Page MenuHomePhabricator
Create Task
Maniphest T332411

Make some authentication APIs unavailable to temporary users
Closed, ResolvedPublic
Actions

Assigned To
Tchanders
Authored By
Tchanders
Mar 17 2023, 3:56 PM
Tags
Referenced Files
F37114926: T332411_IPMasking_NotLogged_RemoveAuth.png
Jun 23 2023, 5:38 PM
F37114924: T332411_IPMasking_NotLogged_ChangeAuth.png
Jun 23 2023, 5:38 PM
F37114922: T332411_IPMasking_Temp_RemoveAuth.png
Jun 23 2023, 5:38 PM
F37114920: T332411_IPMasking_Temp_ChangeAuth.png
Jun 23 2023, 5:38 PM
F37111438: T332411_IPMasking_API_RemoveAuthData2.png
Jun 21 2023, 7:35 PM
F37111436: T332411_IPMasking_API_RemoveAuthData1.png
Jun 21 2023, 7:35 PM
F37111433: T332411_IPMasking_API_ChangeAuthData2.png
Jun 21 2023, 7:35 PM
F37111431: T332411_IPMasking_API_ChangeAuthData1.png
Jun 21 2023, 7:35 PM
Subscribers
Aklapper
ARamirez_WMF
drochford
GMikesell-WMF
JayCano
Niharika
Prtksxna
View All 10 Subscribers

Description

The following throw a notloggedin error for anonymous users, and should do the same for temporary users:

  • ApiChangeAuthenticationData
  • ApiRemoveAuthenticationData
  • ApiLinkAccount
  • TemporaryPasswordPrimaryAuthenticationProvider No update needed; anons are identified by having an IP for a name, and a custom message is used that assumes the name is an IP address.
  • ApiValidatePassword This is just for checking generic password/username validity and is available to anons

Details

SubjectRepoBranchLines +/-
Prevent temporary users from accessing APIs for changing passwordsmediawiki/coremaster+2 -2
Prevent temporary users from accessing ApiLinkAccountmediawiki/coremaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tchanders created this task.Mar 17 2023, 3:56 PM
Tchanders mentioned this in T326759: Investigate: Which WMF deployed code might be affected by IP Masking?.
Tchanders added a subscriber: tstarling.

@tstarling Before we pick this up, is there any reason why a temporary account should have access to any of these?

MusikAnimal unsubscribed.Mar 17 2023, 11:21 PM
Tchanders updated the task description. (Show Details)Jun 8 2023, 6:32 AM
gerritbot added a comment.Jun 9 2023, 4:21 PM

Change 928869 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/core@master] Prevent temporary users from accessing APIs for changing passwords

https://gerrit.wikimedia.org/r/928869

gerritbot added a project: Patch-For-Review.Jun 9 2023, 4:21 PM
gerritbot added a comment.Jun 9 2023, 4:28 PM

Change 928871 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/core@master] Prevent temporary users from accessing ApiLinkAccount

https://gerrit.wikimedia.org/r/928871

gerritbot added a comment.Jun 10 2023, 5:56 PM

Change 928871 merged by jenkins-bot:

[mediawiki/core@master] Prevent temporary users from accessing ApiLinkAccount

https://gerrit.wikimedia.org/r/928871

ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.13; 2023-06-13).Jun 10 2023, 7:00 PM
Tchanders edited projects, added Anti-Harassment (AHaT Sprint 31 - The Fez); removed Anti-Harassment.Jun 14 2023, 4:58 PM
Tchanders moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to Code Review 🔍 on the Anti-Harassment (AHaT Sprint 31 - The Fez) board.
Tchanders claimed this task.Jun 14 2023, 5:40 PM
Umherirrender added a project: MediaWiki-Action-API.Jun 15 2023, 7:32 PM
Niharika moved this task from AHaT Sprint 31 - The Fez to AHaT Sprint 32 - Baseball Cap on the Anti-Harassment board.Jun 20 2023, 6:00 PM
Niharika edited projects, added Anti-Harassment (AHaT Sprint 32 - Baseball Cap); removed Anti-Harassment (AHaT Sprint 31 - The Fez).
Niharika moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to Code Review 🔍 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.
AGueyte moved this task from Code Review 🔍 to QA/Testing 🐞 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.Jun 21 2023, 2:02 PM
gerritbot added a comment.Jun 21 2023, 3:11 PM

Change 928869 merged by jenkins-bot:

[mediawiki/core@master] Prevent temporary users from accessing APIs for changing passwords

https://gerrit.wikimedia.org/r/928869

Maintenance_bot removed a project: Patch-For-Review.Jun 21 2023, 3:30 PM
ReleaseTaggerBot edited projects, added MW-1.41-notes (1.41.0-wmf.15; 2023-06-27); removed MW-1.41-notes (1.41.0-wmf.13; 2023-06-13).Jun 21 2023, 4:00 PM
Tchanders updated the task description. (Show Details)Jun 21 2023, 5:24 PM

Testing notes

ApiChangeAuthenticationData:

  • On Special:ApiSandbox, fill in the fields:
    • action=changeauthenticationdata
    • changeauthrequest=MediaWiki\\Auth\\PasswordAuthenticationRequest
  • Click on auto-fill token if necessary
  • Results should contain "code": "notloggedin"
  • Before these patches were merged, results contained "code": "reauthenticate"

ApiRemoveAuthenticationData:

  • As for ApiChangeAuthenticationData, but fill in the fields:
    • action=removeauthenticationdata
    • request=MediaWiki\\Auth\\TemporaryPasswordAuthenticationRequest

(Note: This shouldn't be needed since the above should just work, but to find out what to enter for changeauthrequest, use the action=query&meta=authmanagerinfo API and enter amirequestsfor=change. To find out what to enter for request, do the same but enter amirequestsfor=remove.)

ApiLinkAccount:
This is tricky to test as it's for 3rd-party authentication. It's small enough and similar enough to the others that I'm happy to bypass QA on this one.

GMikesell-WMF subscribed.Jun 21 2023, 7:35 PM

@Tchanders I'm getting a different request as seen in my screenshots. It may be something with. my own local config?

changeauthenticationdata

T332411_IPMasking_API_ChangeAuthData1.png (1×3 px, 349 KB)

T332411_IPMasking_API_ChangeAuthData2.png (1×3 px, 368 KB)

removeauthenticationdata

T332411_IPMasking_API_RemoveAuthData1.png (977×3 px, 343 KB)

T332411_IPMasking_API_RemoveAuthData2.png (1×3 px, 371 KB)

Tchanders added a comment.Jun 22 2023, 2:01 PM

@GMikesell-WMF What happens if you do this?

(Note: This shouldn't be needed since the above should just work, but to find out what to enter for changeauthrequest, use the action=query&meta=authmanagerinfo API and enter amirequestsfor=change. To find out what to enter for request, do the same but enter amirequestsfor=remove.)

GMikesell-WMF added a comment.Jun 23 2023, 5:38 PM

@Tchanders After the git stash to get rid of the updates and update again, it works fine as seen in the screenshots below. I will move this to Done, thanks!

Accountchangeauthenticationdataremoveauthenticationdata
Temp User
T332411_IPMasking_Temp_ChangeAuth.png (856×3 px, 281 KB)
T332411_IPMasking_Temp_RemoveAuth.png (850×3 px, 276 KB)
Not Logged In
T332411_IPMasking_NotLogged_ChangeAuth.png (615×1 px, 169 KB)
T332411_IPMasking_NotLogged_RemoveAuth.png (624×1 px, 169 KB)
GMikesell-WMF moved this task from QA/Testing 🐞 to Done Q1 2023-2024 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.Jun 23 2023, 5:38 PM
Tchanders closed this task as Resolved.Aug 14 2023, 10:32 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits