
Allow resetting password from blocked IP ranges by sending emails
Open, Needs Triage, Public

Description

As is discussed in T240203 and other issues, Wikipedia and other projects currently prevent users from resetting passwords or even seeing the "Forget password" button when they access via a blocked IP address. It troubles and/or confuses innocent users, especially in zhwiki where many users living in mainland China rely on open proxies or VPNs to circumvent Internet censorship every day.

I propose to allow resetting passwords via email as a fallback. We just need a separate service processing incoming emails and triggering the reset "button". If an email is received by the service, the service could check if its sender address matches a registered account on any project under Wikimedia. If it does, the service then manages to get a password reset link sent to that address. This way bears no security compromise at all and takes little effort to maintain.
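The flow described above, as an added example that is not part of the task or of the demo tool: an inbound message is parsed, the `From` address is normalised and looked up in a registry of accounts, and a reset is triggered only for a match. The registry, the sample messages and the `reset@relay.example` mailbox are constructed for the example. One caveat the flow has to absorb is that a `From` header is not authenticated unless SPF/DKIM results are checked upstream; since the reset link is only ever sent to the registered address itself, a forged sender cannot redirect it, but it can make the service mail the real owner repeatedly, so the example rate-limits per address.

```python
import email
import email.utils
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed registry: normalised email address -> account name.
# In a real deployment this lookup is the "matches a registered account"
# check from the task description; here it is a plain dict.
REGISTERED_ACCOUNTS: Dict[str, str] = {
    "alice@example.org": "Alice",
    "bob@example.org": "Bob",
}

# Constructed inbound messages (mailbox name is a placeholder).
SAMPLE_INBOUND = """From: Alice <Alice@Example.org>
To: reset@relay.example
Subject: reset

please
"""

UNKNOWN_INBOUND = """From: nobody@example.net
To: reset@relay.example
Subject: reset

please
"""


@dataclass
class ResetRelay:
    """Turns an inbound mail into a password-reset trigger for its sender."""

    accounts: Dict[str, str]
    max_per_window: int = 3
    # Requests seen per sender address within the current window
    # (window expiry is left out to keep the example short).
    counters: Dict[str, int] = field(default_factory=dict)
    # Reset links that would be sent, as (account, address) pairs.
    triggered: List[Tuple[str, str]] = field(default_factory=list)

    @staticmethod
    def sender_of(raw_message: str) -> Optional[str]:
        """Extract and normalise the From address, or None if unusable."""
        msg = email.message_from_string(raw_message)
        _, addr = email.utils.parseaddr(msg.get("From", ""))
        if "@" not in addr:
            return None
        return addr.strip().lower()

    def handle(self, raw_message: str) -> str:
        """Process one message; the return value is for the service's own log.

        The sender never receives a reply, so the distinct outcomes do not
        leak to them which addresses have accounts.
        """
        addr = self.sender_of(raw_message)
        if addr is None:
            return "unparseable"
        n = self.counters.get(addr, 0) + 1
        self.counters[addr] = n
        if n > self.max_per_window:
            # Unauthenticated From headers make unlimited triggering a
            # nuisance vector against the real owner; cap it per address.
            return "rate-limited"
        account = self.accounts.get(addr)
        if account is None:
            return "unknown-sender"
        # The link is sent to the registered address, never to the From
        # header as received, so a forged sender cannot capture it.
        self.triggered.append((account, addr))
        return "triggered"


def demo() -> ResetRelay:
    """Run the constructed messages through a relay and return it."""
    relay = ResetRelay(dict(REGISTERED_ACCOUNTS), max_per_window=2)
    for raw in (SAMPLE_INBOUND, UNKNOWN_INBOUND, SAMPLE_INBOUND, SAMPLE_INBOUND):
        print(relay.handle(raw))
    return relay


if __name__ == "__main__":
    demo()
```

The lookup and the sending step are the two places a real deployment would differ: the lookup would consult the wiki side rather than a dict, and `triggered` would become a call to the existing reset mechanism. Everything else, including the per-address cap, carries over unchanged.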

Event Timeline

Demo tool: https://resetpass.toolforge.org/~.

It depends on Cloudflare Workers to automate the email processing and password reset triggering, with a few lines of code.

I am just reminded that it might have privacy issues as technically I am collecting personal email addresses even though it is not associated with any other info. So I want to seek the community's input on whether this is acceptable or not. Would you mind taking a peek at the tool and dropping me a quick note with your thoughts? Any suggestions or concerns are totally welcome.


According to the Privacy Policy, email addresses belong to Personal Information. Unless you have an NDA and there is an appropriate privacy policy for your service (or you have specific valid reasons), collecting personal information is not accepted. It is also strongly discouraged to use a third-party email service to collect personal information. Thanks.