Disabling the 2FA (either by the user or disableOATHAuthForUser.php) should trigger a flow and email notification to the user that his 2FA has been disabled, so that, in case there was anything fishy with this action, the legitimate account owner can notice.
| Status | Subtype | Assignee | Task |
| Resolved | | Tgr | T189537 2FA reset should log the user out |
| Open | | None | T125653 Create new types of notifications |
| Resolved | Release | dduvall | T300199 1.38.0-wmf.23 deployment blockers |
| Resolved | | Legoktm | T210075 Send notification when 2FA is disabled |
| Resolved | | Legoktm | T210963 Send an email when 2FA is disabled |
Mentioned In
- T306184: OATHAuth's disableOATHAuthForUser.php script triggers a Notification that can't be sent as MW isn't initialised yet, so causes a production error
- T303404: ArgumentCountError: Too few arguments to function MediaWiki\Extension\OATHAuth\OATHUserRepository::remove(), 2 passed in /srv/mediawiki/php-1.38.0-wmf.25/extensions/WebAuthn/src/HTMLForm/WebAuthnDisableForm.php on line 114 and exactly 3 expected
- T300199: 1.38.0-wmf.23 deployment blockers
- T131788: Users should be notified when only two scratch tokens are left
- T301992: Insert CheckUser row events during certain 2FA actions
- T301987: Notify user when 2FA has been enabled
- T210963: Send an email when 2FA is disabled
- T189537: 2FA reset should log the user out

Mentioned Here
- T301987: Notify user when 2FA has been enabled
- rEOAT851656bbdf74: Revert "OATHUserRepository: Stop handling legacy single-key"
- rEOAT329c3133d6ee: Send a notification when 2FA is disabled
Seems easy enough. Dunno if this text is too scary, but there's not that much space, anything longer gets truncated. It currently links to Special:Preferences, but we could add a secondary link to a help page if someone writes one.
Do you plan to send a notification on self-service removals only? Or also when someone with super-high permissions uses https://meta.wikimedia.org/wiki/special:DisableOATHForUser? If the latter (which I feel is a good idea anyway), the "If you didn't do it" part will make no sense. FTR, the special page is how a lot of the forced 2FA removals are done by T&S (the remainder is the maintenance script, usually used at private wikis).
My patch sends notification for all 2FA removals, whether it's self-initiated, the special page or maint script...and I think that's the way it should be done.
If the latter (which I feel is a good idea anyway), the "If you didn't do it" part will make no sense.
Good point. Maybe for the non-self-initiated notification, "If you did not request this, you should contact an administrator." with a WikimediaMessages override to say "...contact WMF Trust & Safety."? And then the option to add a help link, which again, WikimediaMessages can point to Meta.
I tried :( but the problem is that Echo notifications have a length limit, and if it exceeds that it'll get truncated.
IIRC some other languages are typically longer and will likely be even worse.
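The design the thread converges on (one removal path shared by the preferences form, the special page and the maintenance script; a notification on every removal; wording that differs for self-initiated versus administrator-initiated removals; a length cap that must not silently truncate; and, per T306184 above, sending that cannot run before the application is initialised) can be modelled in a few dozen lines. The following is an added illustration written for this page, not OATHAuth's or Echo's code: the names `Initiator`, `TwoFactorService`, `EchoLikeNotifier`, the 200-character cap and the sample user are all constructed assumptions.

```python
"""Model of a single 2FA-removal path that always notifies the user.

Added illustration, not the extension's code. Names, the length cap and the
sample data below are constructed for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Initiator(Enum):
    SELF = "self"                 # user removed 2FA from their own preferences
    ADMIN = "special-page"        # privileged user via a DisableOATHForUser-style page
    MAINTENANCE = "maint-script"  # command-line script, no interactive session


# Constructed stand-in for the notification system's length limit; the real
# value belongs to that system, not to this code.
MAX_NOTIFICATION_LEN = 200


@dataclass
class User:
    name: str
    email: str
    two_factor_enabled: bool = True
    sessions: set = field(default_factory=set)


@dataclass
class Notification:
    recipient: str
    text: str
    link: str
    channels: tuple = ("web", "email")


class EchoLikeNotifier:
    """Queues notifications; nothing leaves until the host app says it is ready.

    Queuing keeps a script that runs before initialisation from trying to send
    directly (the failure mode described in T306184)."""

    def __init__(self):
        self.ready = False
        self.queue: list = []
        self.sent: list = []

    def enqueue(self, n: Notification) -> None:
        # Fail loudly at build time rather than letting the text be truncated.
        if len(n.text) > MAX_NOTIFICATION_LEN:
            raise ValueError(f"notification text would be truncated ({len(n.text)} chars)")
        self.queue.append(n)

    def flush(self) -> int:
        if not self.ready:
            raise RuntimeError("notification backend not initialised")
        self.sent.extend(self.queue)
        count = len(self.queue)
        self.queue.clear()
        return count


def build_text(initiator: Initiator) -> str:
    """Wording differs only in what the recipient should do if it was not them."""
    if initiator is Initiator.SELF:
        return ("Two-factor authentication was disabled on your account. "
                "If you did not do this, review your account settings now.")
    return ("Two-factor authentication was disabled on your account by an administrator. "
            "If you did not request this, contact an administrator.")


@dataclass
class TwoFactorService:
    notifier: EchoLikeNotifier
    audit_log: list = field(default_factory=list)

    def disable(self, user: User, initiator: Initiator, actor: str) -> bool:
        """The one removal path used by all three entry points."""
        if not user.two_factor_enabled:
            return False
        user.two_factor_enabled = False
        user.sessions.clear()  # drop sessions, as T189537 ("reset should log the user out") asks
        self.audit_log.append((user.name, initiator.value, actor))
        self.notifier.enqueue(Notification(
            recipient=user.email, text=build_text(initiator), link="Special:Preferences"))
        return True


if __name__ == "__main__":
    notifier = EchoLikeNotifier()
    service = TwoFactorService(notifier)
    for who in Initiator:
        u = User("example-user", "user@example.invalid", sessions={"session-1"})  # constructed
        service.disable(u, who, actor="maint" if who is Initiator.MAINTENANCE else "someone")
    notifier.ready = True
    print(f"sent {notifier.flush()} notifications; audit: {service.audit_log}")
```

The point of routing every entry point through `disable()` is that the notification and the audit entry cannot be skipped by whichever path an operator happens to use; the per-initiator wording and the length check live in one place so a WikimediaMessages-style override only has to adjust two strings.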
It seems the message oathauth-notifications-disable-primary newly introduced in rEOAT329c3133d6eed8b8bc0b9c7a3cd6bfeebb05c915 is not defined, see https://www.mediawiki.org/wiki/Topic:Wsnjwprwq8rzsoo2.
Similarly, oathauth-notifications-enable-primary is needed from T301987: Notify user when 2FA has been enabled/rEOAT851656bbdf74: Revert "OATHUserRepository: Stop handling legacy single-key"