Page MenuHomePhabricator
Create Task
Maniphest T404363

Set OATHSecretKey value within Wikimedia production and migrate older 2fa data within oathauth_devices
Closed, ResolvedPublic
Actions

Description

With the completion of T145915, we should properly enable this functionality within Wikimedia production:

  • Set OATHSecretKey on the beta cluster.
  • Wait for Jenkins to deploy this.
  • Run UpdateSecretsToEncryptedFormat.php to migrate older oathauth_devices data on the beta cluster.
  • Set OATHSecretKey within PrivateSettings.php within Wikimedia production.
  • Run UpdateSecretsToEncryptedFormat.php to migrate older oathauth_devices data within Wikimedia production.

Details

Other Assignee
sbassett

Related Objects
Search...

Event Timeline

sbassett created this task.Sep 11 2025, 2:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 11 2025, 2:32 PM
sbassett updated the task description. (Show Details)Sep 11 2025, 2:32 PM
sbassett added a parent task: T399644: FY2025-26 WE4.6.2 Multiple Authenticators.
sbassett updated the task description. (Show Details)
sbassett renamed this task from Set OATHSecretKey value in production and migrate older 2fa data within oathauth_devices to Set OATHSecretKey value within Wikimedia production and migrate older 2fa data within oathauth_devices.Sep 11 2025, 2:34 PM
Reedy added projects: Wikimedia-Site-requests, Wikimedia-maintenance-script-run.Sep 11 2025, 5:27 PM
Reedy added a subtask: T145915: OATHAuth OTP shouldn't be stored in cleartext in the DB.Sep 11 2025, 5:30 PM
Reedy moved this task from Backlog to External on the MediaWiki-extensions-OATHAuth board.Sep 16 2025, 7:46 PM
Pppery moved this task from Backlog to WMF Prod on the Wikimedia-maintenance-script-run board.Oct 8 2025, 6:33 PM
A_smart_kitten moved this task from Backlog to External on the Wikimedia-Site-requests board.Oct 9 2025, 1:18 PM
Reedy added a subtask: T405235: Create MediaWiki maintenance script to migrate older TOTP devices to modern TOTP + Recovery Codes configuration.Oct 11 2025, 3:47 PM

I'm strongly feeling we should get T405235: Create MediaWiki maintenance script to migrate older TOTP devices to modern TOTP + Recovery Codes configuration done before we do this...

It reduces the edge cases that that script has to deal with, and would be more reflective of an upgrade path we would see with someone upgrading to MW 1.45.

Reedy added a subtask: T407057: Run MoveRecoveryCodesFromTOTP.php.Oct 11 2025, 3:49 PM
Reedy removed a subtask: T405235: Create MediaWiki maintenance script to migrate older TOTP devices to modern TOTP + Recovery Codes configuration.
sbassett added a comment.Oct 14 2025, 6:16 PM
In T404363#11266461, @Reedy wrote:

I'm strongly feeling we should get T405235: Create MediaWiki maintenance script to migrate older TOTP devices to modern TOTP + Recovery Codes configuration done before we do this...

That's fine, I can bump out the config meeting by a couple weeks.

Catrope edited projects, added FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support); removed FY2025-26 WE4.6.2 Multiple Authenticators.Oct 22 2025, 4:56 AM
Catrope moved this task from Inbox to Tech debt cleanup on the FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support) board.Oct 22 2025, 5:05 AM
Catrope moved this task from Tech debt cleanup to Production maintenance on the FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support) board.Oct 22 2025, 5:24 AM
Reedy closed subtask T407057: Run MoveRecoveryCodesFromTOTP.php as Resolved.Oct 22 2025, 10:54 PM
Reedy added subtasks: T408297: Recovery codes aren't consumed when encryption is enabled, T408305: Add/update maintenance script to encrypt existing recovery codes....Oct 25 2025, 6:16 PM
Reedy closed subtask T408305: Add/update maintenance script to encrypt existing recovery codes... as Resolved.Oct 29 2025, 8:36 AM
Reedy closed subtask T408297: Recovery codes aren't consumed when encryption is enabled as Resolved.Oct 31 2025, 8:08 PM
Reedy updated the task description. (Show Details)Nov 13 2025, 10:56 AM
Reedy updated the task description. (Show Details)Wed, Mar 18, 5:45 PM
Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptWed, Mar 18, 5:45 PM
Reedy claimed this task.Wed, Mar 18, 5:46 PM
Reedy updated the task description. (Show Details)Wed, Mar 18, 6:02 PM
Reedy added a project: Security.
Reedy updated the task description. (Show Details)Wed, Mar 18, 7:21 PM
Stashbot added a comment.Wed, Mar 18, 7:49 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-18T19:49:46Z] <reedy@deploy2002> Synchronized private/PrivateSettings.php: Set $wgOATHSecretKey T404363 (duration: 05m 51s)

Stashbot added a comment.Wed, Mar 18, 7:50 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-18T19:50:10Z] <Reedy> running mwscript extensions/OATHAuth/maintenance/UpdateSecretsToEncryptedFormat.php --wiki=metawiki T404363

Stashbot added a comment.Wed, Mar 18, 7:51 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-18T19:51:30Z] <Reedy> running foreachwikiindblist private.dblist extensions/OATHAuth/maintenance/UpdateSecretsToEncryptedFormat.php T404363

Stashbot added a comment.Wed, Mar 18, 7:51 PM

Mentioned in SAL (#wikimedia-operations) [2026-03-18T19:51:43Z] <Reedy> running foreachwikiindblist fishbowl.dblist extensions/OATHAuth/maintenance/UpdateSecretsToEncryptedFormat.php T404363

Reedy updated the task description. (Show Details)Wed, Mar 18, 7:52 PM
Reedy closed this task as Resolved.Wed, Mar 18, 7:56 PM
Reedy mentioned this in T420522: Hovering over long truncated strings may result in some vertical movement.Wed, Mar 18, 8:03 PM
sbassett awarded a token.Thu, Mar 19, 4:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits