
Reenable $wgMWOAuthSecureTokenTransfer=true; on the beta cluster
Closed, Resolved · Public


Once SSL is working in beta, we should reset all of the consumer secrets and require secure token transfer. The spec requires it, and it's good for security.

Version: unspecified
Severity: enhancement


Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 3:18 AM
bzimport set Reference to bz65421.
bzimport added a subscriber: Unknown Object (MLST).
csteipp created this task.May 16 2014, 10:03 PM

Blocked by Bug 68387 - beta labs no longer listens for HTTPS

Legoktm renamed this task from Reenable $wgMWOAuthSecureTokenTransfer=true; to Reenable $wgMWOAuthSecureTokenTransfer=true; on the beta cluster.Apr 19 2015, 12:18 AM
Legoktm set Security to None.
hashar changed the task status from Open to Stalled.Oct 6 2015, 1:28 PM
Restricted Application added a subscriber: Luke081515.Oct 6 2015, 1:28 PM

@csteipp, @Tgr: How do you reset all consumer secrets? Once we find that out we can unstall this and do it.

Tgr added a comment.Aug 2 2016, 9:02 PM

Set oarc_secret_key to MWCryptRand::generateHex( 32 ), send notification to the user that they should go to <consumer key>, check the reset option and update so they can get a new secret key (no one seems to be using the RSA option).

Is it really worth the hassle for beta, though?

Let's enable secure token transfer, then if someone decides we really need to do that in beta, it can be done afterwards?
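As an added illustration of the reset procedure Tgr sketches above (example code written for this page, not code from the task, the Gerrit change or the OAuth extension), here is a MediaWiki maintenance-style script that rotates every stored consumer secret and collects which owners need a notification. It assumes the consumers live in an `oauth_registered_consumer` table with `oarc_id`, `oarc_consumer_key`, `oarc_user_id` and `oarc_secret_key` columns (only `oarc_secret_key` is named on the task), that `wfGetDB()` and `MWCryptRand` are loaded, and it leaves the actual notification as a placeholder.

```php
<?php
// Added example (not from the task or the OAuth extension): rotate every
// registered consumer's secret, as described in the task, then list who to notify.
// Assumed schema: table oauth_registered_consumer with oarc_id, oarc_consumer_key,
// oarc_user_id and oarc_secret_key; only oarc_secret_key appears on the task page.
require_once getenv( 'MW_INSTALL_PATH' ) . '/maintenance/Maintenance.php';

class ResetOAuthConsumerSecrets extends Maintenance {
	public function __construct() {
		parent::__construct();
		$this->addDescription( 'Regenerate every OAuth consumer secret (example script)' );
		$this->addOption( 'dry-run', 'Report what would change without writing to the DB' );
	}

	public function execute() {
		$dbw = wfGetDB( DB_MASTER );
		$rows = $dbw->select(
			'oauth_registered_consumer',
			[ 'oarc_id', 'oarc_consumer_key', 'oarc_user_id' ],
			[],
			__METHOD__
		);

		$toNotify = [];
		foreach ( $rows as $row ) {
			// 32 hex characters = 128 bits from the CSPRNG, the value proposed in the task.
			$newSecret = MWCryptRand::generateHex( 32 );
			if ( !$this->hasOption( 'dry-run' ) ) {
				$dbw->update(
					'oauth_registered_consumer',
					[ 'oarc_secret_key' => $newSecret ],
					[ 'oarc_id' => $row->oarc_id ],
					__METHOD__
				);
			}
			// Never print or log the new secret; the owner obtains it through the
			// consumer update form's reset option once notified.
			$toNotify[$row->oarc_user_id][] = $row->oarc_consumer_key;
			$this->output( "rotated secret for consumer {$row->oarc_consumer_key}\n" );
		}

		foreach ( $toNotify as $userId => $keys ) {
			// Placeholder for the notification step: tell the owner to open the consumer
			// update page, tick the reset option and save to receive the new secret.
			$this->output( "notify user $userId about " . count( $keys ) . " consumer(s)\n" );
		}
	}
}

$maintClass = ResetOAuthConsumerSecrets::class;
require_once RUN_MAINTENANCE_IF_MAIN;
```

Run it with `--dry-run` first to see which consumers and owners are affected; the write path invalidates every existing secret at once, so the notification step has to follow in the same maintenance window or consumers silently stop working.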

Change 302630 had a related patch set uploaded (by Gergő Tisza):
Reenable $wgMWOAuthSecureTokenTransfer=true; on the beta cluster

hashar changed the task status from Stalled to Open.Aug 31 2016, 3:15 PM

Beta has SSL now (T50501)

Change 302630 merged by jenkins-bot:
Reenable $wgMWOAuthSecureTokenTransfer=true; on the beta cluster

AlexMonk-WMF closed this task as Resolved.Aug 31 2016, 3:42 PM

I'm considering this done, unless someone really thinks we need to reset those. (@dpatrick, @Bawolff?)