Page MenuHomePhabricator
Create Task
Maniphest T402094

Require reauth for all visits to and actions on Special:OATHManage
Closed, ResolvedPublic
Actions

Description

To simplify reauth management, require reauthentication every time Special:OATHManage is viewed or any action is taken.

Currently, adding an auth method requires full reauthentication, but removing one requires reauthenticating only with the method that is being removed (but not with a password). When multiple methods are supported, we'll want to allow removing one method by authenticating with another -- this change will enable that.

T402037: Increase ReauthenticateTime to 1 hour should be done first, otherwise the user experience would be very annoying.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Use standard reauth on Special:OATHManagemediawiki/extensions/OATHAuthREL1_43+7 -5
Use standard reauth on Special:OATHManagemediawiki/extensions/OATHAuthREL1_44+7 -5
Use standard reauth on Special:OATHManagemediawiki/extensions/OATHAuthREL1_39+7 -5
Remove ReauthenticateTime overridemediawiki/extensions/OATHAuthREL1_43+0 -3
Use standard reauth on Special:OATHManagemediawiki/extensions/OATHAuthREL1_42+7 -5
Use standard reauth on Special:OATHManagemediawiki/extensions/OATHAuthmaster+7 -5
Remove ReauthenticateTime overridemediawiki/extensions/OATHAuthREL1_44+0 -3
Remove ReauthenticateTime overridemediawiki/extensions/OATHAuthREL1_39+0 -3
Remove ReauthenticateTime overridemediawiki/extensions/OATHAuthmaster+0 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

Catrope created this task.Aug 16 2025, 7:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 16 2025, 7:58 PM
Catrope added a project: FY2025-26 WE4.6.2 Multiple Authenticators.Aug 16 2025, 7:58 PM
Catrope added a subtask: T402037: Increase ReauthenticateTime to 1 hour.
Catrope mentioned this in T401862: CVE-2025-11173: Reauth for enabling 2FA can be bypassed by submitting a form.Aug 16 2025, 8:06 PM
ReaperDawn subscribed.Aug 19 2025, 8:32 AM
gerritbot added a comment.Aug 20 2025, 4:58 AM

Change #1180261 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/core@master] config: Change Reauthenticate Time Default

https://gerrit.wikimedia.org/r/1180261

gerritbot added a project: Patch-For-Review.Aug 20 2025, 4:58 AM
gerritbot added a comment.Aug 20 2025, 5:01 AM

Change #1180262 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/OATHAuth@master] Remove ReauthenticateTime override

https://gerrit.wikimedia.org/r/1180262

gerritbot added a comment.Aug 20 2025, 5:16 PM

Change #1180262 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Remove ReauthenticateTime override

https://gerrit.wikimedia.org/r/1180262

Mstyles moved this task from Backlog to In Progress on the FY2025-26 WE4.6.2 Multiple Authenticators board.Aug 20 2025, 5:22 PM
Mstyles moved this task from In Progress to Backlog on the FY2025-26 WE4.6.2 Multiple Authenticators board.
Mstyles moved this task from Backlog to Needed for Beta Deployment on the FY2025-26 WE4.6.2 Multiple Authenticators board.
ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.16; 2025-08-26).Aug 20 2025, 6:00 PM
Mstyles mentioned this in T402037: Increase ReauthenticateTime to 1 hour.Aug 20 2025, 6:27 PM
Catrope closed subtask T402037: Increase ReauthenticateTime to 1 hour as Resolved.Aug 20 2025, 6:48 PM
Mstyles moved this task from Needed for Beta Deployment to In Progress on the FY2025-26 WE4.6.2 Multiple Authenticators board.Aug 20 2025, 6:51 PM
gerritbot added a comment.Aug 20 2025, 9:57 PM

Change #1180664 had a related patch set uploaded (by Reedy; author: Mstyles):

[mediawiki/extensions/OATHAuth@REL1_44] Remove ReauthenticateTime override

https://gerrit.wikimedia.org/r/1180664

gerritbot added a comment.Aug 20 2025, 9:57 PM

Change #1180665 had a related patch set uploaded (by Reedy; author: Mstyles):

[mediawiki/extensions/OATHAuth@REL1_43] Remove ReauthenticateTime override

https://gerrit.wikimedia.org/r/1180665

gerritbot added a comment.Aug 20 2025, 9:57 PM

Change #1180666 had a related patch set uploaded (by Reedy; author: Mstyles):

[mediawiki/extensions/OATHAuth@REL1_39] Remove ReauthenticateTime override

https://gerrit.wikimedia.org/r/1180666

gerritbot added a comment.Aug 20 2025, 10:28 PM

Change #1180666 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_39] Remove ReauthenticateTime override

https://gerrit.wikimedia.org/r/1180666

gerritbot added a comment.Aug 20 2025, 10:31 PM

Change #1180664 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_44] Remove ReauthenticateTime override

https://gerrit.wikimedia.org/r/1180664

gerritbot added a comment.Aug 21 2025, 10:41 PM

Change #1180998 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/OATHAuth@master] Use standard reauth on Special:OATHManage

https://gerrit.wikimedia.org/r/1180998

gerritbot added a comment.Aug 22 2025, 10:53 PM

Change #1180998 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Use standard reauth on Special:OATHManage

https://gerrit.wikimedia.org/r/1180998

Mstyles closed this task as Resolved.Aug 22 2025, 10:58 PM
Mstyles moved this task from In Progress to Done on the FY2025-26 WE4.6.2 Multiple Authenticators board.
gerritbot added a comment.Aug 25 2025, 9:18 PM

Change #1181783 had a related patch set uploaded (by Reedy; author: Mstyles):

[mediawiki/extensions/OATHAuth@REL1_43] Use standard reauth on Special:OATHManage

https://gerrit.wikimedia.org/r/1181783

gerritbot added a comment.Aug 25 2025, 9:19 PM

Change #1181784 had a related patch set uploaded (by Reedy; author: Mstyles):

[mediawiki/extensions/OATHAuth@REL1_42] Use standard reauth on Special:OATHManage

https://gerrit.wikimedia.org/r/1181784

gerritbot added a comment.Aug 25 2025, 9:19 PM

Change #1181785 had a related patch set uploaded (by Reedy; author: Mstyles):

[mediawiki/extensions/OATHAuth@REL1_39] Use standard reauth on Special:OATHManage

https://gerrit.wikimedia.org/r/1181785

gerritbot added a comment.Aug 25 2025, 9:19 PM

Change #1181784 abandoned by Reedy:

[mediawiki/extensions/OATHAuth@REL1_42] Use standard reauth on Special:OATHManage

Reason:

I keep doing this. It's EOL

https://gerrit.wikimedia.org/r/1181784

gerritbot added a comment.Aug 25 2025, 9:19 PM

Change #1181787 had a related patch set uploaded (by Reedy; author: Mstyles):

[mediawiki/extensions/OATHAuth@REL1_44] Use standard reauth on Special:OATHManage

https://gerrit.wikimedia.org/r/1181787

gerritbot added a comment.Aug 25 2025, 10:22 PM

Change #1180665 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_43] Remove ReauthenticateTime override

https://gerrit.wikimedia.org/r/1180665

gerritbot added a comment.Aug 26 2025, 11:50 AM

Change #1181785 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_39] Use standard reauth on Special:OATHManage

https://gerrit.wikimedia.org/r/1181785

gerritbot added a comment.Aug 26 2025, 11:59 AM

Change #1181787 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_44] Use standard reauth on Special:OATHManage

https://gerrit.wikimedia.org/r/1181787

gerritbot added a comment.Aug 26 2025, 12:06 PM

Change #1181783 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@REL1_43] Use standard reauth on Special:OATHManage

https://gerrit.wikimedia.org/r/1181783

Catrope mentioned this in T362715: Move credentials change to central domain.Aug 26 2025, 7:56 PM
Catrope mentioned this in T402989: Remove extra authentication step when disabling a 2FA method.Aug 26 2025, 10:28 PM
Reedy removed a project: Patch-For-Review.Oct 1 2025, 8:59 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits