Page MenuHomePhabricator
Create Task
Maniphest T345818

Store client hint mapping rows for login events
Closed, ResolvedPublic3 Estimated Story Points
Actions

Description

We should collect Client Hints data when users log in. This will allows CheckUsers to match this data against other accounts as part of a CheckUser investigation.

We currently send client hint header data when a POST request is made to login. We should remove the headers sent on this page, as the data that is sent is not collected. This will be replaced with a use of the JavaScript API.

Acceptance criteria
  • When a user fails to log in, CheckUser creates rows in cu_useragent_clienthints_map if the browser supports Client Hints
  • When a user logs in, CheckUser creates rows in cu_useragent_clienthints_map if the browser supports Client Hints

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
client hints: Add selenium test for loginsmediawiki/extensions/CheckUsermaster+18 -0
Collect client hints data for successful loginsmediawiki/extensions/CheckUsermaster+388 -97
Collect Client Hints data on failed login attemptsmediawiki/extensions/CheckUsermaster+158 -36
Support private log events in Client Hints REST API endpointmediawiki/extensions/CheckUsermaster+298 -52
Customize query in gerrit

Related Objects
Search...

Event Timeline

kostajh created this task.Sep 7 2023, 11:26 AM
kostajh mentioned this in T341094: Create client hint mapping rows for CheckUser-worthy events.Sep 7 2023, 11:31 AM
kostajh moved this task from Backlog to Release 2 (iteration, increase data collection coverage) on the http-client-hints board.Sep 26 2023, 11:10 AM
kostajh edited projects, added http-client-hints (Release 2 (iteration, increase data collection coverage)); removed http-client-hints.
Dreamy_Jazz added a parent task: T341829: Enable read new for the event table migration.Oct 22 2023, 1:11 PM
Dreamy_Jazz edited parent tasks, added: T328992: Add read new support to Special:CheckUser for event table migration; removed: T341829: Enable read new for the event table migration.
Dreamy_Jazz removed a parent task: T328992: Add read new support to Special:CheckUser for event table migration.Oct 22 2023, 1:20 PM
Dreamy_Jazz added a subtask: T328992: Add read new support to Special:CheckUser for event table migration.
Dreamy_Jazz closed subtask T328992: Add read new support to Special:CheckUser for event table migration as Resolved.Dec 11 2023, 5:21 PM
TAdeleye_WMF edited projects, added Trust and Safety Product Team; removed Anti-Harassment-Team.May 14 2024, 4:15 PM
kostajh mentioned this in T374763: checkuser reports wrong device for login events.Sep 17 2024, 7:39 AM
kostajh added a project: Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15).Nov 4 2024, 12:18 PM
Dreamy_Jazz claimed this task.Nov 4 2024, 5:15 PM
Dreamy_Jazz moved this task from Priority Backlog to Ready on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.
Dreamy_Jazz set the point value for this task to 3.
Dreamy_Jazz moved this task from Ready to In Progress on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.
Dreamy_Jazz updated the task description. (Show Details)Nov 4 2024, 5:21 PM
gerritbot added a comment.Nov 5 2024, 5:27 PM

Change #1087526 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] [Very WIP] Collect Client Hints data on login attempts

https://gerrit.wikimedia.org/r/1087526

gerritbot added a project: Patch-For-Review.Nov 5 2024, 5:27 PM
gerritbot added a comment.Nov 6 2024, 3:52 PM

Change #1087934 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Support private log events in Client Hints REST API endpoint

https://gerrit.wikimedia.org/r/1087934

gerritbot added a comment.Nov 7 2024, 8:00 AM

Change #1087934 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Support private log events in Client Hints REST API endpoint

https://gerrit.wikimedia.org/r/1087934

ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.3; 2024-11-12).Nov 7 2024, 9:00 AM
kostajh updated the task description. (Show Details)Nov 7 2024, 11:31 AM
gerritbot added a comment.Nov 7 2024, 11:48 AM

Change #1087526 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Collect Client Hints data on failed login attempts

https://gerrit.wikimedia.org/r/1087526

Maintenance_bot removed a project: Patch-For-Review.Nov 7 2024, 12:30 PM
Dreamy_Jazz added a comment.Nov 8 2024, 3:09 PM

There is some additional complication for logins that are successful, as we need to call the API on the page loaded after the login has occurred. In most cases, that is the page specified in the 'return to' part of the URL. Plus, for MediaWiki-extensions-CentralAuth installations there may be some level of redirecting around to sign-in to other wiki farms.

Maybe putting the ID somewhere in the session variables could work, so that it's persisted through redirects and can be sent once the user is finished with the login process.

kostajh added a comment.Nov 13 2024, 2:01 PM
In T345818#10304197, @Dreamy_Jazz wrote:

There is some additional complication for logins that are successful, as we need to call the API on the page loaded after the login has occurred. In most cases, that is the page specified in the 'return to' part of the URL. Plus, for MediaWiki-extensions-CentralAuth installations there may be some level of redirecting around to sign-in to other wiki farms.

Maybe putting the ID somewhere in the session variables could work, so that it's persisted through redirects and can be sent once the user is finished with the login process.

My suggesion is that we rework CheckUserClientHintsSpecialPages to allow for a list of enabled methods, and change "Userlogin": "js" to "Userlogin": [ "js", "header" ]. That would prompt the user's browser to send client hints data on POST requests when it visits Special:Userlogin. Then, we need to work out how to get the private event ID recorded in the client hints table:

  • We could implement the onUserLoginComplete hook or the onAuthManagerLoginAuthenticateAudit hook, and list the clienthints handler after the CheckUserPrivateEvents handler. That would ensure that the row is created before our handler runs.
  • We could subscribe to the onCheckUserInsertPrivateEventRow hook in CheckUser in the clienthints handler

While mixing header and JS API usage is not ideal in some regards, using the header for obtaining client hints seems like the much simpler and more robust option here.

If we really want to use the JS API, then we need to probably do something like set a property on the user's session (e.g. wgCheckUserPrivateEventLoginId), and in BeforePageDisplay check if this property is set and export it to the client side, and then have our client hints JS code make a POST request using the ID. The REST handler would then also be responsible for clearing the wgCheckUserPrivateEventLoginId in the user's session.

Dreamy_Jazz added a comment.Nov 13 2024, 2:16 PM
In T345818#10316721, @kostajh wrote:
In T345818#10304197, @Dreamy_Jazz wrote:

There is some additional complication for logins that are successful, as we need to call the API on the page loaded after the login has occurred. In most cases, that is the page specified in the 'return to' part of the URL. Plus, for MediaWiki-extensions-CentralAuth installations there may be some level of redirecting around to sign-in to other wiki farms.

Maybe putting the ID somewhere in the session variables could work, so that it's persisted through redirects and can be sent once the user is finished with the login process.

My suggesion is that we rework CheckUserClientHintsSpecialPages to allow for a list of enabled methods, and change "Userlogin": "js" to "Userlogin": [ "js", "header" ]. That would prompt the user's browser to send client hints data on POST requests when it visits Special:Userlogin. Then, we need to work out how to get the private event ID recorded in the client hints table:

  • We could implement the onUserLoginComplete hook or the onAuthManagerLoginAuthenticateAudit hook, and list the clienthints handler after the CheckUserPrivateEvents handler. That would ensure that the row is created before our handler runs.
  • We could subscribe to the onCheckUserInsertPrivateEventRow hook in CheckUser in the clienthints handler

While mixing header and JS API usage is not ideal in some regards, using the header for obtaining client hints seems like the much simpler and more robust option here.

If we really want to use the JS API, then we need to probably do something like set a property on the user's session (e.g. wgCheckUserPrivateEventLoginId), and in BeforePageDisplay check if this property is set and export it to the client side, and then have our client hints JS code make a POST request using the ID. The REST handler would then also be responsible for clearing the wgCheckUserPrivateEventLoginId in the user's session.

Thanks for the thoughts. I'll proceed with the header idea for just a successful login. I think I can place the code in CheckUserInsert like we have for setting the private event ID for the failed login attempts.

gerritbot added a comment.Nov 13 2024, 4:46 PM

Change #1090902 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] [Very WIP] Collect client hints data for successful logins

https://gerrit.wikimedia.org/r/1090902

gerritbot added a project: Patch-For-Review.Nov 13 2024, 4:46 PM
gerritbot added a comment.Nov 15 2024, 7:57 AM

Change #1091587 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/CheckUser@master] client hints: Add selenium test for logins

https://gerrit.wikimedia.org/r/1091587

kostajh added a project: WE4.2 Anti-abuse.Nov 15 2024, 8:09 AM
kostajh moved this task from In Progress to Needs QA on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.

This is ready for QA. Please see the acceptance criteria for what to review.

gerritbot added a comment.Nov 15 2024, 8:18 AM

Change #1090902 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Collect client hints data for successful logins

https://gerrit.wikimedia.org/r/1090902

kostajh mentioned this in T345819: Store client hint mapping rows for logout events.Nov 15 2024, 8:21 AM
ReleaseTaggerBot edited projects, added MW-1.44-notes (1.44.0-wmf.4; 2024-11-19); removed MW-1.44-notes (1.44.0-wmf.3; 2024-11-12).Nov 15 2024, 9:00 AM
gerritbot added a comment.Nov 15 2024, 11:39 AM

Change #1091587 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] client hints: Add selenium test for logins

https://gerrit.wikimedia.org/r/1091587

Maintenance_bot removed a project: Patch-For-Review.Nov 15 2024, 12:30 PM
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Accordion October 28 - November 15) board.Nov 18 2024, 9:16 AM
dom_walden subscribed.

I see client hints being stored for both failed and successfully logins.

Test environment: local docker CheckUser 2.5 (1d4e003) 07:23, 18 November 2024.

kostajh closed this task as Resolved.Nov 18 2024, 9:23 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits