Extension talk:OATHAuth

I set in LocalSettings: $wgOATHRequiredForGroups = ['editor']; and no effect.

Looking for something similar, would like to know the correct syntax for $wgOATHRequiredForGroups

Any luck w/ this? I'm trying to enforce TFA for all users, and it's unclear how to do that:

$wgOATHRequiredForGroups[] = 'user';

does nothing different from

$wgGroupPermissions['*']['oathauth-enable'] = true;

I have the following config

##Users should be given access to the oathauth-enable user right so that they can enable it at Special:OATHAuth

$wgGroupPermissions['user']['oathauth-enable'] = true;

##Set MFA for all logged in users

#$wgOATHRequiredForGroups[] = ['user','WIKI-PSWiki-Admins'];

##Remove 'read' right until auth with MFA

$wgOATHExclusiveRights = ['read'];

But with this the users are being asked to do MFA but they don't have the rights to see the preferences page

As MediaWiki in general is architected for situations where users have read rights, you might run into unexpected problems when they don't, this being one of them. Manual:Preventing_access suggests Manual:$wgWhitelistRead. I'm not sure anyone has ever tested for a situation like the one you are describing, so unsure if that suggestion will work.

I had the same issue with my installation, so I edited the plugin.

In extensions/OATHAuth/src/Hook/HookHandler.php replace, from line 220 to 228:

$session = $user->getRequest()->getSession();

$WhitelistArray = $this->config->get( 'WhitelistRead' );
               if ( !is_array( $WhitelistArray ) ) {
                       $WhitelistArray = array();
               }

		if (
			!(bool)$session->get( OATHAuth::AUTHENTICATED_OVER_2FA, false ) &&
			in_array( $action, $this->config->get( 'OATHExclusiveRights' ) ) &&
			!in_array( $title, $WhitelistArray )
		) {
			$result = 'oathauth-action-exclusive-to-2fa';
			return false;
		}
		return true;

then, in LocalSettings.php:

$wgOATHExclusiveRights = ['read'];
$wgOATHRequiredForGroups = ['user'];
$wgWhitelistRead = [
   'Special:UserLogin',
   'Special:Preferences',
   'Special:Manage Two-factor authentication',
   'Special:OATHAuth',
   'MediaWiki:Common.css',
   'MediaWiki:Common.js'
]

Once 2FA is enabled, user must logout and login again

Anyone know what OATH stands for? Perhaps we can work this into the page somewhere, to help folks remember the extension name.

See the last link in See also:

• Initiative for Open Authentication (OATH)

When I use the latest version of OATHAuth on MediaWiki1.39.4，an error occurred.

2023/07/21 00:34:54 [error] 12943#0: *2494 FastCGI sent in stderr: ＂PHP message: PHP Fatal error:  Uncaught Exception: Unable to open file /www/wwwroot/wiki.youshouyan.org/extensions/OATHAuth/extension.json: filemtime(): stat failed for /www/wwwroot/wiki.youshouyan.org/extensions/OATHAuth/extension.json in /www/wwwroot/wiki.youshouyan.org/includes/registration/ExtensionRegistry.php:199
Stack trace:


# 0 /www/wwwroot/wiki.youshouyan.org/includes/GlobalFunctions.php(49): ExtensionRegistry-＞queue()
# 1 /www/wwwroot/wiki.youshouyan.org/LocalSettings.php(218): wfLoadExtension()
# 2 /www/wwwroot/wiki.youshouyan.org/includes/Setup.php(218): require_once(＇...＇)
# 3 /www/wwwroot/wiki.youshouyan.org/includes/WebStart.php(86): require_once(＇...＇)
# 4 /www/wwwroot/wiki.youshouyan.org/index.php(44): require(＇...＇)
# 5 {main}

 thrown in /www/wwwroot/wiki.youshouyan.org/includes/registration/ExtensionRegistry.php on line 199＂ while reading response header from upstream, client: 103.15.97.139, server: wiki.zorua.top, request: ＂GET /wiki/有兽档案馆:首页 HTTP/1.1＂, upstream: ＂fastcgi://unix:/tmp/php-cgi-81.sock:＂

Unable to open file /www/wwwroot/wiki.youshouyan.org/extensions/OATHAuth/extension.json

Make sure your php process is allowed to open this file.

As it is already possible to force users to login before reading pages, is it possible to have 2FA also mandatory for this?

1. $wgOATHExclusiveRights=['read'];

But try first.

Any secondary effects from disabling this?

I recently added this extension to my wiki and my users can get setup and work well. I have noticed that sometimes it seems like user rights disappear and I am wondering if this is due to the 2FA login "expiring"?

I usually tick the "Keep me signed in" box on the logon page. Does having 2FA change the functionality of this checkbox?

It seems that the rights in $wgOATHExclusiveRights, which I have set to move and delete, get removed after some period of time.

Is this the proper behavior? How long do rights stay active after adding 2FA?

Hi,

What is the correct syntax for $wgOATHExclusiveRights ? I want to revoke sysop right for deleteperm. Should i type something like this ? false or true ? I think adding one example would help users to understand better. :)

$wgOATHExclusiveRight['sysop']['deleteperm'] = false;

Or should i just type : $wgOATHExclusiveRight['sysop']= true;

And will it revoke all sysop rights until they activate 2FA ?

thanks,

I'm wondering about the same, nothing seems to work. I dug into CheckExclusiveRights.php and i'm still confused.

You should list the permissions you want to restrict in the array:

$wgOATHExclusiveRights = ['edit', 'move'];

I don't think you can take a permission away from a specific group. If you want to take the "delete" permission away from sysops unless they log in with 2FA, it will be simply:

$wgOATHExclusiveRights = ['delete'];

and then only those who logged in with 2FA will be able to delete pages, as long as their user group allows for that. Hope this is helpful!

What if I wanted to force 2FA for all logins? Could I take away ALL permissions? Something like this...

$wgOATHExclusiveRights = ['*'];

it seems doesnt work "up"

Have you tried taking away the 'read' right?