Page MenuHomePhabricator
Create Task
Maniphest T403819

[Android] Add support for selectable TOTP module when logging in with MFA.
Closed, ResolvedPublic
Actions

Description

As part of WE4.6.2, functionality is being added to allow users to enable multiple authentication factors, which includes WebAuthn and TOTP. When we log in through the API, and the user has multiple authenticators enabled, the login response will become slightly different, and will allow us to "select" the factor to be used. (Since we don't yet support WebAuthn, we will need to explicitly select TOTP.)

The logic for working with the new selection logic is laid out in this task.

(At the moment, there is some fallback compatibility logic that makes the API work as before with existing clients, but this will be removed once these tasks are complete and rolled out.)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
[WIP] Remove backward compatibility for Apps' login flow.mediawiki/extensions/OATHAuthmaster+2 -10
Customize query in gerrit

Related Objects
Search...

Event Timeline

Dbrant created this task.Sep 5 2025, 1:10 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 5 2025, 1:11 PM
GitHubPRBot added a comment.Sep 5 2025, 1:22 PM

dbrant opened https://github.com/wikimedia/apps-android-wikipedia/pull/5906

Dbrant added a project: FY2025-26 WE4.6.2 Multiple Authenticators.Sep 5 2025, 4:00 PM
Dbrant moved this task from Backlog to Consider for future work on the FY2025-26 WE4.6.2 Multiple Authenticators board.
Reedy added a parent task: T399654: Ensure Mobile Apps are supported with 2FA changes.Sep 5 2025, 4:24 PM
GitHubPRBot added a comment.Sep 5 2025, 8:53 PM

cooltey closed https://github.com/wikimedia/apps-android-wikipedia/pull/5906

Dbrant claimed this task.Sep 8 2025, 2:16 PM
Dbrant triaged this task as Medium priority.
Dbrant moved this task from Needs Triage to Android Release - FY2025-26 on the Wikipedia-Android-App-Backlog board.
Dbrant edited projects, added Wikipedia-Android-App-Backlog (Android Release - FY2025-26); removed Wikipedia-Android-App-Backlog.
Dbrant moved this task from Incoming tasks from backlog to Merged and Waiting on the Wikipedia-Android-App-Backlog (Android Release - FY2025-26) board.
cooltey moved this task from Merged and Waiting to QA signoff on the Wikipedia-Android-App-Backlog (Android Release - FY2025-26) board.Sep 22 2025, 8:30 PM
ABorbaWMF moved this task from QA signoff to Ready for PM signoff on the Wikipedia-Android-App-Backlog (Android Release - FY2025-26) board.Sep 25 2025, 7:19 PM
ABorbaWMF subscribed.

Fixed on 2.7.50550-r-2025-09-22

Tested on Pixel 6 on Android 15 and OnePlus 8 on Android 13. Tested with 2FA and without.

gerritbot added a comment.Sep 26 2025, 5:58 PM

Change #1191740 had a related patch set uploaded (by Dbrant; author: Dbrant):

[mediawiki/extensions/OATHAuth@master] [WIP] Remove backward compatibility for Apps' login flow.

https://gerrit.wikimedia.org/r/1191740

gerritbot added a project: Patch-For-Review.Sep 26 2025, 5:58 PM
PatchDemoBot added a comment.Sep 26 2025, 6:11 PM

Test wiki created on Patch demo by Dmitry Brant using patch(es) linked to this task:
https://d22139cba6.catalyst.wmcloud.org/w/

HNordeenWMF subscribed.Sep 29 2025, 5:33 PM

hi @Dbrant - the patch was uploaded after @ABorbaWMF tested. Do we need to re-test?

Dbrant moved this task from Ready for PM signoff to Blocked/Waiting on the Wikipedia-Android-App-Backlog (Android Release - FY2025-26) board.Sep 29 2025, 8:02 PM
Dbrant added a comment.Sep 29 2025, 8:13 PM
In T403819#11225961, @HNordeenWMF wrote:

hi @Dbrant - the patch was uploaded after @ABorbaWMF tested. Do we need to re-test?

Whoops, I repurposed this task for completing our side of supporting MFA. The previous test by Anthony was merely to test if logins are working correctly since they made a server-side hack to exclude apps from MFA. The next step will be to remove the exclusion, and test again if everything works. (this is currently pending iOS finishing their integration.)

Catrope moved this task from Consider for future work to In Progress on the FY2025-26 WE4.6.2 Multiple Authenticators board.Oct 2 2025, 4:16 AM
sbassett subscribed.Oct 3 2025, 10:25 PM

Just FYI, the work from FY2025-26 WE4.6.2 Multiple Authenticators should now be available on the beta cluster to test as well.

Dbrant closed this task as Resolved.Nov 14 2025, 8:52 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits