Page MenuHomePhabricator
Create Task
Maniphest T406501

OATHAuth Recovery Code code improvement suggestions
Open, Needs TriagePublic
Actions

Description

From the work in T232336: Separate recovery codes into a separate 2FA module and after the merge of https://gerrit.wikimedia.org/r/1182964, @Tgr made some suggestions for follow-up code improvements:

  • src/HTMLForm/KeySessionStorageTrait.php, line 27 : use set()/getSecret() instead of set/getSessionData()
  • src/Key/EncryptionHelper.php, line 105 : Instead of reusing the nonce, use random_nonce, random_nonce + 1, ... for the keys (that assumes key order is preserved, so e.g. no PHP -> JSON -> JS -> JSON -> PHP roundtrip) as the nonce doesn't have to be particularly random, just not reused. Or, preferably, just concatenate all recovery codes and encrypt as a single message.
  • src/Key/RecoveryCodeKeys.php, line 166 : use RequestContext::getMain()->getRequest()->getSecurityLogContext( $user->getUser() ) instead of manual IP logging.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
OATHAuth Recovery Code code improvementmediawiki/extensions/OATHAuthmaster+34 -18
OATHAuth Recovery Code code improvementmediawiki/extensions/OATHAuthwmf/1.45.0-wmf.22+34 -19
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT406501 OATHAuth Recovery Code code improvement suggestions
 ResolvedBUG REPORTReedyT407167 Only One Recovery codes given
 ResolvedBUG REPORTReedyT408294 Regeneration of Recovery Codes doesn't work properly

Event Timeline

sbassett created this task.Oct 6 2025, 3:37 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 6 2025, 3:37 PM
sbassett renamed this task from Recovery Code follow-up suggestions to OATHAuth Recovery Code code improvement suggestions.Oct 6 2025, 3:38 PM
gerritbot added a comment.Oct 6 2025, 4:39 PM

Change #1193902 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/extensions/OATHAuth@master] OATHAuth Recovery Code code improvement

https://gerrit.wikimedia.org/r/1193902

gerritbot added a project: Patch-For-Review.Oct 6 2025, 4:39 PM
gerritbot added a comment.Oct 7 2025, 10:30 AM

Change #1193902 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] OATHAuth Recovery Code code improvement

https://gerrit.wikimedia.org/r/1193902

Maintenance_bot removed a project: Patch-For-Review.Oct 7 2025, 10:30 AM
ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.23; 2025-10-14).Oct 7 2025, 11:00 AM
Reedy moved this task from Backlog to Features/Improvements on the MediaWiki-extensions-OATHAuth board.Oct 7 2025, 11:04 AM
sbassett updated the task description. (Show Details)Oct 7 2025, 1:22 PM
gerritbot added a comment.Oct 9 2025, 2:39 PM

Change #1194962 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/extensions/OATHAuth@wmf/1.45.0-wmf.22] OATHAuth Recovery Code code improvement

https://gerrit.wikimedia.org/r/1194962

gerritbot added a project: Patch-For-Review.Oct 9 2025, 2:39 PM
gerritbot added a comment.Oct 9 2025, 8:11 PM

Change #1194962 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@wmf/1.45.0-wmf.22] OATHAuth Recovery Code code improvement

https://gerrit.wikimedia.org/r/1194962

Stashbot added a comment.Oct 9 2025, 8:18 PM

Mentioned in SAL (#wikimedia-operations) [2025-10-09T20:18:30Z] <reedy@deploy2002> Started scap sync-world: Backport for [[gerrit:1194962|OATHAuth Recovery Code code improvement (T406501)]]

Stashbot added a comment.Oct 9 2025, 8:23 PM

Mentioned in SAL (#wikimedia-operations) [2025-10-09T20:22:59Z] <reedy@deploy2002> sbassett, reedy: Backport for [[gerrit:1194962|OATHAuth Recovery Code code improvement (T406501)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Oct 9 2025, 8:28 PM

Mentioned in SAL (#wikimedia-operations) [2025-10-09T20:28:49Z] <reedy@deploy2002> Finished scap sync-world: Backport for [[gerrit:1194962|OATHAuth Recovery Code code improvement (T406501)]] (duration: 10m 19s)

Maintenance_bot removed a project: Patch-For-Review.Oct 9 2025, 8:30 PM
ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.22; 2025-10-07); removed MW-1.45-notes (1.45.0-wmf.23; 2025-10-14).Oct 9 2025, 9:00 PM
T4NeGMp7P4en added a subtask: T407167: Only One Recovery codes given.Oct 17 2025, 2:52 PM
Catrope moved this task from Inbox to Tech debt cleanup on the FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support) board.Oct 22 2025, 5:05 AM
T4NeGMp7P4en closed subtask T407167: Only One Recovery codes given as Resolved.Oct 22 2025, 1:59 PM
Aklapper reopened subtask T407167: Only One Recovery codes given as Open.Oct 22 2025, 3:33 PM
matmarex closed subtask T407167: Only One Recovery codes given as Resolved.Oct 23 2025, 10:32 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits