Page MenuHomePhabricator
Create Task
Maniphest T406603

Use role=alert for TOTP and recovery code error messages
Open, Needs TriagePublicBUG REPORT
Actions

Description

What is the problem?

On authenticating, the error messages for TOTP and recovery codes don't have role=alert. This is recommended to let screen readers know to notify the user.

We do use role=alert for errors authenticating with WebAuthn.

Steps to reproduce problem
  1. Setup TOTP for an user on https://en.wikipedia.beta.wmcloud.org
  2. Logout and login again
  3. After entering your username and password
  4. Click "Use authenticator app" (if you are not already there)
  5. Turn on screen reader
  6. Enter an invalid TOTP value

Expected behaviour: Screen reader reads the errors message.
Observed behaviour: Screen reader does not.

Environment

Platform: MacOS Sequoia Safari using VoiceOver. Debian 12 Firefox using Orca.
Wiki(s): https://en.wikipedia.beta.wmcloud.org OATHAuth – (c702fa8) 10:45, 7 October 2025. WebAuthn – (1957699) 20:10, 3 October 2025.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add role=alert to TOTP and recovery-code error messagesmediawiki/extensions/OATHAuthmaster+19 -6
Customize query in gerrit

Related Objects

Event Timeline

dom_walden created this task.Oct 7 2025, 2:54 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 7 2025, 2:54 PM
Adarsh2406 subscribed.Oct 10 2025, 7:02 PM
Adarsh2406 added a comment.Oct 11 2025, 9:45 AM

Hey i am claiming this task hope my changes will be helpful !

Bawolff assigned this task to Adarsh2406.Oct 11 2025, 3:09 PM
Adarsh2406 added a comment.Oct 11 2025, 3:20 PM

Hi — Verified +2 is green. Could someone with Code-Review/Submit rights please give Code-Review +2 and submit this change?
Bug: T406603 Thanks!

taavi subscribed.Oct 11 2025, 3:48 PM

There's no patch attached to this task so potential reviewers following this project will not see it. Double check your commit follows https://www.mediawiki.org/wiki/Gerrit/Commit_message_guidelines.

Reedy moved this task from Backlog to User Experience on the MediaWiki-extensions-OATHAuth board.Oct 11 2025, 3:50 PM
Reedy subscribed.Oct 11 2025, 4:08 PM
In T406603#11266451, @Adarsh2406 wrote:

Hi — Verified +2 is green. Could someone with Code-Review/Submit rights please give Code-Review +2 and submit this change?

Also, just because CI gives a V+2, doesn't mean the patch is ready for merging.

Adarsh2406 added a comment.Oct 11 2025, 4:51 PM

@Reedy i know that thats why i ask for review to know my mistakes and all thanks for highlighting my mistakes I'll do the changes according to your comment !

gerritbot added a comment.Oct 11 2025, 5:37 PM

Change #1195361 had a related patch set uploaded (by Adarsh2406; author: Adarsh2406):

[mediawiki/extensions/OATHAuth@master] Add role=alert to TOTP and recovery-code error messages

https://gerrit.wikimedia.org/r/1195361

gerritbot added a project: Patch-For-Review.Oct 11 2025, 5:37 PM
gerritbot added a comment.Oct 11 2025, 5:41 PM

Change #1195361 abandoned by Adarsh2406:

[mediawiki/extensions/OATHAuth@master] Add role=alert to TOTP and recovery-code error messages

https://gerrit.wikimedia.org/r/1195361

Maintenance_bot removed a project: Patch-For-Review.Oct 11 2025, 6:30 PM
gerritbot added a comment.Oct 12 2025, 6:56 AM

Change #1195361 restored by Adarsh2406:

[mediawiki/extensions/OATHAuth@master] Add role=alert to TOTP and recovery-code error messages

https://gerrit.wikimedia.org/r/1195361

gerritbot added a project: Patch-For-Review.Oct 12 2025, 6:56 AM

Change #1195361 abandoned by Adarsh2406:

[mediawiki/extensions/OATHAuth@master] Add role=alert to TOTP and recovery-code error messages

https://gerrit.wikimedia.org/r/1195361

Catrope removed a project: FY2025-26 WE4.6.2 Multiple Authenticators.Oct 22 2025, 4:49 AM
Catrope moved this task from Inbox to UX cleanup on the FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support) board.Oct 22 2025, 5:05 AM
Mstyles subscribed.Dec 4 2025, 11:56 PM

@Adarsh2406 your patch looks pretty good and it addressed a lot of the issues that @Reedy mentioned. I wonder if you would be interested in reopening your patch?

Reedy removed a project: Patch-For-Review.Jan 29 2026, 6:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits