Page MenuHomePhabricator
Create Task
Maniphest T408025

Make RecoveryCodeCountPresentationModel useful again
Closed, ResolvedPublic
Actions

Description

RecoveryCodeCountPresentationModel was tied to recovery codes inside TOTP... Do we want to keep it, and make it used in the future?

Noticed it kinda becomes orphaned while doing T404806: Remove $wgOATHAllowMultipleModules and $wgOATHAuthNewUI and stripping the recovery codes out of TOTP.

Also, per @Catrope on slack...

"notification-body-oathauth-recoverycodesleft": "{{GENDER:$2|You}} have $3 recovery {{PLURAL:$3|code|codes}} left. You may want to consider disabling and re-enabling two-factor authentication to generate $4 new recovery {{PLURAL:$4|code|codes}} to use in future.",

It does need updating to reflect the state of recovery codes regeneration. That message update part is easy enough.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Wire RecoveryCodeCountPresentationModel back into usagemediawiki/extensions/OATHAuthmaster+14 -1
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
Restricted Task
 ResolvedReedyT408025 Make RecoveryCodeCountPresentationModel useful again

Event Timeline

Reedy created this task.Oct 22 2025, 9:02 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 22 2025, 9:02 PM
Reedy updated the task description. (Show Details)Oct 22 2025, 9:19 PM
Reedy added a subscriber: Catrope.
Reedy moved this task from Backlog to Features/Improvements on the MediaWiki-extensions-OATHAuth board.Oct 25 2025, 2:39 PM
Catrope added a subscriber: EMill-WMF.Nov 12 2025, 11:34 PM

Some more context: the old 2FA code sent a notification when a user had 2 or fewer recovery codes remaining, encouraging them to regenerate their recovery codes. (But there was no way to do that directly, so the text of the notification instead encouraged them to disable then re-enable 2FA.) In the refactor to make recovery codes a separate method, this behavior was lost (the code still exists, but it's never used). At first we thought this would be unnecessary, because each user only had 1 recovery code and we were planning to show them their new code after they logged in with their old code (T406281), but now that we've changed the number of recovery codes back to 10 this is a bit murkier.

@EMill-WMF We'll need to decide whether we should:

  • Revive this notification, with updated language that correctly reflects how to regenerate your recovery codes; or
  • Implement some version of T406281 where we draw the user's attention to their low number of recovery codes during the login process

(or maybe both?)

Catrope mentioned this in T406281: Display new recovery code after user logs in with recovery code.Nov 12 2025, 11:36 PM
EMill-WMF added a comment.Nov 22 2025, 3:22 AM

I do think both is the correct answer - I posted in https://phabricator.wikimedia.org/T406281 with some thoughts there.

Reedy moved this task from Inbox to Tech debt cleanup on the FY2025-26 WE 4.6 - Account Security (WE 4.6.4 - 2FA improvements and passkey support) board.Feb 9 2026, 4:19 PM
gerritbot added a comment.Apr 20 2026, 8:59 PM

Change #1275528 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] Wire RecoveryCodeCountPresentationModel back into usage

https://gerrit.wikimedia.org/r/1275528

Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptApr 20 2026, 8:59 PM
gerritbot added a project: Patch-For-Review.Apr 20 2026, 8:59 PM
gerritbot added a comment.Apr 27 2026, 11:42 PM

Change #1275528 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Wire RecoveryCodeCountPresentationModel back into usage

https://gerrit.wikimedia.org/r/1275528

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.26; 2026-04-28).Apr 28 2026, 12:01 AM
Reedy closed this task as Resolved.Apr 28 2026, 12:24 AM
Reedy claimed this task.
Maintenance_bot removed a project: Patch-For-Review.Apr 28 2026, 12:30 AM
Reedy added a parent task: Restricted Task.Apr 29 2026, 12:25 PM
Reedy mentioned this in T424840: Send notifications on recovery code usage.Apr 29 2026, 12:29 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits