Change Details

Now that #ipoid-service is running, we can make use of its data in account creation requests. This task proposes that an extension implements a pre authentication provider to check for the presence of an IP address used in account creation against ipoid's database. The extension should allow for configuring which risk types (e.g. callback proxy) and tunnel types (e.g. proxy or vpn) to block account creation for. I'm proposing CentralAuth both for lack of a better place for this integration for now, and because CentralAuth has utilities to make it easy to check if an account creation belongs to a user who has local/global IP block exemption.

## Context Now that #ipoid-service is running, we can make use of its data in account creation requests and other actions taken on wiki. This is useful for providing additional context into an action; it also provides for the possibility of implementing mitigations based on various signals, rather than relying on individual IPs or IP ranges for actions. ## Proposal This task proposes that an extension implements a pre authentication provider to check for the presence of an IP address used in account creation against ipoid's database. The extension should allow for configuring which risk types (e.g. callback proxy) and tunnel types (e.g. proxy or vpn) to check account creation for. In the short term, we'll use CentralAuth both for lack of a better place for this integration for now. Longer term, this functionality should go into #mediawiki-extensions-ipreputation ## Consequences 1. There is a central location for event logging, statsd, and logstash logs for IP reputation data associated with an action 1. There is configuration that allows for implementing mitigations per action for IP addresses matching configured risk criteria

Now that #ipoid-service is running, we can make use of its data in account creation requests. This task proposes that an extension implements a pre authentication provider to check for the presence of an IP address used in account creation against ipoid's database.## Context The extension should allow for configuring which risk types (e.gNow that #ipoid-service is running, we can make use of its data in account creation requests and other actions taken on wiki. callback proxy) and tunnel types (e.g.This is useful for providing additional context into an action; it also provides for the possibility of implementing mitigations based on various signals, proxy or vpn) to block account creation forrather than relying on individual IPs or IP ranges for actions. I'm proposing## Proposal This task proposes that an extension implements a pre authentication provider to check for the presence of an IP address used in account creation against ipoid's database. The extension should allow for configuring which risk types (e.g. callback proxy) and tunnel types (e.g. proxy or vpn) to check account creation for. In the short term, we'll use CentralAuth both for lack of a better place for this integration for now,. Longer term, this functionality should go into #mediawiki-extensions-ipreputation ## Consequences 1. There is a central location for event logging, statsd, and logstash logs for IP reputation data associated with an action 1. and because CentralAuth has utilities to make it easy to check if an account creation belongs to a user who has local/global IP block exemption.There is configuration that allows for implementing mitigations per action for IP addresses matching configured risk criteria