Page MenuHomePhabricator
Create Task
Maniphest T419621

Move site JS reauth code out into WikimediaCustomizations
Closed, ResolvedPublic
Actions

Assigned To
Mstyles
Authored By
sbassett
Mar 10 2026, 10:20 PM
Tags
Referenced Files
F76166444: image.png
Thu, Apr 16, 5:42 AM
Subscribers
A_smart_kitten
Aklapper
Catrope
EMill-WMF
Izno
jhsoby
Johannnes89
View All 13 Subscribers

Description

The code to force reauth for editing site JS currently lives in PrivateSettings.php. We should move it to WikimediaCustomizations for now. Eventually we'll want to build this as a real feature in MW core (T197160), but for now we should just move the hook-based code from a private place to a public place.

Details

Risk Rating
High
Author Affiliation
WMF Product
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
ForceReauth: Improve permission errormediawiki/extensions/WikimediaCustomizationsmaster+16 -4
Force Reauthmediawiki/extensions/WikimediaCustomizationsmaster+87 -1
Force Reauthmediawiki/extensions/WikimediaCustomizationswmf/1.46.0-wmf.24+87 -1
Customize query in gerrit

Related Objects

Event Timeline

sbassett created this task.Mar 10 2026, 10:20 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 10 2026, 10:20 PM
sbassett renamed this task from Clean up user/site javascript reauth code, make it a real feature, move it out of PrivateSettings.php to Clean up user/site javascript reauth code.Mar 10 2026, 10:21 PM
sbassett triaged this task as High priority.
sbassett added projects: Product Safety and Integrity, 2026-user-javascript-incident.
sbassett updated the task description. (Show Details)
sbassett changed Risk Rating from N/A to High.
sbassett added subscribers: Catrope, Tgr.
Tgr added a comment.Mar 11 2026, 8:00 PM

T418507: Move wmfGetPrivilegedGroups(), $wmgPrivilegedGroups, $wmgPrivilegedGlobalGroups, GetSecurityLogContext and PasswordPoliciesForUser hook handlers to WikimediaCustomizations would create a PrivilegedGroups component in WikimediaCustomizations, that might be a good (temporary) place for the code.

Tgr added a comment.Mar 11 2026, 9:17 PM

One thing that could be improved: currently the script checks Title::isSiteJsConfigPage() but not $wgRawHtmlMessages (compare with PermissionManager::checkSiteConfigPermissions()).

(See also {T419768} and {T419769} for improving that from the other end.)

Restricted Application added a subscriber: jhsoby. · View Herald TranscriptMar 11 2026, 9:17 PM
Novem_Linguae subscribed.Mar 15 2026, 6:26 AM
sbassett moved this task from Incoming to Back Orders on the Security-Team board.Mar 16 2026, 6:15 PM
sbassett added a project: SecTeam-Processed.
Reedy added a project: MediaWiki-Core-AuthManager.Mar 18 2026, 4:49 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptMar 18 2026, 4:49 PM
Catrope moved this task from Backlog to Q4 on the 2026-user-javascript-incident board.Mar 18 2026, 4:50 PM
Catrope added a subscriber: EMill-WMF.Mar 18 2026, 9:49 PM

Idea from @EMill-WMF: add the ability to require WebAuthn-only reauth (no TOTP or recovery codes) for certain rights+groups. For example, staff users should not be able to use TOTP/recovery codes to reauth for sensitive actions (but they should still be able to reauth for 2FA CRUD that way).

matmarex subscribed.Mar 18 2026, 11:03 PM
MLechvien-WMF added a project: Sustainability (Incident Followup).Mar 19 2026, 11:42 AM
matmarex added a subscriber: JTweed-WMF.Mar 23 2026, 3:58 PM
JTweed-WMF edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.Mar 23 2026, 3:59 PM
Catrope renamed this task from Clean up user/site javascript reauth code to Move site JS reauth code out into WikimediaCustomizations.Mar 26 2026, 3:37 AM
Catrope assigned this task to Mstyles.
Catrope added a project: WikimediaCustomizations.
Catrope updated the task description. (Show Details)
Catrope changed the visibility from "Custom Policy" to "Public (No Login Required)".
Catrope changed the edit policy from "Custom Policy" to "All Users".
Catrope changed the subtype of this task from "Security Issue" to "Task".
Catrope edited projects, added Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))); removed Product Safety and Integrity.
stjn subscribed.Mar 26 2026, 12:43 PM

Since same question in T197160 might be ignored, what's the timeline for making re-auth less painful to deal with? It's been 2 weeks since your self-inflicted petard hoisting incident. This actively prevents people from making well-intentioned edits.

A_smart_kitten subscribed.Mar 26 2026, 1:05 PM
Aklapper added a comment.Mar 26 2026, 1:07 PM

@stjn: How is moving code (the scope of this task) related to your question which comes across as passive-aggressive to me?

gerritbot added a comment.Apr 1 2026, 5:45 PM

Change #1266329 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/WikimediaCustomizations@master] Force Reauth

https://gerrit.wikimedia.org/r/1266329

gerritbot added a project: Patch-For-Review.Apr 1 2026, 5:45 PM
matmarex mentioned this in T197137: Editing sitewide JS/CSS pages should require elevated security.Tue, Apr 14, 8:02 PM
Mstyles added a comment.Tue, Apr 14, 8:08 PM

Deployment plan (from @sbassett)

  1. Patch gets reviewed and +2
  2. Merge your patch to master (wouldn't be cut until next week)
  3. Pick the patch to .24 by one of this Thursday's backport windows
  4. Schedule this deployment
  5. Make the change to PS.php just before the deployment
  6. We run a sync-world to deploy your patch and the PS.php change
Johannnes89 subscribed.Tue, Apr 14, 8:33 PM
Izno subscribed.Tue, Apr 14, 10:13 PM
gerritbot added a comment.Wed, Apr 15, 8:01 PM

Change #1271886 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/WikimediaCustomizations@wmf/1.46.0-wmf.24] Force Reauth

https://gerrit.wikimedia.org/r/1271886

gerritbot added a comment.Wed, Apr 15, 8:05 PM

Change #1271886 merged by jenkins-bot:

[mediawiki/extensions/WikimediaCustomizations@wmf/1.46.0-wmf.24] Force Reauth

https://gerrit.wikimedia.org/r/1271886

gerritbot added a comment.Wed, Apr 15, 8:21 PM

Change #1266329 merged by jenkins-bot:

[mediawiki/extensions/WikimediaCustomizations@master] Force Reauth

https://gerrit.wikimedia.org/r/1266329

Stashbot mentioned this in T420007: Measurement plan: Email confirmation banner instrumentation.Wed, Apr 15, 8:23 PM

Mentioned in SAL (#wikimedia-operations) [2026-04-15T20:23:10Z] <mstyles@deploy1003> Started scap sync-world: Backport for [[gerrit:1271886|Force Reauth (T419621)]], [[gerrit:1271830|Rename Test Kitchen Experiment (T420007)]], [[gerrit:1271831|Rename Test Kitchen Experiment (T420007)]], [[gerrit:1271833|Rename Test Kitchen Experiment (T420007)]], [[gerrit:1271832|Rename Test Kitchen Experiment (T420007)]]

Stashbot added a comment.Wed, Apr 15, 8:25 PM

Mentioned in SAL (#wikimedia-operations) [2026-04-15T20:25:04Z] <mstyles@deploy1003> mstyles: Backport for [[gerrit:1271886|Force Reauth (T419621)]], [[gerrit:1271830|Rename Test Kitchen Experiment (T420007)]], [[gerrit:1271831|Rename Test Kitchen Experiment (T420007)]], [[gerrit:1271833|Rename Test Kitchen Experiment (T420007)]], [[gerrit:1271832|Rename Test Kitchen Experiment (T420007)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now

Maintenance_bot removed a project: Patch-For-Review.Wed, Apr 15, 8:30 PM
Stashbot added a comment.Wed, Apr 15, 8:31 PM

Mentioned in SAL (#wikimedia-operations) [2026-04-15T20:30:58Z] <mstyles@deploy1003> Finished scap sync-world: Backport for [[gerrit:1271886|Force Reauth (T419621)]], [[gerrit:1271830|Rename Test Kitchen Experiment (T420007)]], [[gerrit:1271831|Rename Test Kitchen Experiment (T420007)]], [[gerrit:1271833|Rename Test Kitchen Experiment (T420007)]], [[gerrit:1271832|Rename Test Kitchen Experiment (T420007)]] (duration: 07m 48s)

stjn unsubscribed.Wed, Apr 15, 8:32 PM
ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.24; 2026-04-14).Wed, Apr 15, 9:00 PM
Novem_Linguae added a comment.Wed, Apr 15, 9:19 PM

Quick question on the re-auth code. What happens when you try to make a sensitive API query but haven't re-authed recently? Does the API query silently fail? Is it unaffected by reauth?

sbassett added a comment.Wed, Apr 15, 9:27 PM
In T419621#11827320, @Novem_Linguae wrote:

What happens when you try to make a sensitive API query but haven't re-authed recently? Does the API query silently fail? Is it unaffected by reauth?

My reading of the current mitigation is that it's just for editsitejs operations on actual MW pages with titles, see: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikimediaCustomizations/+/1271886/1/src/ForceReauth/ForceReauthHookHandler.php. Eventually, we do plan to support more varieties of sensitive operations and likely sensitive API requests.

SomeRandomDeveloper subscribed.Wed, Apr 15, 9:29 PM
matmarex added a comment.Thu, Apr 16, 12:03 AM

@Novem_Linguae Assuming that you mean an API query that would edit a page that normally triggers reauthentication:

  • If the authentication type used for the API query has the ability to reauth (e.g. cookies in a browser), then it will fail with the same error message as in T423193, until you reauthenticate while using the same auth session. If this is a gadget etc. running in your browser, you can reauth in another browser tab, and it'll succeed on the next try.
  • If the authentication type used for the API query does not have the ability to reauth (e.g. OAuth, bot passwords), then it will always succeed. This is fine since those auth types can't be used from a browser that could be running malicious code.
matmarex mentioned this in T423537: Site JS reauth hack can be bypassed using 'centralauthtoken'.Thu, Apr 16, 12:05 AM
Novem_Linguae added a comment.Thu, Apr 16, 5:42 AM

This is already being enforced in the API? Ah I see. Confirmed with testing. Thanks for the clarification.

image.png (982×2 px, 195 KB)

Mstyles added a comment.Thu, Apr 16, 8:31 PM

Hooks have been removed from PrivateSettings.php - https://sal.toolforge.org/log/VHnwl50B1kByGTxA1dA8

Mstyles closed this task as Resolved.Thu, Apr 16, 8:32 PM
Mstyles moved this task from Back Orders to Our Part Is Done on the Security-Team board.
Tgr added a comment.Sat, May 2, 2:10 PM
In T419621#11827741, @matmarex wrote:

If this is a gadget etc. running in your browser, you can reauth in another browser tab, and it'll succeed on the next try.

Once T208667: Tie reauthentication (login with elevated security) to a specific security level gets done, you'll need a hard-to-guess link to start reauthentication. We should probably include that in the error message (or say something like "visit the edit form from your browser to start the reauthentication process").

Also would be nice to return the security level in a machine-readable way in the error message.

gerritbot added a comment.Sat, May 2, 4:26 PM

Change #1281818 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/WikimediaCustomizations@master] ForceReauth: Improve permission error

https://gerrit.wikimedia.org/r/1281818

gerritbot added a project: Patch-For-Review.Sat, May 2, 4:26 PM
gerritbot added a comment.Tue, May 5, 6:56 PM

Change #1281818 merged by jenkins-bot:

[mediawiki/extensions/WikimediaCustomizations@master] ForceReauth: Improve permission error

https://gerrit.wikimedia.org/r/1281818

ReleaseTaggerBot added a project: MW-1.47-notes (1.47.0-wmf.2; 2026-05-12).Tue, May 5, 7:00 PM
Maintenance_bot removed a project: Patch-For-Review.Tue, May 5, 7:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits