
OATH should use $wgSecureLogin
Open, Low, Public, Feature


The TOTP RFC recommends all communications (especially those involving the secret key) be over TLS. I recommend using $wgSecureLogin as an indicator of whether communications should be forced over HTTPS.

Version: master
Severity: enhancement

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 2:08 AM
bzimport set Reference to bz53197.

Change 213770 had a related patch set uploaded (by Parent5446):
Make OATHAuth respect $wgSecureLogin

Reedy renamed this task from OATH should use $wgSecureLogin (or have its own similar variable) to OATH should use $wgSecureLogin. Oct 31 2016, 2:41 PM
Reedy set Security to None.

Does AuthManager actually handle this now?

@Reedy, I grepped through our source code, but I see no indication of AuthManager handling this. It should also be noted that the flows to enable and disable 2FA are not (yet) part of AuthManager and I presume would still require this changeset.

AuthManager handles $wgSecureLogin on login, so entering the one-time key is secured. The other AuthManager special pages do not respect $wgSecureLogin; they probably should though. Filed T180886: AuthManager special pages should honor $wgSecureLogin.
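The check the task description asks for, and that the comment above says login already gets but the other special pages do not, shown as an added illustration rather than code from OATHAuth, AuthManager or the abandoned change 213770. It assumes core MediaWiki's `SpecialPage`, `WebRequest::getProtocol()`, `Title::getFullURL()` and the `SecureLogin` config key; the class name and the enrol/disable form are hypothetical.

```php
<?php
// Added example (not OATHAuth code): a MediaWiki special page that refuses to
// show or accept a TOTP secret over plain HTTP when $wgSecureLogin is enabled.
// SpecialPage, WebRequest, Title and OutputPage are core MediaWiki APIs;
// the class name below is hypothetical.

class SpecialOATHManageExample extends SpecialPage {
	public function __construct() {
		parent::__construct( 'OATHManageExample' );
	}

	/**
	 * True when this request must be bounced to HTTPS before any page that
	 * carries the TOTP secret (enrolment QR/key, disable token) is rendered.
	 */
	public function requiresSecureRedirect(): bool {
		// $wgSecureLogin is the site-wide switch the task asks OATH to respect;
		// when it is off the wiki has chosen to allow HTTP and we do nothing.
		if ( !$this->getConfig()->get( 'SecureLogin' ) ) {
			return false;
		}
		// getProtocol() honours X-Forwarded-Proto from a TLS-terminating proxy,
		// so a request that already arrived over TLS is left alone.
		return $this->getRequest()->getProtocol() !== 'https';
	}

	public function execute( $subPage ) {
		$this->setHeaders();

		if ( $this->requiresSecureRedirect() ) {
			// Rebuild the same page (sub-page and query string included) on
			// the HTTPS scheme and redirect before anything sensitive is emitted.
			$query = $this->getRequest()->getQueryValues();
			unset( $query['title'] ); // title is re-derived from the page itself
			$target = $this->getPageTitle( $subPage )
				->getFullURL( $query, false, PROTO_HTTPS );
			$this->getOutput()->redirect( $target );
			return;
		}

		// Only here, on a TLS connection, would the enrol/disable form that
		// displays or consumes the shared secret be rendered (omitted).
	}
}
```

Note that a redirect protects the secret only if the form is never rendered on the HTTP branch; a POST that arrives over HTTP is redirected rather than processed, so the token it carried is not acted on.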

Change 213770 abandoned by Reedy:
Make OATHAuth respect $wgSecureLogin

Aklapper subscribed.

@Parent5446: I am resetting the assignee of this task because there has not been progress lately (please correct me if I am wrong!). Resetting the assignee avoids the impression that somebody is already working on this task. It also allows others to potentially work towards fixing this task. Please claim this task again when you plan to work on it (via Add Action...Assign / Claim in the dropdown menu) - it would be welcome. Thanks for your understanding!

Aklapper triaged this task as Low priority. Feb 4 2022, 10:51 AM
Aklapper changed the subtype of this task from "Task" to "Feature Request".