Skizzerz has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/405807 )
Change subject: Ensure creds are always set in primary provider ...................................................................... Ensure creds are always set in primary provider We need to explicitly set the user's pw in the primary provider on account creation, as AuthManager makes no assumptions about it, and as such users were getting set up with null credentials (preventing them from logging in). Now that this is resolved, re-enabled the secondary screen to change password as default. Change-Id: Icf549f241181976af2398051542f0140b0d62f63 --- M ExternalWikiPrimaryAuthenticationProvider.php M extension.json 2 files changed, 13 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/MediaWikiAuth refs/changes/07/405807/1 diff --git a/ExternalWikiPrimaryAuthenticationProvider.php b/ExternalWikiPrimaryAuthenticationProvider.php index 4de21dd..686e5ba 100644 --- a/ExternalWikiPrimaryAuthenticationProvider.php +++ b/ExternalWikiPrimaryAuthenticationProvider.php @@ -13,6 +13,7 @@ { protected $cookieJar; private $userCache = []; + private $pwKey = 'MediaWikiAuth-userpw'; // should be private const, but that's PHP 7.1+ public function __construct( array $params = [] ) { parent::__construct( $params ); @@ -56,6 +57,10 @@ return AuthenticationResponse::newAbstain(); } + // Save the user password so we can set it in autoCreatedAccount (otherwise the user has + // null credentials unless they go through the optional password change process) + $this->manager->setAuthenticationSessionData( $this->pwKey, $req->password ); + // Grab remote MediaWiki version; our auth flow depends on what we get back $resp = $this->apiRequest( 'GET', [ 'action' => 'query', 
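Review bot: The plaintext password is written to authentication session data in the `@@ -56,6 +57,10 @@` hunk before the remote wiki has accepted it, so a mistyped or rejected password also lands in the session store. The commit clears it only on the two `newFail` paths (the hunks at -89 and -117). Any other exit between the store and those checks, such as an exception or early return around `apiRequest` (not visible here), would presumably leave it behind until AuthManager discards the session data. Consider moving `$this->manager->setAuthenticationSessionData( $this->pwKey, $req->password );` to the point after the legacy/modern branch where the remote login is known to have succeeded, which would also make both `removeAuthenticationSessionData` calls unnecessary. The enclosing method starts and ends outside the hunk, so confirm there is no other return path between those points.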
@@ -89,6 +94,7 @@ if ( $resp->login->result !== 'Success' ) { $this->logger->info( 'Authentication against legacy remote API failed for reason ' . $resp->login->result, [ 'remoteVersion' => $remoteVersion, 'caller' => __METHOD__, 'username' => $username ] ); + $this->manager->removeAuthenticationSessionData( $this->pwKey ); return AuthenticationResponse::newFail( wfMessage( 'mwa-authfail' ) ); } } else { @@ -117,6 +123,7 @@ if ( $resp->clientlogin->status !== 'PASS' ) { $this->logger->info( 'Authentication against modern remote API failed for reason ' . $resp->clientlogin->status, [ 'remoteVersion' => $remoteVersion, 'caller' => __METHOD__, 'username' => $username ] ); + $this->manager->removeAuthenticationSessionData( $this->pwKey ); return AuthenticationResponse::newFail( wfMessage( 'mwa-authfail' ) ); } } @@ -143,6 +150,11 @@ return; } + // ensure the user can log in even if we don't do secondary password reset + $password = $this->manager->getAuthenticationSessionData( $this->pwKey ); + $this->manager->removeAuthenticationSessionData( $this->pwKey ); + $user->setPassword( $password ); + // $user->saveChanges() is called automatically after this runs, // so calling it ourselves is not necessary. // This is where we fetch user preferences and watchlist to save locally. diff --git a/extension.json b/extension.json index d62130b..5e4f606 100644 --- a/extension.json +++ b/extension.json 
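Review bot: In the `@@ -143,6 +150,11 @@` hunk, `$user->setPassword( $password )` runs even when `getAuthenticationSessionData` finds nothing under `$this->pwKey`, for example if the session entry was lost or the account is auto-created on a path that never stored it. That would pass a null password and either recreate the unusable-credentials state this commit is fixing or raise an error from `setPassword`. Guard the call and log the miss without the secret: `if ( $password !== null ) { $user->setPassword( $password ); } else { $this->logger->warning( 'No stored password for auto-created account', [ 'caller' => __METHOD__ ] ); }`. The remote password is also applied without any visible check against the local password policy, so it is worth confirming that `setPassword` cannot throw here and abort account creation. The enclosing method starts and ends outside the hunk.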
@@ -12,7 +12,7 @@ "license-name": "GPL-2.0+", "type": "other", "config": { - "MediaWikiAuthAllowPasswordChange": false, + "MediaWikiAuthAllowPasswordChange": true, "MediaWikiAuthApiUrl": "", "MediaWikiAuthImportGroups": true, "MediaWikiAuthImportWatchlist": true, -- To view, visit https://gerrit.wikimedia.org/r/405807 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Icf549f241181976af2398051542f0140b0d62f63 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/MediaWikiAuth Gerrit-Branch: master Gerrit-Owner: Skizzerz <skizz...@skizzerz.net> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits