(NOTE) work in progress
Authentication extensions owned by the MediaWiki Platform team should have good logging and monitoring coverage, both to help debugging and incident response and to allow periodic health checks and alerts that spot issues early. This is a tracking/planning task to organize subtasks.
* #mediawiki-core-authmanager
** AFAIK it has decent logging. We should probably ask #security-team whether they need any improvements. Maybe look into T246471 / T246462.
** The main monitoring mechanism is the [[https://grafana.wikimedia.org/d/000000004/authentication-metrics?orgId=1|authevents]] channel, which is partially broken (specifically for autocreation) because of T275085 / [[https://gerrit.wikimedia.org/r/c/mediawiki/core/+/658443|gerrit 658443]]. (There is also the [[https://grafana.wikimedia.org/d/000000131/authentications?orgId=1&refresh=30m|authmanager]] channel, which shows basically the same data.)
*** Once {T240685} is done and it's possible to monitor multi-dimensional stats, we should rethink what information to add. (Wiki? Browser family? Authn provider name?)
*** Maybe review logging for the Set-Cookie poisoning issues (T274514, T264370, T264369, T256395 etc.). Also maybe create smoke tests that detect Set-Cookie headers on cacheable responses in the caching layers.
*** Improve the documentation of the cryptic session-related log messages: T181869 T158365 T204459 T204787 T292812
** {T125599} {T151590}
* #mediawiki-extensions-centralauth (split by functionality/component because it is large)
** Lacks tests in general: {T230978}
** SSO (authentication providers, CentralIdLookup, SpecialCentralLogin, SpecialCentralAutoLogin)
*** Every step of central login, autologin, edge login etc. should be logged (at least at debug level), since it is hard to tell when and how browsers prevent these flows from completing. The success or failure of the final step should also be monitored. {T327046}
*** Monitor account creation job failures (T336627).
** User locking and suppression
* #mediawiki-extensions-oauth
** High-stakes extension, about 30% of all edits happen via OAuth. It badly needs end-to-end tests.
*** {T341759}
*** {T78314}
** Has decent PHPUnit test coverage, but some important things are not covered, e.g. Control, RefreshTokenRepository, ScopeRepository, MWOAuthServer, MWOAuthDataStore.
** Should log consumer creation/management events: {T151590}
** Should log authorizations, revocations and the use of the identify/user profile endpoint. This was done in T208007 but that was before OAuth 2 support was added, so it probably needs to be redone.
** Error messages given to clients are in general pretty bad and confusing (T245477). Fixing that should be part of this work; and in the cases where we don't want to tell the user the error details, or it is not easy to propagate them from the error site to the output (since we use multiple external libraries), the details should at least be logged so the support desk can look into the issue.
** There should probably be monitoring of the OAuth request rate, split by whether authentication succeeded, by OAuth version, and by whether the consumer was owner-only. This would help catch major breakage quickly via alerts.
* #mediawiki-extensions-oauthratelimiter
** Seems to have decent PHPUnit coverage. Should probably have an end-to-end test that actually checks that the rate limit is present in the issued JWT.
** Doesn't really need logging or monitoring.
* #mediawiki-extensions-oathauth
** Lacks unit tests. There should probably be tests for the user repository, more tests for the module registry and for TOTPKey, and a test for the authentication provider (probably also an AuthManager integration test for it).
** Should probably have a browser test for the main workflow, if we can reliably mock or simulate the TOTP logic. Maybe also tests for enable/disable.
** Should have monitoring for successful/unsuccessful checks, so it can be used for alerts ({T150903})
* WebAuthn (also #mediawiki-extensions-oathauth; see https://phabricator.wikimedia.org/T303495 about merging the two extensions)
** Has no unit tests whatsoever: {T315778}
** Should probably have 1-2 browser tests for the most important workflows (Selenium [[https://www.selenium.dev/documentation/webdriver/interactions/virtual_authenticator/|has support]] for WebAuthn mocks).
** Like OATHAuth, should have monitoring for successful/unsuccessful checks.
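For the Set-Cookie smoke test idea under AuthManager, here is a sketch of the kind of check meant. It is an added example written for this task, not code from MediaWiki, CentralAuth or the Wikimedia CDN. A response that a shared cache stores together with its Set-Cookie header hands that cookie (e.g. a session cookie) to every later client that gets the object from the cache, which is the Set-Cookie poisoning class of bug referenced above. The check runs over captured response headers so it needs no network. Assumptions: the `X-Cache-Status` values (`hit-front`, `pass`, ...) are modelled on what Wikimedia's edge caches emit, and the sample responses are constructed, not captured traffic.

```python
from typing import Dict, List, Optional, Tuple

# Headers as a list, not a dict: Set-Cookie may legitimately repeat.
Headers = List[Tuple[str, str]]


def header(headers: Headers, name: str) -> Optional[str]:
    """First value of a header, case-insensitively; None if absent."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None


def parse_cache_control(value: str) -> Dict[str, str]:
    """'private, s-maxage=0' -> {'private': '', 's-maxage': '0'}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def _ttl(arg: str) -> int:
    """Numeric directive argument; a malformed value counts as 0."""
    try:
        return int(arg)
    except ValueError:
        return 0


def shared_cacheable(headers: Headers) -> bool:
    """Would a shared cache (CDN) store this response?

    private/no-store win; then s-maxage, then max-age, then public.
    No Cache-Control at all is treated as cacheable, because a CDN may
    apply a default TTL (deliberately conservative for a smoke test).
    """
    value = header(headers, "Cache-Control")
    if value is None:
        return True
    cc = parse_cache_control(value)
    if "private" in cc or "no-store" in cc:
        return False
    if "s-maxage" in cc:
        return _ttl(cc["s-maxage"]) > 0
    if "max-age" in cc:
        return _ttl(cc["max-age"]) > 0
    return "public" in cc


def was_cache_hit(headers: Headers) -> bool:
    """Assumed Wikimedia-style X-Cache-Status: 'hit-front', 'hit-local', ..."""
    return (header(headers, "X-Cache-Status") or "").lower().startswith("hit")


def check_response(url: str, headers: Headers) -> List[str]:
    """One finding per way this response leaks a cookie through the cache."""
    names = [v.split("=", 1)[0] for k, v in headers if k.lower() == "set-cookie"]
    if not names:
        return []
    if was_cache_hit(headers):
        # Already too late: the cookie was stored and is being replayed to others.
        return [f"{url}: Set-Cookie {names} served from cache ({header(headers, 'X-Cache-Status')})"]
    if shared_cacheable(headers):
        # Not a hit yet, but nothing stops the CDN from storing it with the cookie.
        return [f"{url}: Set-Cookie {names} on a response a shared cache may store"]
    return []


# Constructed sample responses (not captured); cookie values are dummies.
SAMPLE_RESPONSES: List[Tuple[str, Headers]] = [
    # Normal anonymous page view: cached, no cookie. Fine.
    ("https://en.wikipedia.org/wiki/Main_Page", [
        ("Cache-Control", "s-maxage=1209600, must-revalidate, max-age=0"),
        ("X-Cache-Status", "hit-front")]),
    # Login response: cookie set, but private and passed through. Fine.
    ("https://en.wikipedia.org/w/index.php?title=Special:UserLogin", [
        ("Cache-Control", "private, must-revalidate, max-age=0"),
        ("X-Cache-Status", "pass"),
        ("Set-Cookie", "enwikiSession=0123456789abcdef; Path=/; Secure; HttpOnly")]),
    # Bug: a session cookie on a page that still advertises a CDN TTL.
    ("https://en.wikipedia.org/wiki/Special:BlankPage", [
        ("Cache-Control", "s-maxage=1209600, must-revalidate, max-age=0"),
        ("X-Cache-Status", "miss"),
        ("Set-Cookie", "centralauth_Session=fedcba9876543210; Path=/; Secure; HttpOnly")]),
    # Worse: the poisoned object is already being served from the edge cache.
    ("https://en.wikipedia.org/wiki/Special:Random", [
        ("Cache-Control", "s-maxage=1209600, must-revalidate, max-age=0"),
        ("X-Cache-Status", "hit-front"),
        ("Set-Cookie", "enwikiUserID=12345; Path=/; Secure")]),
]


def run_smoke_test(responses=SAMPLE_RESPONSES) -> List[str]:
    """Return all findings; an empty list means the smoke test passed."""
    findings: List[str] = []
    for url, headers in responses:
        findings.extend(check_response(url, headers))
    return findings


if __name__ == "__main__":
    for finding in run_smoke_test():
        print("FAIL", finding)
```

In a real periodic check the headers would come from fetching a handful of URLs both as an anonymous client and as a logged-in client (the second one is where the cookie gets set); the two "Fine" samples above pass, the two poisoned ones are reported.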