Having local wikis store password hashes and tokens of accounts that authenticate against CentralAuth is an unnecessary liability, if that wiki has their user table made public.
Obviously, if the account is detached, we need the local hash rewritten.
The hash is include under two circumstances:
- When a user attaches an account to CentralAuth, the local wiki's password hash remains.
- If a user logs into a wiki where they don't have an account (global or local), using their CentralAuth credentials, the password hash is stored in the local wiki's database.
We should be able to remove the local hash on login, and could probably provide a maintenance script too, although preventing a possible race condition with the account being detached is problematic.
Version: master
Severity: normal