Page MenuHomePhabricator
Create Task
Maniphest T228588

2FA logon doesn’t work on the iOS app
Closed, ResolvedPublic
Actions

Description

The box to enter the 2FA code doesn’t seem to actually appear... just the error message (will attach a screenshot)

Version: 6.3.0 (1643) - TestFlight Beta

Related Objects

Event Timeline

Reedy created this task.Jul 21 2019, 1:09 PM
Restricted Application added a project: Wikipedia-iOS-App-Backlog. · View Herald TranscriptJul 21 2019, 1:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Reedy updated the task description. (Show Details)Jul 21 2019, 1:09 PM
Reedy updated the task description. (Show Details)
Reedy added a comment.Jul 21 2019, 1:17 PM

A4DEA40F-BCD7-44EF-9D32-BD43A9CDFBA9.png (1×750 px, 181 KB)

JMinor triaged this task as High priority.Jul 22 2019, 6:35 PM
JMinor moved this task from Needs Triage to Bug Backlog on the Wikipedia-iOS-App-Backlog board.
JMinor added a project: iOS-app-v6.4-Seamonkey-On-A-Hoverboard.
Mhurd added a subscriber: Mhurd.Jul 23 2019, 6:17 PM

:(

JMinor moved this task from Tasks from Product Backlog to Needs Engineering Sync on the iOS-app-v6.4-Seamonkey-On-A-Hoverboard board.Jul 23 2019, 9:30 PM
Reedy added a comment.Jul 28 2019, 9:21 AM

It seems it's broken on Android too :/

T229167: Cannot log into Wikipedia app on Android when 2FA is set on my Wikimedia account

Reedy added a comment.Jul 28 2019, 9:22 AM

Is there something we can do to add (automated) testing for this, or making sure part of the QA of the releases, that this actually works in both versions?

LGoto moved this task from Needs Engineering Sync to Ready for Development on the iOS-app-v6.4-Seamonkey-On-A-Hoverboard board.Aug 1 2019, 8:20 PM
JoeWalsh added a subscriber: JoeWalsh.EditedAug 2 2019, 5:52 PM

@Reedy yes, we can add automated testing for this. Is there a way to create accounts with 2FA enabled on the beta cluster? nevermind, found out how to do this

JoeWalsh added a comment.Aug 2 2019, 6:30 PM

@Reedy it looks like the iOS and Android apps are both looking for a request with id equal to TOTPAuthenticationRequest in the response and that string changed to MediaWiki\Extension\OATHAuth\Auth\TOTPAuthenticationRequest - is this expected?

Mhurd added a comment.EditedAug 2 2019, 7:40 PM

For future reference, here's the original 2FA ticket:

T150699

JoeWalsh claimed this task.Aug 2 2019, 9:08 PM
JoeWalsh edited projects, added iOS-app-v6.3.1 Lobster-On-An-ORV; removed iOS-app-v6.4-Seamonkey-On-A-Hoverboard.
JoeWalsh moved this task from Tasks from Product Backlog to Waiting for Build on the iOS-app-v6.3.1 Lobster-On-An-ORV board.
Charlotte mentioned this in T227925: Unable to log in to Android app with two-factor authentication (2FA).Aug 2 2019, 9:23 PM
ItSpiderman added a subscriber: ItSpiderman.EditedAug 3 2019, 7:03 AM

@JoeWalsh Due to refactoring and moving towards namespaced classes

MediaWiki\Extension\OATHAuth\Auth\TOTPAuthenticationRequest

class name is expected.
No refactoring was done (from our side) on Wikipedia apps

Please let me know if i can help in any way

Reedy added a comment.Aug 3 2019, 7:59 AM
In T228588#5389351, @ItSpiderman wrote:

@JoeWalsh Due to refactoring and moving towards namespaced classes

MediaWiki\Extension\OATHAuth\Auth\TOTPAuthenticationRequest

class name is expected.
No refactoring was done (from our side) on Wikipedia apps

Please let me know if i can help in any way

Ugh. Partially my fault then too.

@ItSpiderman I think this is definitely worthy of a post to both wikitech-l and mediawiki-l to inform people of the breaking change in output for the extension

ItSpiderman added a comment.EditedAug 3 2019, 9:17 AM

Sent a mail to both lists
Edit: well I guess i cannot send mails right after subscribing to the lists. I will try again later, or someone else can send the mail

Osnard added a subscriber: Osnard.Aug 5 2019, 12:02 PM

Wikitech-l: https://markmail.org/message/jcntiluhm6icg7xw

JoeWalsh added a comment.Aug 5 2019, 2:39 PM

@Reedy in the future, should the apps rely on the fields in the response rather than the id? Could there be a separate field type (instead of string) for 2FA to allow for only numerical input?

Osnard added a comment.Aug 5 2019, 2:44 PM

I am wondering why the "id" is an actual PHP class name, rather than a "real" id, like totp, which chould just be provided by the PHP class and therefore would not change in such cases.

LGoto moved this task from Waiting for Build to Ready for PM Signoff on the iOS-app-v6.3.1 Lobster-On-An-ORV board.Aug 5 2019, 6:59 PM
kchapman mentioned this in T229643: Run API integration tests for all enabled extensions.Aug 5 2019, 9:08 PM
Reedy added a comment.Aug 7 2019, 2:05 PM
In T228588#5392898, @Osnard wrote:

I am wondering why the "id" is an actual PHP class name, rather than a "real" id, like totp, which chould just be provided by the PHP class and therefore would not change in such cases.

Does this code come from AuthManager rather than the OATHAuth extension?

Osnard added a comment.EditedAug 7 2019, 2:30 PM

As far as I can tell, yes. It is part of the response of a call to the clientlogin action API (https://github.com/wikimedia/apps-android-wikipedia/blob/91db452cd50960dc4b1146492dddf23d651bfdcb/app/src/main/java/org/wikipedia/login/LoginClient.java#L212). And that again just outputs stuff from AuthManager. I am not aware of any code inside Extension:OATHAuth that would publish this information directly.

Reedy added a comment.Aug 7 2019, 3:23 PM
[08:03:04] <Reedy> tgr: If you're bored... https://phabricator.wikimedia.org/T228588 class refactoring in OATHAuth broke 2FA in both our mobile apps
[08:03:31] <Reedy> Being questioned about whether the way/stuff we're exposing in clientlogin from authmanager is "right" or we could/should do soemthing else
[08:04:17] <tgr> you can provide a custom ID if you want
[08:04:47] <Reedy> which I guess is the answer to
[08:04:47] <Reedy> >I am wondering why the "id" is an actual PHP class name, rather than a "real" id, like totp, which chould just be provided by the PHP class and therefore would not change in such cases.
[08:05:01] <tgr> we haven't really though about clients wanting to depend on a specific ID, the vision was more about clients using the API to get the definitions for some form builder
[08:06:46] <tgr> there's AuthenticationRequest::getUniqueId(), although the original intent was to support use cases where you can have multiple instances of the same class (e.g. GoogleLogin where there are multiple Google accounts connected to the user) but there is no harm in using it to provide a fixed string
[08:06:54] <tgr> or fake the old value or whatever
Reedy mentioned this in T230043: Add WebAuthn support to Mobile apps.Aug 7 2019, 4:59 PM
JMinor closed this task as Resolved.Aug 27 2019, 8:42 PM
Reedy merged a task: T227925: Unable to log in to Android app with two-factor authentication (2FA).Oct 16 2019, 3:56 PM
Reedy added subscribers: Newslinger, Xiplus, Apap04 and 9 others.
Xaosflux added a subscriber: Xaosflux.Nov 1 2019, 3:24 PM

2 months in and this is still not released for Android - is this being tracked for release somewhere?

Charlotte added a comment.Nov 1 2019, 3:47 PM
In T228588#5626916, @Xaosflux wrote:

2 months in and this is still not released for Android - is this being tracked for release somewhere?

It has been released for Android. See T227925.

Apap04 added a comment.Nov 1 2019, 4:22 PM
In T228588#5626958, @Charlotte wrote:
In T228588#5626916, @Xaosflux wrote:

2 months in and this is still not released for Android - is this being tracked for release somewhere?

It has been released for Android. See T227925.

No, it's not :( It was there for a period of time before it got removed again.

Reedy added a comment.Nov 1 2019, 5:25 PM
In T228588#5626958, @Charlotte wrote:
In T228588#5626916, @Xaosflux wrote:

2 months in and this is still not released for Android - is this being tracked for release somewhere?

It has been released for Android. See T227925.

I think we're waiting for https://github.com/wikimedia/apps-android-wikipedia/commit/361e389dfd62cc65cf40e5e13b13289c6b51ed89 to appear in a public release

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL