
2FA broken on mediawiki.org
Closed, Resolved | Public

Description

Possibly other WMF wikis too, but every time I try to input the TOTP code in mediawiki.org, I get the error message that it failed to validate two-factor credentials. I was able to get in with a remembered account on a different browser and disable 2FA using a scratch code. Attempting to re-enable 2FA results in the same message on the screen that has me enter a code to validate.

I've verified using both my regular app as well as a separate library on a separate device that the codes I'm typing in are correct. Can you please investigate why the server-side is believing the codes are wrong? My initial guess is a badly-synced clock on the server.

Feel free to poke me in freenode IRC MediaWiki-General (nick: Skizzerz) and I can help troubleshoot things further on my end as well.

Related Objects

Status: Resolved; Subtype: Release; Assigned: thcipriani
Status: Resolved; Assigned: Reedy

Event Timeline

@Skizzerz: Is the clock on your device accurate?

Krenair triaged this task as Unbreak Now! priority. Apr 17 2019, 4:07 PM

Oh, yeah, broken for me too.

I can log in just fine on enwiki but not mediawiki. Marking as possible deployment blocker for 1.34.0-wmf.1

I've tried two different devices and two different libraries. Checking my PC clock (one of the devices tested), it's about 1.5 seconds behind what the time.gov website lists as the current time.

Given that TOTP gives you at minimum 30 seconds, this seems like it shouldn't cause issues.

Can confirm, broken on mw.org.

Given other wikis don't have the same deployment out and still work, we can probably log in via the rest and have centralauth carry it over for now, but this seems kind of not good.

According to https://www.mediawiki.org/wiki/MediaWiki_1.34/wmf.1#OATHAuth there are 4 OATHAuth changes in this deployment, of which these two sound more likely to be involved:
https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/OATHAuth/+/471217/
https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/OATHAuth/+/502973/

Edit: @Skizzerz pointed out to me, probably not the latter as we're using TOTP not HOTP?

Change 504614 had a related patch set uploaded (by Jforrester; owner: Reedy):
[mediawiki/extensions/OATHAuth@wmf/1.34.0-wmf.1] Revert "Replace hotp.php with composer library"

https://gerrit.wikimedia.org/r/504614

Change 504614 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@wmf/1.34.0-wmf.1] Revert "Replace hotp.php with composer library"

https://gerrit.wikimedia.org/r/504614

Mentioned in SAL (#wikimedia-operations) [2019-04-17T17:18:30Z] <jforrester@deploy1001> Synchronized php-1.34.0-wmf.1/extensions/OATHAuth/: UBN T221257 train un-blocker (duration: 01m 02s)

Patch reverted in wmf.1 (but not master); this should unblock the train for now.

Change 504657 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/OATHAuth@master] Update jakobo/hotp-php to v1.0.1

https://gerrit.wikimedia.org/r/504657

Change 504657 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Update jakobo/hotp-php to v1.0.1

https://gerrit.wikimedia.org/r/504657

Jdforrester-WMF assigned this task to Reedy.

OK, this should now be fixed. Hopefully.
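
The thread's first hypothesis (clock skew) can be tested offline before suspecting the verifier itself. The following is an added example, not code from this task or from OATHAuth: a standard RFC 6238 TOTP check in Python whose function names are hypothetical and whose secret is the RFC's published test secret. It goes slightly beyond the thread by searching neighbouring time steps, so a code that matches at no offset points at the implementation rather than the clock.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
RFC_SECRET = b"12345678901234567890"  # RFC 6238 SHA-1 test secret, not a real key

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the number of elapsed steps."""
    return hotp(secret, int(unix_time) // STEP, digits)

def find_step_offset(secret, code, server_time, max_steps=20, digits=6):
    """Return the step offset (0 = current step) at which `code` is valid.

    None means the code matches no step within +/- max_steps of the server
    clock, so drift of up to max_steps * 30 s cannot explain the rejection.
    """
    now = int(server_time) // STEP
    # Try the current step first, then widen outwards.
    for delta in sorted(range(-max_steps, max_steps + 1), key=abs):
        if hmac.compare_digest(hotp(secret, now + delta, digits), code):
            return delta
    return None

def verify(secret, code, server_time, window=1, digits=6):
    """Accept the current step plus `window` steps either side."""
    return find_step_offset(secret, code, server_time, window, digits) is not None

if __name__ == "__main__":
    server = 1111111111            # constructed: 1 s after a step boundary
    client = server - 1.5          # client clock 1.5 s behind, as in the report
    code = totp(RFC_SECRET, client, digits=8)
    print("client code:", code)
    print("offset seen by server:", find_step_offset(RFC_SECRET, code, server, digits=8))
    print("accepted, window=1:", verify(RFC_SECRET, code, server, 1, 8))
    print("accepted, window=0:", verify(RFC_SECRET, code, server, 0, 8))
```

A 1.5 second lag only changes the result when it straddles a step boundary, and a one-step window absorbs it.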