Page MenuHomePhabricator
Create Task
Maniphest T55197

OATH should use $wgSecureLogin
Open, LowPublicFeature
Actions

Description

The TOTP RFC recommends all communications (especially those involving the secret key) be over TLS. I recommend using $wgSecureLogin as an indicator of whether communications should be forced over HTTPS.

Version: master
Severity: enhancement

Details

Reference
bz53197
SubjectRepoBranchLines +/-
Make OATHAuth respect $wgSecureLoginmediawiki/extensions/OATHAuthmaster+25 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 2:08 AM
bzimport added a project: MediaWiki-extensions-OATHAuth.
bzimport set Reference to bz53197.
Parent5446 created this task.Aug 22 2013, 3:30 AM
Aklapper removed RyanLane as the assignee of this task.Apr 26 2015, 12:11 PM
Parent5446 claimed this task.May 24 2015, 8:16 AM
gerritbot subscribed.May 26 2015, 12:46 AM

Change 213770 had a related patch set uploaded (by Parent5446):
Make OATHAuth respect $wgSecureLogin

https://gerrit.wikimedia.org/r/213770

Parent5446 moved this task from Backlog to In Progress on the MediaWiki-extensions-OATHAuth board.May 26 2015, 12:46 AM
gerritbot added a project: Patch-For-Review.May 26 2015, 12:46 AM
Reedy renamed this task from OATH should use $wgSecureLogin (or have its own similar variable) to OATH should use $wgSecureLogin.Oct 31 2016, 2:41 PM
Reedy set Security to None.
Reedy mentioned this in T55192: Merge Extension:TwoFactorAuthentication into Extension:OATHAuth.Nov 12 2016, 2:23 AM
Reedy subscribed.Nov 12 2016, 3:10 AM

Does AuthManager actually handle this now?

TheDJ subscribed.EditedNov 23 2016, 9:42 AM

@Reedy, I grepped through our source code, but I see no indication of AuthManager handling this. It should also be noted that the flow to enable and disable 2FA are not (yet) part of AuthManager and I presume would still require this changeset.

Tgr subscribed.Nov 18 2017, 10:10 PM

AuthManager handles $wgSecureLogin on login, so entering the one-time key is secured. The other AuthManager special pages do not respect $wgSecureLogin; they probably should though. Filed T180886: AuthManager special pages should honor $wgSecureLogin.

gerritbot added a comment.Aug 7 2019, 4:22 PM

Change 213770 abandoned by Reedy:
Make OATHAuth respect $wgSecureLogin

https://gerrit.wikimedia.org/r/213770

Maintenance_bot removed a project: Patch-For-Review.Aug 7 2019, 5:10 PM
Aklapper removed Parent5446 as the assignee of this task.May 17 2020, 12:31 PM
Aklapper subscribed.

@Parent5446: I am resetting the assignee of this task because there has not been progress lately (please correct me if I am wrong!). Resetting the assignee avoids the impression that somebody is already working on this task. It also allows others to potentially work towards fixing this task. Please claim this task again when you plan to work on it (via Add Action...Assign / Claim in the dropdown menu) - it would be welcome. Thanks for your understanding!

Aklapper triaged this task as Low priority.Feb 4 2022, 10:51 AM
Aklapper changed the subtype of this task from "Task" to "Feature Request".
Aklapper moved this task from In Progress to Backlog on the MediaWiki-extensions-OATHAuth board.Jul 23 2022, 10:08 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL