Page MenuHomePhabricator

Wikimedia login plugin for Discourse should accept only one Wikimedia account per email address
Closed, ResolvedPublic

Description

Currently the Wikimedia login plugin for Discourse "merges" multiple Wikimedia accounts sharing the same email address. While Discourse requires a unique email address for each user, Wikimedia SUL doesn't.

In order to avoid user confusion and potential security weaknesses, it seems a good idea to add a username/email check to the Wikimedia login plugin for Discourse.

  • The plugin should check whether the incoming Wikimedia username/email already exists in the Discourse database.
  • If none of them exists, a new account would be created.
  • If the email already exists but the username doesn't, then an error message would be displayed to the user, like: "There is already an account using this email address. If you want to use more than one account in $SITENAME, then you need to use unique email addresses for each Wikimedia account."

There is the possibility that the username exists but the email address has changed. What should we do in these situations?

Event Timeline

Qgil created this task.Sep 3 2019, 1:41 PM
Samat added a comment.Sep 3 2019, 2:23 PM

There is the possibility that the username exists but the email address has changed. What should we do in these situations?

It is a normal situation, that somebody changes their email address. Discourse should follow this change, I believe. (I don't see if it was a security risk, but maybe I am wrong.)
Is it possible in a way, that the user doesn't realize anything about it? (Keeping all settings, history, badges etc.)

Samat added a comment.Sep 3 2019, 2:49 PM

an error message would be displayed to the user, like: "There is already an account using this email address. If you want to use more than one account in $SITENAME, then you need to use unique email addresses for each Wikimedia account."

Or automatically offer the log in surface to the user to log in with the already existing account? (Without any prefilled field to keep the security and privacy.)

It is a typical use case, that somebody log in with different users: X and X (WMF), Y and YBot, Z1 and Z2 because of many legal reasons, and switches between them frequently. It would be more comfortable to offer a smooth way to change the log in in this case.

Tgr added a comment.Sep 3 2019, 7:51 PM

The plugin should check whether the incoming Wikimedia username/email already exists in the Discourse database.

Both of those can change; it should check for central user ID.
(On non-Wikimedia installations central user ID might change as well, e.g. if the site switches authentication methods. The documentation of the Discourse plugin should warn about that but does not need to address it.)

If the email already exists but the username doesn't, then an error message would be displayed to the user, like: "There is already an account using this email address. If you want to use more than one account in $SITENAME, then you need to use unique email addresses for each Wikimedia account."

s/username/central user ID/. What should the user do if they accidentally created the account from the "wrong" Wikimedia user account? Probably the MVP answer is "find a Discourse sysadmin who can change it in the database" but it would be nice to have a plan at least for how to handle it longer term.

There is the possibility that the username exists but the email address has changed. What should we do in these situations?

s/username/central user ID/. From a security perspective it is safe to merge the email addresses (add the new address as a secondary one, or even better set it as primary and add the old one as secondary); not sure how hard that is on the Discourse side.

There's also the possibility that the central user ID exists but the *username* has changed (via Wikimedia global user rename). That causes the Discourse username to mismatch the MediaWiki one; updating the Discourse username would break existing mentions. Not sure what can be done about that. It ties into the wider topic of how flexible Discourse usernames should be (e.g. what if the auto-sanitized version of my MediaWiki username is really useless, or non-unique?).

Samat added a comment.EditedSep 3 2019, 7:58 PM

Is it in impossible, that discourse uses a user ID as a unique identifier, and our case it is the same as it is in the Wikimedia database? That would solve most of the the problems above (username and email address changes, non-uniqueness).

Two questions from the Discourse developer pertaining to this:

Are we 100% sure that usernames are unique and will remain unique? What if the Wikimedia server against which we are authenticating changes? (i.e. the site setting wikimedia auth site changes). If not, is there a user property that’s guaranteed to be unique? What about the user’s Central ID?

Is it possible to have two or more emails associated with the same account?

Tgr added a comment.Sep 3 2019, 10:06 PM

Usernames are unique but not permanent. We have seen attacks in the past where User:Foo is renamed to User:Bar and User:Evil social-engineers renaming themselves to User:Foo and gets access to stuff they shouldn't.

Central ID is unique and permanent. Theoretically it can change when users get merged into one or the site switches auth methods; none of that should happen in the Wikimedia cluster. (Also user merge means the merged account won't be used anymore so no issue there. Site auth switch means everything storing central IDs gets messed up so you'd have far bigger problems than Discourse; such a site would probably have to come up with a method of providing stable legacy IDs anyway.)
Slightly less theoretically, it's possible for a user to not have a central ID. It's fine to just prevent those users from logging in.

Is it possible to have two or more emails associated with the same account?

No, although there have been proposals along those lines (T129747: Proposal: allow a second email address (wikimail, password reset, notifications)). Do we need to care? The OAuth identity check is still going to provide one email address.

elappen-WMF added a comment.EditedSep 3 2019, 10:13 PM

Thanks. In terms of making usernames uniform, even for those who used the Phabricator login method (and were allowed to create whatever username they'd like), would a good approach be to change the user's Discourse username to their Wikimedia username upon their first login with OAuth? (Sorry just dropped this here, may have been better for another related discussion but I figured I had your attention!)

Tgr added a comment.Sep 3 2019, 11:19 PM

I don't have a good understanding of that changing a Doscourse username entails. Presumably it will break all the @-mentions; can it cause any problems on the Discourse site beyond that?

Qgil triaged this task as Normal priority.Sep 4 2019, 9:55 AM
Qgil moved this task from Backlog to Started on the Space (Jul-Sep-2019) board.

would a good approach be to change the user's Discourse username to their Wikimedia username upon their first login with OAuth?

Here is the bug: My Wikimedia name contains a space, Discourse doesn't allow a space in the user name.

elappen-WMF closed this task as Resolved.EditedMon, Sep 16, 11:58 PM

The plugin has been modified so that if a user attempts to login with a Wikimedia account that has the same email, but a different username, as a Wikimedia account a user has previously used to login with, the login will fail, showing the user an error message that reads "Your Wikimedia email is associated with an existing account". The developer has also updated the check that looks at whether a Wikimedia email is associated with an existing account to use the user’s Central ID instead of their username, which prevents issues arising from usernames changing.

https://github.com/paviliondev/discourse-wikimedia-auth/commit/2b6910f89538fe977b5d629f96c1760e9ad3dd31

Qgil moved this task from Started to Evaluated on the Space (Jul-Sep-2019) board.Tue, Sep 17, 7:06 AM
Qgil awarded a token.