added a comment.Apr 8 2022, 3:38 PM

Example of an email, here in French:

Disable OATHAuth email.png (203×639 px, 18 KB)

Jdforrester-WMF mentioned this in T306184: OATHAuth's disableOATHAuthForUser.php script triggers a Notification that can't be sent as MW isn't initialised yet, so causes a production error.Apr 14 2022, 1:43 PM
Pintoch awarded a token.Aug 23 2022, 10:53 AM
xcollazo subscribed.Sep 21 2022, 6:36 PM

Hello folks, I just went thru the flow to disable 2FA on wikitech.wikimedia.org, and got an email similar to @Seb35's with a i18n template instead of the actual button text:

2FA wikitech.png (426×1 px, 53 KB)

So looks like we closed this task without a resolution to this issue? Happy to open a new ticket if necessary, LMK.

Reedy added a comment.Sep 21 2022, 6:56 PM
In T210075#7826494, @gerritbot wrote:

Change 776327 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] Add missing oathauth-notifications-(dis|en)able-primary messages

https://gerrit.wikimedia.org/r/776327

^ This is the patch to attempt to fix it...

Reedy mentioned this in T326073: Missing oathauth-notifications-disable-primary message.Jan 2 2023, 3:06 PM
gerritbot added a comment.Nov 10 2023, 1:25 AM

Change 776327 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Add missing oathauth-notifications-(dis|en)able-primary messages

https://gerrit.wikimedia.org/r/776327

gerritbot added a comment.Nov 18 2023, 3:33 PM

Change 975368 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_41] Add missing oathauth-notifications-(dis|en)able-primary messages

https://gerrit.wikimedia.org/r/975368

gerritbot added a comment.Nov 18 2023, 3:34 PM

Change 975369 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_40] Add missing oathauth-notifications-(dis|en)able-primary messages

https://gerrit.wikimedia.org/r/975369

gerritbot added a comment.Nov 18 2023, 3:34 PM

Change 975370 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@REL1_39] Add missing oathauth-notifications-(dis|en)able-primary messages

https://gerrit.wikimedia.org/r/975370

gerritbot added a comment.Nov 18 2023, 3:54 PM

Change 975370 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_39] Add missing oathauth-notifications-(dis|en)able-primary messages

https://gerrit.wikimedia.org/r/975370

gerritbot added a comment.Nov 18 2023, 3:55 PM

Change 975368 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_41] Add missing oathauth-notifications-(dis|en)able-primary messages

https://gerrit.wikimedia.org/r/975368

gerritbot added a comment.Nov 18 2023, 3:55 PM

Change 975369 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_40] Add missing oathauth-notifications-(dis|en)able-primary messages

https://gerrit.wikimedia.org/r/975369

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL