
Send notification when 2FA is disabled
Closed, Resolved (Public)

Description

Disabling 2FA (either by the user or by disableOATHAuthForUser.php) should trigger a flow and email notification to the user that his 2FA has been disabled, so that, in case there was anything fishy with this action, the legitimate account owner can notice.

Event Timeline

Legoktm added a subscriber: Legoktm.

Seems easy enough. Dunno if this text is too scary, but there's not that much space; anything longer gets truncated. It currently links to Special:Preferences, but we could add a secondary link to a help page if someone writes one.

Screenshot 2022-02-16 at 00-58-51 Trunk Test.png (294×649 px, 30 KB)

Change 763190 had a related patch set uploaded (by Legoktm; author: Legoktm):

[mediawiki/extensions/OATHAuth@master] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763190

Do you plan to send a notification on self-service removals only? Or also when someone with super-high permissions uses https://meta.wikimedia.org/wiki/special:DisableOATHForUser? If the latter (which I feel is a good idea anyway), the "If you didn't do it" part will make no sense. FTR, the special page is how a lot of the forced 2FA removals are done by T&S (the remainder is the maintenance script, usually used at private wikis).

> Do you plan to send a notification on self-service removals only? Or also when someone with super-high permissions uses https://meta.wikimedia.org/wiki/special:DisableOATHForUser?

My patch sends a notification for all 2FA removals, whether it's self-initiated, the special page or the maintenance script... and I think that's the way it should be done.

> If the latter (which I feel is a good idea anyway), the "If you didn't do it" part will make no sense.

Good point. Maybe for the non-self-initiated notification, "If you did not request this, you should contact an administrator." with a WikimediaMessages override to say "...contact WMF Trust & Safety."? And then the option to add a help link, which again, WikimediaMessages can point to Meta.
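As an added example (not OATHAuth's own code and not the patch in Change 763190), here is one way the behaviour discussed in this thread can be wired up in a MediaWiki extension using Echo: a single notification type that every disable path calls (self-service, Special:DisableOATHForUser and the maintenance script), delivered to the affected account rather than to whoever performed the action, with a shorter "contact an administrator" wording when the removal was not self-initiated. The namespace and class names, the `oathauth-disable` type name and every message key except `oathauth-notifications-disable-primary` are assumptions made for the example.

```php
<?php
// Added example, not OATHAuth's own code and not the patch discussed in
// this task. Shows one way to wire an Echo notification that fires on
// every 2FA-disable path (self-service, Special:DisableOATHForUser,
// disableOATHAuthForUser.php), so the account owner hears about it even
// when someone else disabled it. Hypothetical: the namespace and class
// names, the 'oathauth-disable' type, and every message key except
// oathauth-notifications-disable-primary.

namespace MediaWiki\Extension\OATHAuth\Example;

use EchoEvent;
use EchoEventPresentationModel;
use SpecialPage;
use User;

class TwoFactorDisabledNotifier {

	/**
	 * BeforeCreateEchoEvent hook handler (registered in extension.json,
	 * not shown). Declares the notification type to Echo.
	 */
	public static function onBeforeCreateEchoEvent(
		array &$notifications, array &$notificationCategories, array &$icons
	): void {
		$notifications['oathauth-disable'] = [
			'category' => 'system',   // security notice: users cannot opt out
			'group' => 'negative',
			'section' => 'alert',
			'presentation-model' => TwoFactorDisabledPresentationModel::class,
			// Deliver to the affected account, taken from the event's extra
			// data, rather than to whoever performed the action.
			'user-locators' => [
				[ 'EchoUserLocator::locateFromEventExtra', [ 'affected-user-id' ] ],
			],
			// Self-service removal: actor and recipient are the same user.
			'canNotifyAgent' => true,
		];
	}

	/**
	 * Call this from every code path that disables 2FA.
	 * $actor is who did it (the user, an admin, or a system user created
	 * with User::newSystemUser() for the maintenance script); $target is
	 * the account whose 2FA was removed.
	 */
	public static function notifyDisabled( User $actor, User $target ): void {
		EchoEvent::create( [
			'type' => 'oathauth-disable',
			'agent' => $actor,
			'extra' => [
				'affected-user-id' => $target->getId(),
				'self-initiated' => $actor->getId() === $target->getId(),
			],
		] );
	}
}

class TwoFactorDisabledPresentationModel extends EchoEventPresentationModel {

	public function getIconType() {
		// Echo's built-in placeholder icon; a dedicated icon could be
		// registered through the $icons hook parameter above.
		return 'placeholder';
	}

	public function getHeaderMessage() {
		// Two short variants: the self-service wording ("if you didn't do
		// this...") and, for admin- or script-initiated removals, the
		// "if you did not request this, contact an administrator" wording
		// proposed in this thread. Echo truncates long headers, so both
		// must stay well under the limit in every language.
		$key = $this->event->getExtraParam( 'self-initiated' )
			? 'oathauth-notifications-disable-header-self'    // hypothetical key
			: 'oathauth-notifications-disable-header-other';  // hypothetical key
		return $this->msg( $key )->params( $this->getViewingUserForGender() );
	}

	public function getPrimaryLink() {
		return [
			'url' => SpecialPage::getTitleFor( 'Preferences' )->getFullURL(),
			'label' => $this->msg( 'oathauth-notifications-disable-primary' )->text(),
		];
	}
}
```

The point of putting the recipient in `extra` instead of relying on the event agent is that the admin and maintenance-script paths have a different actor than the account being changed; `canNotifyAgent` is what keeps the self-service case working when the two coincide. The `system` category is deliberate: a notice whose purpose is to catch unauthorised 2FA removal should not be something the (possibly compromised) account can have switched off.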

> [...]
>
> > If the latter (which I feel is a good idea anyway), the "If you didn't do it" part will make no sense.
>
> Good point. Maybe for the non-self-initiated notification, "If you did not request this, you should contact an administrator." with a WikimediaMessages override to say "...contact WMF Trust & Safety."? And then the option to add a help link, which again, WikimediaMessages can point to Meta.

Sounds good to me. Thanks!

> with a WikimediaMessages override to say "...contact WMF Trust & Safety."

Tiny thing but this likely needs to be "Wikimedia Foundation", not "WMF". Otherwise I think I'm cool with that, since the Meta page for the team has contact info on it.

> > with a WikimediaMessages override to say "...contact WMF Trust & Safety."
>
> Tiny thing but this likely needs to be "Wikimedia Foundation", not "WMF". Otherwise I think I'm cool with that, since the Meta page for the team has contact info on it.

I tried :( but the problem is that Echo notifications have a length limit, and if it exceeds that it'll get truncated.

Screenshot 2022-02-16 at 23-57-06 Trunk Test.png (418×717 px, 46 KB)

Screenshot 2022-02-16 at 23-57-25 Trunk Test.png (417×686 px, 44 KB)

IIRC some other languages are typically longer and will likely be even worse.

> > > with a WikimediaMessages override to say "...contact WMF Trust & Safety."
> >
> > Tiny thing but this likely needs to be "Wikimedia Foundation", not "WMF". Otherwise I think I'm cool with that, since the Meta page for the team has contact info on it.
>
> I tried :( but the problem is that Echo notifications have a length limit, and if it exceeds that it'll get truncated.
>
> Screenshot 2022-02-16 at 23-57-06 Trunk Test.png (418×717 px, 46 KB)
>
> Screenshot 2022-02-16 at 23-57-25 Trunk Test.png (417×686 px, 44 KB)
>
> IIRC some other languages are typically longer and will likely be even worse.

Curses! Fair enough. :)

Change 763190 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763190

Change 763299 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/extensions/OATHAuth@REL1_37] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763299

Change 763300 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/extensions/OATHAuth@REL1_36] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763300

Change 763301 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/extensions/OATHAuth@REL1_35] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763301

Change 763299 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_37] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763299

Change 763300 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_36] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763300

Change 763301 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_35] Send a notification when 2FA is disabled

https://gerrit.wikimedia.org/r/763301

Change 763699 had a related patch set uploaded (by Legoktm; author: Legoktm):

[mediawiki/extensions/WikimediaMessages@master] Add overrides for 2FA disabled notification

https://gerrit.wikimedia.org/r/763699

Change 763699 merged by jenkins-bot:

[mediawiki/extensions/WikimediaMessages@master] Add overrides for 2FA disabled notification

https://gerrit.wikimedia.org/r/763699

Change 764400 had a related patch set uploaded (by Bartosz Dziewoński; author: Legoktm):

[mediawiki/extensions/WikimediaMessages@wmf/1.38.0-wmf.23] Add overrides for 2FA disabled notification

https://gerrit.wikimedia.org/r/764400

Change 764400 merged by jenkins-bot:

[mediawiki/extensions/WikimediaMessages@wmf/1.38.0-wmf.23] Add overrides for 2FA disabled notification

https://gerrit.wikimedia.org/r/764400

matmarex added a subscriber: matmarex.

It seems the message oathauth-notifications-disable-primary newly introduced in rEOAT329c3133d6eed8b8bc0b9c7a3cd6bfeebb05c915 is not defined, see https://www.mediawiki.org/wiki/Topic:Wsnjwprwq8rzsoo2.

Change 776327 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] Add missing oathauth-notifications-(dis|en)able-primary messages

https://gerrit.wikimedia.org/r/776327

Example of an email, here in French:

Disable OATHAuth email.png (203×639 px, 18 KB)