Page MenuHomePhabricator
Create Task
Maniphest T222849

OATHAuth disable 2fa doesn't properly check getLoginSecurityLevel()
Closed, InvalidPublic
Actions

Description

Not super critical since you do have to input a 2FA code to disable.

getLoginSecurityLevel() in SpecialDisableOATHForUser is supposed to require users to re-enter their pass before disabling 2FA. This does not seem to work in practise.

Related Objects

Event Timeline

Bawolff created this task.May 8 2019, 10:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 8 2019, 10:42 PM
Tgr closed this task as Invalid.May 9 2019, 12:03 AM
Tgr subscribed.

SpecialDisableOATHForUser disables OAuth for other users. (Shame on someone for not documenting what the class does :) SpecialOATHDisable does not use getLoginSecurityLevel() (that would be bad, since it would require two tokens to disable).

Bawolff added a comment.May 10 2019, 4:56 AM

Ah, that's confusing. Thanks.

Still seems like it would be nice to require a pass and a token, in case e.g. someone has someone's phone for a limited window but does not know the password. But requiring multiple tokens would be silly.

Tgr added a comment.May 10 2019, 6:26 AM

That would require T197153: Make some providers optional for reauthentication; otherwise probably doable.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits