Page MenuHomePhabricator

Implement .well-known/change-password redirect on Wikimedia sites
Closed, ResolvedPublic

Description

spec, web.dev article. Password managers (such as the one built into Chrome) use this when they suggest the user to change their password because it is weak or was found in a leak. Implementing is straightforward, just redirect .well-known/change-password to the wiki's password change URL (/wiki/Special:ChangeCredentials/MediaWiki%5CAuth%5CPasswordAuthenticationRequest).

See also T263927: MediaWiki user and password fields should have the proper autocomplete value.

Event Timeline

Change 629853 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/puppet@production] Implement .well-known/change-password redirect on Wikimedia sites

https://gerrit.wikimedia.org/r/629853

Change 629853 merged by Jbond:
[operations/puppet@production] Implement .well-known/change-password redirect on Wikimedia sites

https://gerrit.wikimedia.org/r/629853

Change 630899 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/puppet@production] Fix .well-known/change-password URL

https://gerrit.wikimedia.org/r/630899

Change 630899 merged by Jbond:
[operations/puppet@production] Fix .well-known/change-password URL

https://gerrit.wikimedia.org/r/630899

Change 630902 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/puppet@production] Fix .well-known/change-password URL some more

https://gerrit.wikimedia.org/r/630902

Change 630902 merged by Jbond:
[operations/puppet@production] Fix .well-known/change-password URL some more

https://gerrit.wikimedia.org/r/630902

Here is the description of the Chrome feature (which is very well done): https://security.googleblog.com/2019/02/protect-your-accounts-from-data.html

After making sure I have a test account with a weak password, I went to https://passwords.google.com/ and started the password checkup. That gave me a password change link:

but the "change password" link just takes me to the Wikipedia main page. Maybe Google needs some time to crawl the redirect?

Urbanecm added a subscriber: Urbanecm.

The redirect works fine for me - closing as resolved.

The redirect works fine for me

Yeah but does the actual Chrome feature work? It doesn't seem to, for me. According to Platform Status it should be enabled in Chrome 86.

@Tgr I didn't try that to be honest, as it isn't in scope of this task (it says implement the redirect, which was done). If we want to track the Upstream bug, I'd say create a follow-up task.