Jump to content

Extension talk:OATHAuth

About this board

TattooedLeprechaun (talkcontribs)

Says MediaWiki version required is >= 1.43, but the latest is 1.42.1... so I'm confused.

TheDJ (talkcontribs)

That is probably for the current unreleased version. These tables are automatically constructed and it is difficult to reflect all information for each version of Mediawiki.

TattooedLeprechaun (talkcontribs)

Okie dokie. Thank you.

Reply to "MediaWiki version"

MediaWiki 1.35.8 (2f77810) "wgOATHRequiredForGroups" not work.

3
Mkepler (talkcontribs)

I set in LocalSettings: $wgOATHRequiredForGroups = ['editor']; and no effect.

174.95.149.12 (talkcontribs)

Looking for something similar, would like to know the correct syntax for $wgOATHRequiredForGroups

School4schools (talkcontribs)

Any luck w/ this? I'm trying to enforce TFA for all users, and it's unclear how to do that:

$wgOATHRequiredForGroups[] = 'user';

does nothing different from

$wgGroupPermissions['*']['oathauth-enable'] = true;

Reply to "MediaWiki 1.35.8 (2f77810) "wgOATHRequiredForGroups" not work."

How to enforce MFA to all users, any examples will be useful

5
Wikiusr23 (talkcontribs)

I have the following config

##Users should be given access to the oathauth-enable user right so that they can enable it at Special:OATHAuth

$wgGroupPermissions['user']['oathauth-enable'] = true;

##Set MFA for all logged in users

#$wgOATHRequiredForGroups[] = ['user','WIKI-PSWiki-Admins'];

##Remove 'read' right until auth with MFA

$wgOATHExclusiveRights = ['read'];


But with this the users are being asked to do MFA but they don't have the rights to see the preferences page

TheDJ (talkcontribs)

As MediaWiki in general is architected for situations where users have read rights, you might run into unexpected problems when they don't, this being one of them. Manual:Preventing_access suggests Manual:$wgWhitelistRead. I'm not sure anyone has ever tested for a situation like the one you are describing, so unsure if that suggestion will work.

Wikiusr23 (talkcontribs)

Is my syntax in configuration correct?

The user are not able to see the login page as well though I have

$wgWhitelistRead = array ("Special:Userlogin");

Say I remove $wgOATHExclusiveRights, will $wgOATHRequiredForGroups take care of enforcing the user to have MFA on login, like register to MFA if they don't have it set.

This post was hidden by Wikiusr23 (history)
Nu77p0int3r (talkcontribs)

I had the same issue with my installation, so I edited the plugin.


In extensions/OATHAuth/src/Hook/HookHandler.php replace, from line 220 to 228:

$session = $user->getRequest()->getSession();

$WhitelistArray = $this->config->get( 'WhitelistRead' );
               if ( !is_array( $WhitelistArray ) ) {
                       $WhitelistArray = array();
               }

		if (
			!(bool)$session->get( OATHAuth::AUTHENTICATED_OVER_2FA, false ) &&
			in_array( $action, $this->config->get( 'OATHExclusiveRights' ) ) &&
			!in_array( $title, $WhitelistArray )
		) {
			$result = 'oathauth-action-exclusive-to-2fa';
			return false;
		}
		return true;


then, in LocalSettings.php:

$wgOATHExclusiveRights = ['read'];
$wgOATHRequiredForGroups = ['user'];
$wgWhitelistRead = [
   'Special:UserLogin',
   'Special:Preferences',
   'Special:Manage Two-factor authentication',
   'Special:OATHAuth',
   'MediaWiki:Common.css',
   'MediaWiki:Common.js'
]


Once 2FA is enabled, user must logout and login again

Reply to "How to enforce MFA to all users, any examples will be useful"

Two factor authentication disable

2
Caiovernaglia (talkcontribs)

There's any way to prevent an user to disable the two factor authentication?

Tgr (talkcontribs)

Not at the moment but probably soon. See T150562.

Reply to "Two factor authentication disable"
Novem Linguae (talkcontribs)

Anyone know what OATH stands for? Perhaps we can work this into the page somewhere, to help folks remember the extension name.

TheDJ (talkcontribs)
Reply to "OATH"

PHP Fatal Error Occurred

4
Zorua Fox (talkcontribs)

When I use the latest version of OATHAuth on MediaWiki1.39.4,an error occurred.

2023/07/21 00:34:54 [error] 12943#0: *2494 FastCGI sent in stderr: "PHP message: PHP Fatal error:  Uncaught Exception: Unable to open file /www/wwwroot/wiki.youshouyan.org/extensions/OATHAuth/extension.json: filemtime(): stat failed for /www/wwwroot/wiki.youshouyan.org/extensions/OATHAuth/extension.json in /www/wwwroot/wiki.youshouyan.org/includes/registration/ExtensionRegistry.php:199
Stack trace:


# 0 /www/wwwroot/wiki.youshouyan.org/includes/GlobalFunctions.php(49): ExtensionRegistry->queue()
# 1 /www/wwwroot/wiki.youshouyan.org/LocalSettings.php(218): wfLoadExtension()
# 2 /www/wwwroot/wiki.youshouyan.org/includes/Setup.php(218): require_once('...')
# 3 /www/wwwroot/wiki.youshouyan.org/includes/WebStart.php(86): require_once('...')
# 4 /www/wwwroot/wiki.youshouyan.org/index.php(44): require('...')
# 5 {main}

 thrown in /www/wwwroot/wiki.youshouyan.org/includes/registration/ExtensionRegistry.php on line 199" while reading response header from upstream, client: 103.15.97.139, server: wiki.zorua.top, request: "GET /wiki/有兽档案馆:首页 HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-cgi-81.sock:"
TheDJ (talkcontribs)
Unable to open file /www/wwwroot/wiki.youshouyan.org/extensions/OATHAuth/extension.json

Make sure your php process is allowed to open this file.

Zorua Fox (talkcontribs)

I've changed the permission code of extension.js from 655 to 755, and PHP stopped throwing the error above. However, when I click the "enable" button on Special:OATHAuth page, the website still returns code 404, without any further explanation in the error log. Actually, this is the original bug that drove me to look into the error log yesterday.

I've performed an investigation into the source code, and I found that 404 is thrown when PHP is executing Line 121 of src/Module/TOTP.php, i.e., creating a TOTPEnableForm object. I hope this information is helpful for debugging, and I'm always glad to provide more information when needed.

This post was hidden by Zorua Fox (history)
Reply to "PHP Fatal Error Occurred"

Can 2FA be enforced for all users?

2
81.89.197.85 (talkcontribs)

As it is already possible to force users to login before reading pages, is it possible to have 2FA also mandatory for this?

Mkepler (talkcontribs)
  1. $wgOATHExclusiveRights=['read'];

But try first.

Reply to "Can 2FA be enforced for all users?"

Error: Class 'Base32\Base32' not found

1
Summary by Lotusccong

After relogin . It works.

Lotusccong (talkcontribs)

When I want to enable the TOTP.

I got this error - [c884f5c00ef4a4497ae26590] /index.php?title=Special:OATH%E9%AA%8C%E8%AF%81&action=enable&module=totp&warn=1 Error: Class 'Base32\Base32' not found

even I have check that the all required dependency has been installed like christian-riesen/base32 .


MW 1.39 . Did I missed out any setting ?

Cojoilustrado (talkcontribs)

Any secondary effects from disabling this?

Reply to "Disabling OATHAuth"

How long can a user stay "signed in" to the wiki with 2FA enabled?

1
BryanAtCrystal (talkcontribs)

I recently added this extension to my wiki and my users can get setup and work well. I have noticed that sometimes it seems like user rights disappear and I am wondering if this is due to the 2FA login "expiring"?

I usually tick the "Keep me signed in" box on the logon page. Does having 2FA change the functionality of this checkbox?

It seems that the rights in $wgOATHExclusiveRights, which I have set to move and delete, get removed after some period of time.

Is this the proper behavior? How long do rights stay active after adding 2FA?

Reply to "How long can a user stay "signed in" to the wiki with 2FA enabled?"