Page MenuHomePhabricator

Make some authentication APIs unavailable to temporary users
Closed, ResolvedPublic

Description

The following throw a notloggedin error for anonymous users, and should do the same for temporary users:

  • ApiChangeAuthenticationData
  • ApiRemoveAuthenticationData
  • ApiLinkAccount
  • TemporaryPasswordPrimaryAuthenticationProvider No update needed; anons are identified by having an IP for a name, and a custom message is used that assumes the name is an IP address.
  • ApiValidatePassword This is just for checking generic password/username validity and is available to anons

Event Timeline

Tchanders added a subscriber: tstarling.

@tstarling Before we pick this up, is there any reason why a temporary account should have access to any of these?

Change 928869 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/core@master] Prevent temporary users from accessing APIs for changing passwords

https://gerrit.wikimedia.org/r/928869

Change 928871 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/core@master] Prevent temporary users from accessing ApiLinkAccount

https://gerrit.wikimedia.org/r/928871

Change 928871 merged by jenkins-bot:

[mediawiki/core@master] Prevent temporary users from accessing ApiLinkAccount

https://gerrit.wikimedia.org/r/928871

Change 928869 merged by jenkins-bot:

[mediawiki/core@master] Prevent temporary users from accessing APIs for changing passwords

https://gerrit.wikimedia.org/r/928869

Testing notes

ApiChangeAuthenticationData:

  • On Special:ApiSandbox, fill in the fields:
    • action=changeauthenticationdata
    • changeauthrequest=MediaWiki\\Auth\\PasswordAuthenticationRequest
  • Click on auto-fill token if necessary
  • Results should contain "code": "notloggedin"
  • Before these patches were merged, results contained "code": "reauthenticate"

ApiRemoveAuthenticationData:

  • As for ApiChangeAuthenticationData, but fill in the fields:
    • action=removeauthenticationdata
    • request=MediaWiki\\Auth\\TemporaryPasswordAuthenticationRequest

(Note: This shouldn't be needed since the above should just work, but to find out what to enter for changeauthrequest, use the action=query&meta=authmanagerinfo API and enter amirequestsfor=change. To find out what to enter for request, do the same but enter amirequestsfor=remove.)

ApiLinkAccount:
This is tricky to test as it's for 3rd-party authentication. It's small enough and similar enough to the others that I'm happy to bypass QA on this one.

@Tchanders I'm getting a different request as seen in my screenshots. It may be something with. my own local config?

changeauthenticationdata

T332411_IPMasking_API_ChangeAuthData1.png (1ร—3 px, 349 KB)

T332411_IPMasking_API_ChangeAuthData2.png (1ร—3 px, 368 KB)

removeauthenticationdata

T332411_IPMasking_API_RemoveAuthData1.png (977ร—3 px, 343 KB)

T332411_IPMasking_API_RemoveAuthData2.png (1ร—3 px, 371 KB)

@GMikesell-WMF What happens if you do this?

(Note: This shouldn't be needed since the above should just work, but to find out what to enter for changeauthrequest, use the action=query&meta=authmanagerinfo API and enter amirequestsfor=change. To find out what to enter for request, do the same but enter amirequestsfor=remove.)

@Tchanders After the git stash to get rid of the updates and update again, it works fine as seen in the screenshots below. I will move this to Done, thanks!

Accountchangeauthenticationdataremoveauthenticationdata
Temp User
T332411_IPMasking_Temp_ChangeAuth.png (856ร—3 px, 281 KB)
T332411_IPMasking_Temp_RemoveAuth.png (850ร—3 px, 276 KB)
Not Logged In
T332411_IPMasking_NotLogged_ChangeAuth.png (615ร—1 px, 169 KB)
T332411_IPMasking_NotLogged_RemoveAuth.png (624ร—1 px, 169 KB)