Skizzerz has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/405807 )

Change subject: Ensure creds are always set in primary provider
......................................................................

Ensure creds are always set in primary provider

We need to explicitly set the user's pw in the primary provider on
account creation, as AuthManager makes no assumptions about it, and as
such users were getting set up with null credentials (preventing them
from logging in).

Now that this is resolved, re-enabled the secondary screen to change
password as default.

Change-Id: Icf549f241181976af2398051542f0140b0d62f63
---
M ExternalWikiPrimaryAuthenticationProvider.php
M extension.json
2 files changed, 13 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/MediaWikiAuth refs/changes/07/405807/1

diff --git a/ExternalWikiPrimaryAuthenticationProvider.php 
b/ExternalWikiPrimaryAuthenticationProvider.php
index 4de21dd..686e5ba 100644
--- a/ExternalWikiPrimaryAuthenticationProvider.php
+++ b/ExternalWikiPrimaryAuthenticationProvider.php
@@ -13,6 +13,7 @@
 {
        protected $cookieJar;
        private $userCache = [];
+       private $pwKey = 'MediaWikiAuth-userpw'; // should be private const, 
but that's PHP 7.1+
 
        public function __construct( array $params = [] ) {
                parent::__construct( $params );
@@ -56,6 +57,10 @@
                        return AuthenticationResponse::newAbstain();
                }
 
+               // Save the user password so we can set it in 
autoCreatedAccount (otherwise the user has
+               // null credentials unless they go through the optional 
password change process)
+               $this->manager->setAuthenticationSessionData( $this->pwKey, 
$req->password );
+
                // Grab remote MediaWiki version; our auth flow depends on what 
we get back
                $resp = $this->apiRequest( 'GET', [
                        'action' => 'query',
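Review bot: The plaintext `$req->password` is written to authentication session data at the top of this hunk, before the remote login has been attempted, so it sits in the session for every attempt, including failed ones. The later hunks clear it only in the two `newFail` branches; any other exit between this call and a successful result would leave it behind. Consider moving the `setAuthenticationSessionData( $this->pwKey, ... )` call to the point where the remote API has reported success, which also makes the two `removeAuthenticationSessionData` calls in the failure branches unnecessary.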
@@ -89,6 +94,7 @@
                        if ( $resp->login->result !== 'Success' ) {
                                $this->logger->info( 'Authentication against 
legacy remote API failed for reason ' . $resp->login->result,
                                        [ 'remoteVersion' => $remoteVersion, 
'caller' => __METHOD__, 'username' => $username ] );
+                               
$this->manager->removeAuthenticationSessionData( $this->pwKey );
                                return AuthenticationResponse::newFail( 
wfMessage( 'mwa-authfail' ) );
                        }
                } else {
@@ -117,6 +123,7 @@
                        if ( $resp->clientlogin->status !== 'PASS' ) {
                                $this->logger->info( 'Authentication against 
modern remote API failed for reason ' . $resp->clientlogin->status,
                                        [ 'remoteVersion' => $remoteVersion, 
'caller' => __METHOD__, 'username' => $username ] );
+                               
$this->manager->removeAuthenticationSessionData( $this->pwKey );
                                return AuthenticationResponse::newFail( 
wfMessage( 'mwa-authfail' ) );
                        }
                }
@@ -143,6 +150,11 @@
                        return;
                }
 
+               // ensure the user can log in even if we don't do secondary 
password reset
+               $password = $this->manager->getAuthenticationSessionData( 
$this->pwKey );
+               $this->manager->removeAuthenticationSessionData( $this->pwKey );
+               $user->setPassword( $password );
+
                // $user->saveChanges() is called automatically after this runs,
                // so calling it ourselves is not necessary.
                // This is where we fetch user preferences and watchlist to 
save locally.
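Review bot: There is no null check before `$user->setPassword( $password )`. If the session key is absent when this method runs, `getAuthenticationSessionData( $this->pwKey )` yields no password and the account ends up with the null credentials this change is meant to prevent. Guard the call so `setPassword` only runs when `$password` is a non-empty string, and log the case where the key is missing.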
diff --git a/extension.json b/extension.json
index d62130b..5e4f606 100644
--- a/extension.json
+++ b/extension.json
@@ -12,7 +12,7 @@
        "license-name": "GPL-2.0+",
        "type": "other",
        "config": {
-               "MediaWikiAuthAllowPasswordChange": false,
+               "MediaWikiAuthAllowPasswordChange": true,
                "MediaWikiAuthApiUrl": "",
                "MediaWikiAuthImportGroups": true,
                "MediaWikiAuthImportWatchlist": true,
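Review bot: Flipping the default of `MediaWikiAuthAllowPasswordChange` to `true` changes behaviour for every install that does not set the option explicitly, and the only place this is stated is the commit message. A line in the extension's documentation or release notes naming the new default would let operators who relied on `false` set it themselves.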

Gerrit-MessageType: newchange
Gerrit-Change-Id: Icf549f241181976af2398051542f0140b0d62f63
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/MediaWikiAuth
Gerrit-Branch: master
Gerrit-Owner: Skizzerz <skizz...@skizzerz.net>
