The TOTP RFC recommends all communications (especially those involving the secret key) be over TLS. I recommend using $wgSecureLogin as an indicator of whether communications should be forced over HTTPS.
Version: master
Severity: enhancement
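For illustration, here is how a MediaWiki special page that handles a TOTP secret can honour $wgSecureLogin: when the setting is on and the request came in over plain HTTP, the page redirects to its own HTTPS URL instead of rendering or accepting anything. This is an added example written for this page, not OATHAuth's or MediaWiki's own code; the class name SpecialOATHExample, the page name OATHExample and the message key oathexample-https-required are hypothetical. The MediaWiki calls used (SpecialPage::getConfig(), WebRequest::getProtocol(), WebRequest::wasPosted(), Title::getFullURL() with PROTO_HTTPS, OutputPage::redirect(), Html::errorBox()) exist in current core; Html::errorBox() is assumed to be available (MediaWiki 1.31+).

```php
<?php
// Added example, not OATHAuth's own code. Demonstrates forcing a special
// page onto HTTPS when $wgSecureLogin is set, so a TOTP secret is never
// displayed or submitted over plain HTTP. Class/page/message names are hypothetical.

class SpecialOATHExample extends SpecialPage {
	public function __construct() {
		parent::__construct( 'OATHExample' );
	}

	/**
	 * @param string|null $par Subpage parameter, if any
	 */
	public function execute( $par ) {
		$this->setHeaders();
		$request = $this->getRequest();
		$out = $this->getOutput();

		// $wgSecureLogin, read through the config object rather than a bare global.
		$secureLogin = $this->getConfig()->get( 'SecureLogin' );

		if ( $secureLogin && $request->getProtocol() !== 'https' ) {
			if ( $request->wasPosted() ) {
				// A POST body (e.g. a secret or one-time code) has already
				// crossed the wire in cleartext. A redirect cannot undo that,
				// so refuse to act on the submitted data at all.
				$out->addHTML( Html::errorBox(
					$this->msg( 'oathexample-https-required' )->escaped() // hypothetical message key
				) );
				return;
			}

			// GET over HTTP: send the browser to the same page over HTTPS,
			// preserving the query string (minus the routing 'title' parameter).
			$query = $request->getQueryValues();
			unset( $query['title'] );
			$url = $this->getPageTitle( $par )->getFullURL( $query, false, PROTO_HTTPS );
			$out->redirect( $url, '301' );
			return;
		}

		// Only reached over HTTPS (or when $wgSecureLogin is off): render the
		// enable/disable form and handle its submission here.
		$out->addWikiMsg( 'oathexample-intro' ); // hypothetical message key
	}
}
```

The distinction between GET and POST matters: redirecting a GET is harmless, but redirecting a POST that already carried the secret merely hides the fact that the secret was exposed. The check should sit in the same code path for both the enable and the disable flow, since both handle key material, and $wgSecureLogin being off leaves the page's behaviour unchanged.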
Subject | Repo | Branch | Lines +/-
---|---|---|---
Make OATHAuth respect $wgSecureLogin | mediawiki/extensions/OATHAuth | master | +25 -1
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Parent5446 | T55192 Merge Extension:TwoFactorAuthentication into Extension:OATHAuth
Open | Feature | None | T55197 OATH should use $wgSecureLogin
Change 213770 had a related patch set uploaded (by Parent5446):
Make OATHAuth respect $wgSecureLogin
@Reedy, I grepped through our source code, but I see no indication of AuthManager handling this. It should also be noted that the flows to enable and disable 2FA are not (yet) part of AuthManager and I presume would still require this changeset.
AuthManager handles $wgSecureLogin on login, so entering the one-time key is secured. The other AuthManager special pages do not respect $wgSecureLogin; they probably should though. Filed T180886: AuthManager special pages should honor $wgSecureLogin.
@Parent5446: I am resetting the assignee of this task because there has not been progress lately (please correct me if I am wrong!). Resetting the assignee avoids the impression that somebody is already working on this task. It also allows others to potentially work towards fixing this task. Please claim this task again when you plan to work on it (via Add Action... → Assign / Claim in the dropdown menu) - it would be welcome. Thanks for your understanding!