
OATHAuth requesting re-auth during the middle (or mostly just before the end) of the process
Closed, Resolved (Public)

Description

Following up on T218211 and T232008

So testing the whole thing again…

This seems to have resulted in a weird workflow, that causes it to request a username and password (i.e. login again) after entering the OTP onto the enabling form... When really it should be asking *before* you try and enable 2FA...

Otherwise we're getting a workflow where you enable 2FA, but then are kicked out of your account. Which doesn't seem very UX friendly... Note, it only asks for username and password, it doesn't then give the 2FA box for you to fill in.

(will flesh this out a bit when I've poked around a bit more)

Details

Related Gerrit Patches:
mediawiki/extensions/OATHAuth : master : Ask for user re-auth only on initial requests
mediawiki/extensions/OATHAuth : REL1_34 : Ask for user re-auth only on initial requests

Event Timeline

Reedy created this task. (Oct 16 2019, 1:24 PM)
Restricted Application added a subscriber: Aklapper. (Oct 16 2019, 1:24 PM)
Reedy changed the task status from Open to Stalled. (Oct 16 2019, 2:52 PM)

And this time it requested re-auth after I clicked "enable"...

Change 545452 had a related patch set uploaded (by ItSpiderman; owner: ItSpiderman):
[mediawiki/extensions/OATHAuth@master] Ask for user re-auth only on initial requests

https://gerrit.wikimedia.org/r/545452

This was set up to ask for re-auth only on the "enable" action, but the action remains the same even after the form has been submitted, and if it happens that the re-auth period expires between starting the enabling process and submitting it, that is when this issue will occur.

With the patch above, re-auth will only be checked on the initial request, not on submit.
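
The timing described in the comment above, as an added example that is not part of the original task or of the OATHAuth code: a self-contained PHP model of the two behaviours. The `Session` class, the `handleEnable` and `runFlow` functions, the result strings and the 300-second window are all assumptions made for illustration.

```php
<?php
// Constructed model of the flow discussed in this task; not OATHAuth code.
// Session, handleEnable, runFlow and the 300-second window are assumptions.
const REAUTH_WINDOW = 300; // seconds a password login counts as recent

final class Session {
    public function __construct(public int $lastAuthAt) {}

    public function needsReauth(int $now): bool {
        return ($now - $this->lastAuthAt) > REAUTH_WINDOW;
    }
}

// One request to the hypothetical "enable 2FA" page.
// $checkOnSubmit = true models the reported behaviour (check on every
// request with the "enable" action); false models checking re-auth on
// the initial request only.
function handleEnable(Session $s, string $method, int $now, bool $checkOnSubmit): string {
    $isInitial = ($method === 'GET');
    if (($isInitial || $checkOnSubmit) && $s->needsReauth($now)) {
        return 'redirect-to-login';
    }
    return $isInitial ? 'show-enable-form' : '2fa-enabled';
}

// Login at t=0, open the form at $openAt, submit the OTP $delay seconds later.
function runFlow(bool $checkOnSubmit, int $openAt, int $delay): array {
    $s = new Session(0);
    $first = handleEnable($s, 'GET', $openAt, $checkOnSubmit);
    if ($first !== 'show-enable-form') {
        return [$first]; // asked to log in before any OTP was entered
    }
    return [$first, handleEnable($s, 'POST', $openAt + $delay, $checkOnSubmit)];
}

// Constructed scenarios: [form opened at, seconds spent on the form].
$scenarios = [[200, 30], [200, 150], [400, 30]];
foreach ([true, false] as $checkOnSubmit) {
    echo $checkOnSubmit ? "check on every request:\n" : "check on initial request only:\n";
    foreach ($scenarios as [$openAt, $delay]) {
        $steps = implode(' -> ', runFlow($checkOnSubmit, $openAt, $delay));
        echo "  open t={$openAt}, submit +{$delay}s: {$steps}\n";
    }
}
```

The second scenario is the one from the task: the window expires while the form is open, so only the variant that also checks on submit sends the user to the login page after the OTP has been entered. The model does not cover what else bounds the time between showing the form and submitting it.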

Reedy closed this task as Resolved. (Oct 23 2019, 2:45 PM)
Reedy assigned this task to ItSpiderman.

> This was set up to ask for re-auth only on the "enable" action, but the action remains the same even after the form has been submitted, and if it happens that the re-auth period expires between starting the enabling process and submitting it, that is when this issue will occur.
> With the patch above, re-auth will only be checked on the initial request, not on submit.

Thanks! Workflow is as I'd expect now :)

Change 545577 had a related patch set uploaded (by Reedy; owner: ItSpiderman):
[mediawiki/extensions/OATHAuth@REL1_34] Ask for user re-auth only on initial requests

https://gerrit.wikimedia.org/r/545577

Change 545577 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@REL1_34] Ask for user re-auth only on initial requests

https://gerrit.wikimedia.org/r/545577

Change 545452 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Ask for user re-auth only on initial requests

https://gerrit.wikimedia.org/r/545452