Page MenuHomePhabricator
Create Task
Maniphest T263800

Implement .well-known/change-password redirect on Wikimedia sites
Closed, ResolvedPublic
Actions

Assigned To
Tgr
Authored By
Tgr
Sep 24 2020, 10:31 PM
Tags
Referenced Files
F32368449: google password checkup.png
Sep 30 2020, 6:33 AM
Subscribers
Aklapper
DannyS712
Tgr
Urbanecm
Tokens
"Orange Medal" token, awarded by Krinkle."Love" token, awarded by Bawolff.

Description

spec, web.dev article. Password managers (such as the one built into Chrome) use this when they suggest the user to change their password because it is weak or was found in a leak. Implementing is straightforward, just redirect .well-known/change-password to the wiki's password change URL (/wiki/Special:ChangeCredentials/MediaWiki%5CAuth%5CPasswordAuthenticationRequest).

See also T263927: MediaWiki user and password fields should have the proper autocomplete value.

Details

SubjectRepoBranchLines +/-
Fix .well-known/change-password URL some moreoperations/puppetproduction+1 -1
Fix .well-known/change-password URLoperations/puppetproduction+1 -1
Implement .well-known/change-password redirect on Wikimedia sitesoperations/puppetproduction+2 -0
Customize query in gerrit

Related Objects

Event Timeline

Tgr created this task.Sep 24 2020, 10:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 24 2020, 10:31 PM
Tgr mentioned this in T263801: Implement .well-known/change-password redirect in MediaWiki.Sep 24 2020, 10:34 PM
Tgr mentioned this in T229529: iOS13 [Feature] - Handle .well-known/change-password redirect.Sep 24 2020, 10:39 PM
gerritbot added a comment.Sep 24 2020, 10:44 PM

Change 629853 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/puppet@production] Implement .well-known/change-password redirect on Wikimedia sites

https://gerrit.wikimedia.org/r/629853

gerritbot added a project: Patch-For-Review.Sep 24 2020, 10:44 PM
Tgr updated the task description. (Show Details)Sep 24 2020, 10:45 PM
DannyS712 subscribed.Sep 24 2020, 10:56 PM
Tgr claimed this task.Sep 24 2020, 11:00 PM
Tgr moved this task from Backlog to To deploy on the Wikimedia-Site-requests board.
Bawolff awarded a token.Sep 25 2020, 1:48 AM
Tgr mentioned this in T263927: MediaWiki user and password fields should have the proper autocomplete value.Sep 27 2020, 1:53 AM
Tgr updated the task description. (Show Details)
gerritbot added a comment.Sep 29 2020, 4:07 PM

Change 629853 merged by Jbond:
[operations/puppet@production] Implement .well-known/change-password redirect on Wikimedia sites

https://gerrit.wikimedia.org/r/629853

Maintenance_bot removed a project: Patch-For-Review.Sep 29 2020, 4:10 PM
gerritbot added a comment.Sep 29 2020, 4:16 PM

Change 630899 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/puppet@production] Fix .well-known/change-password URL

https://gerrit.wikimedia.org/r/630899

gerritbot added a project: Patch-For-Review.Sep 29 2020, 4:16 PM

Change 630899 merged by Jbond:
[operations/puppet@production] Fix .well-known/change-password URL

https://gerrit.wikimedia.org/r/630899

gerritbot added a comment.Sep 29 2020, 4:36 PM

Change 630902 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/puppet@production] Fix .well-known/change-password URL some more

https://gerrit.wikimedia.org/r/630902

gerritbot added a comment.Sep 29 2020, 4:40 PM

Change 630902 merged by Jbond:
[operations/puppet@production] Fix .well-known/change-password URL some more

https://gerrit.wikimedia.org/r/630902

Maintenance_bot removed a project: Patch-For-Review.Sep 29 2020, 5:10 PM
Tgr added a comment.Sep 30 2020, 6:33 AM

Here is the description of the Chrome feature (which is very well done): https://security.googleblog.com/2019/02/protect-your-accounts-from-data.html

After making sure I have a test account with a weak password, I went to https://passwords.google.com/ and started the password checkup. That gave me a password change link:

google password checkup.png (1×1 px, 111 KB)

but the "change password" link just takes me to the Wikipedia main page. Maybe Google needs some time to crawl the redirect?

Urbanecm closed this task as Resolved.Nov 12 2020, 2:14 PM
Urbanecm subscribed.

The redirect works fine for me - closing as resolved.

Tgr added a comment.EditedNov 12 2020, 7:04 PM
In T263800#6620504, @Urbanecm wrote:

The redirect works fine for me

Yeah but does the actual Chrome feature work? It doesn't seem to, for me. According to Platform Status it should be enabled in Chrome 86.

Tgr added a comment.Nov 12 2020, 7:27 PM

Filed upstream: Chromium #1148443

Urbanecm added a comment.Nov 12 2020, 7:52 PM

@Tgr I didn't try that to be honest, as it isn't in scope of this task (it says implement the redirect, which was done). If we want to track the Upstream bug, I'd say create a follow-up task.

Krinkle awarded a token.Mar 22 2021, 11:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL