Page MenuHomePhabricator
Create Task
Maniphest T390315

LoginNotify: Provide configuration to deny login if attempt is made from new IP
Closed, ResolvedPublic
Actions

Description

Summary

LoginNotify provides a notification if an attempt is made to login to an account from an IP not recently seen with that account. This task will introduce a configuration that also prevents the login from occurring.

Background

As an emergency measure, we made need to deny login to an account if it's from an unfamiliar IP.

Technical notes

  • TBD
  • There should be a configuration so that this is easily toggleable. The default is "off"

Acceptance criteria

  • When config is enabled, a login from an unfamiliar IP for a given account is denied
  • A log message with IP and user agent is generated, noting that the login was denied

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Introduce configuration to deny logins from unknown systemsmediawiki/extensions/LoginNotifywmf/1.44.0-wmf.22+212 -1
Configure LoginNotify deny functionalityoperations/mediawiki-configmaster+5 -0
Introduce configuration to deny logins from unknown systemsmediawiki/extensions/LoginNotifymaster+212 -1
Customize query in gerrit

Related Objects

Event Timeline

kostajh created this task.Mar 28 2025, 5:48 PM
Restricted Application added a project: Community-Tech. · View Herald TranscriptMar 28 2025, 5:48 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Mar 28 2025, 7:00 PM

Change #1132015 had a related patch set uploaded (by Máté Szabó; author: Máté Szabó):

[mediawiki/extensions/LoginNotify@master] Introduce configuration to deny logins from unknown systems

https://gerrit.wikimedia.org/r/1132015

gerritbot added a project: Patch-For-Review.Mar 28 2025, 7:00 PM
gerritbot added a comment.Mar 28 2025, 8:20 PM

Change #1132025 had a related patch set uploaded (by Kosta Harlan; author: Máté Szabó):

[mediawiki/extensions/LoginNotify@wmf/1.44.0-wmf.22] Introduce configuration to deny logins from unknown systems

https://gerrit.wikimedia.org/r/1132025

gerritbot added a comment.Mar 28 2025, 8:30 PM

Change #1132027 had a related patch set uploaded (by Máté Szabó; author: Máté Szabó):

[operations/mediawiki-config@master] Configure LoginNotify deny functionality

https://gerrit.wikimedia.org/r/1132027

gerritbot added a comment.Mar 28 2025, 8:35 PM

Change #1132015 merged by jenkins-bot:

[mediawiki/extensions/LoginNotify@master] Introduce configuration to deny logins from unknown systems

https://gerrit.wikimedia.org/r/1132015

mszabo mentioned this in rELGN4fc82b64eaa1: Introduce configuration to deny logins from unknown systems.Mar 28 2025, 8:35 PM
ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.23; 2025-04-01).Mar 28 2025, 9:00 PM
gerritbot added a comment.Mar 28 2025, 9:18 PM

Change #1132027 merged by jenkins-bot:

[operations/mediawiki-config@master] Configure LoginNotify deny functionality

https://gerrit.wikimedia.org/r/1132027

gerritbot added a comment.Mar 28 2025, 9:54 PM

Change #1132025 merged by jenkins-bot:

[mediawiki/extensions/LoginNotify@wmf/1.44.0-wmf.22] Introduce configuration to deny logins from unknown systems

https://gerrit.wikimedia.org/r/1132025

kostajh mentioned this in rELGNd7d6a87427cb: Introduce configuration to deny logins from unknown systems.Mar 28 2025, 9:55 PM
Stashbot added a comment.Mar 28 2025, 9:55 PM

Mentioned in SAL (#wikimedia-operations) [2025-03-28T21:55:51Z] <sbassett@deploy1003> Started scap sync-world: Backport for [[gerrit:1132029|Add LoginNotify to disallowed local providers]], [[gerrit:1132025|Introduce configuration to deny logins from unknown systems (T390315)]], [[gerrit:1132027|Configure LoginNotify deny functionality (T390315)]]

ReleaseTaggerBot edited projects, added MW-1.44-notes (1.44.0-wmf.22; 2025-03-25); removed MW-1.44-notes (1.44.0-wmf.23; 2025-04-01).Mar 28 2025, 10:00 PM
Stashbot mentioned this in T143162: Reduce task notification noise/frequency of changes to associated open patchsets.Mar 28 2025, 10:01 PM

Mentioned in SAL (#wikimedia-releng) [2025-03-28T22:01:54Z] <Krinkle> Disable duplicate publishing noise from extension-LoginNotify, ref T143162, T390315

Stashbot added a comment.Mar 28 2025, 10:10 PM

Mentioned in SAL (#wikimedia-operations) [2025-03-28T22:10:29Z] <sbassett@deploy1003> sbassett, tgr, mszabo, kharlan: Backport for [[gerrit:1132029|Add LoginNotify to disallowed local providers]], [[gerrit:1132025|Introduce configuration to deny logins from unknown systems (T390315)]], [[gerrit:1132027|Configure LoginNotify deny functionality (T390315)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Mar 28 2025, 10:23 PM

Mentioned in SAL (#wikimedia-operations) [2025-03-28T22:23:23Z] <sbassett@deploy1003> Finished scap sync-world: Backport for [[gerrit:1132029|Add LoginNotify to disallowed local providers]], [[gerrit:1132025|Introduce configuration to deny logins from unknown systems (T390315)]], [[gerrit:1132027|Configure LoginNotify deny functionality (T390315)]] (duration: 27m 32s)

Maintenance_bot removed a project: Patch-For-Review.Mar 28 2025, 10:30 PM
Reedy moved this task from Backlog to Features on the MediaWiki-extensions-LoginNotify board.Mar 30 2025, 11:21 AM
kostajh mentioned this in T390428: LoginNotify: Create a mechanism to adaptively enable the deny-login mode.Mar 30 2025, 11:32 AM
Johannnes89 subscribed.Mar 30 2025, 12:00 PM
kostajh assigned this task to mszabo.Mar 30 2025, 12:47 PM
kostajh added a project: Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)).
kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)) board.
kostajh mentioned this in T390436: LoginNotify: Exempt users with 2FA enabled from the login-deny mechanism.Mar 30 2025, 12:50 PM
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Chocolate Cake (March 24 - April 11)) board.Apr 3 2025, 9:35 AM
dom_walden subscribed.

I am blocked from logging in when using a new IP and I don't have a loginnotify_prevlogins cookie set on my browser. Where the user I am trying to login has an email, I see an email sent with subject Failed attempt to log in to {wiki} as {user}. It does not seem to matter if the password is correct or not.

With various different LoginNotify configs I used the API to login with many different users and inspect what is recorded in debug logs by LoginNotify. Logins are rejected when the user is not known or if there is no info. In the case of no info, a job is created to lookup the information for a user but we still reject the login before the job has completed. This seems like a safe response.

It does not appear to affect creating accounts, re-entering your password (e.g. when changing password) or sending password resets.

Test environment: local docker LoginNotify 0.1 (79ad68a) 07:20, 1 April 2025.

kostajh closed this task as Resolved.Apr 3 2025, 9:57 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits