clientlogin + 2FA #260

framawiki · 2017-11-11T19:24:54Z

To be able to login with 2FA enabled, we need to use clientlogin instead of login, and at least to correctly detect users with this security enabled.
In case of 2fa, a second http request is needed to send user, pass, totp (2fa code), fake loginreturnurl, rememberMe boolean and our classical token.

It's the first commit, currently the login form works as usual for normal users. users with 2fa enabled can' t be connected yet.

So this commit is not ready to be merged for now.

Inspired by https://github.com/commons-app/apps-android-commons/blob/b0e8175003a686789474238dd293aa89d1e925c7/app/src/main/java/fr/free/nrw/commons/mwapi/ApacheHttpClientMediaWikiApi.java#L93

Bug: https://phabricator.wikimedia.org/T180279

To be able to login with 2FA enabled, we need to use clientlogin instead of login. In case of 2fa, a second http request is needed to send user, pass, totp (2fa code), fake loginreturnurl, rememberMe boolean and our classical token. It's the first commit, currently the login form works as usual for normal users. users with 2fa enabled want be connected yet. **So this commit is not ready to be merged for now.** Inspired by https://github.com/commons-app/apps-android-commons/blob/b0e8175003a686789474238dd293aa89d1e925c7/app/src/main/java/fr/free/nrw/commons/mwapi/ApacheHttpClientMediaWikiApi.java#L93 Bug: https://phabricator.wikimedia.org/T180279

framawiki

@benapetr I still have two main problems. Can you help me solve them? Thanks !

framawiki · 2017-11-11T19:29:50Z

huggle/login.cpp

+            query->UsingPOST = true;
+            query->Process();
+            ApiQueryResult *result = query->GetApiQueryResult();
+            ApiQueryResultNode *ln = result->GetNode("clientlogin");


We need to execute this second request, but I can't finish it correctly without spending it with other connection requests.

framawiki · 2017-11-11T19:32:56Z

huggle/login.cpp

+    if (status == "UI") {
+        // Need a user interaction like captacha or 2FA
+        //QString v_id = ln->ChildNodes.at(0)->GetAttribute("id", "unknown");
+        //if (v_id == "TOTPAuthenticationRequest"){


I can't parse the xml tree to get back the TOTPAuthenticationRequest value... Here is what contain the answer.

benapetr · 2017-11-11T21:07:30Z

Isn't action=login deprecated anyway? I think we need to replace it with "clientlogin" at some point anyway or is that one also deprecated?

benapetr · 2017-11-11T21:09:07Z

Can you maybe create some diagram of how is this supposed to work? It's hard to review the code if I have no clue on how 2FA login is working within MW. Why is there even a need for callback URL, this isn't OAuth.

benapetr · 2017-11-11T21:14:54Z

huggle/apiquery.cpp

@@ -416,6 +417,10 @@ void ApiQuery::SetAction(const Action action)
            this->ActionPart = "login";
            this->EnforceLogin = false;
            return;
+        case ClientLogin:


This needs to be called ActionClientLogin

benapetr · 2017-11-11T21:15:40Z

huggle/login.cpp

@@ -554,21 +555,20 @@ void Login::PerformLoginPart2(WikiSite *site)
    this->Statuses[site] = WaitingForToken;
    this->LoginQueries.remove(site);
    query->DecRef();
-    query = new ApiQuery(ActionLogin, site);
+    query = new ApiQuery(ClientLogin, site);


Are you sure that Bot login can use "ClientLogin"?

... no, i can't log me in with botpassword... so it looks like that we need to leave both connection methods available in parallel :(
@addshore can you confirm that ClientLogin doesn't support botpassword ?

I actually think that classic login was deprecated for everything except for bot passwords, basically in future it should replace classic login with bot password login only.

benapetr · 2017-11-11T21:18:12Z

huggle/login.cpp

+            query->IncRef();
+            query->Parameters = "username=" + QUrl::toPercentEncoding(hcfg->SystemConfig_BotLogin)
+                        + "&password=" + QUrl::toPercentEncoding(hcfg->TemporaryConfig_Password)
+                        + "&OATHToken=" + totp + "&loginreturnurl=http://example.com/&rememberMe=1&logintoken=" + QUrl::toPercentEncoding(this->Tokens[site]);


Why is loginreturnurl needed at all here

yeah I'll use logincontinue

framawiki · 2017-11-12T18:05:18Z

action=login looks depreciated, see https://www.mediawiki.org/w/api.php?action=help&modules=login :

This action should only be used in combination with Special:BotPasswords; use for main-account login is deprecated and may fail without warning. To safely log in to the main account, use action=clientlogin.

Please look https://www.mediawiki.org/w/api.php?action=help&modules=clientlogin too.

benapetr · 2017-11-13T15:26:34Z

huggle/apiquery.cpp

@@ -417,7 +417,7 @@ void ApiQuery::SetAction(const Action action)
            this->ActionPart = "login";
            this->EnforceLogin = false;
            return;
-        case ClientLogin:


I think you forgot to renamed it elsewhere because now it doesn't compile at all

benapetr · 2017-11-16T12:42:08Z

This is how I imagine it should work, but it now doesn't:

          +----------------------+                    +---------------------------+
          |Bot login is requested|                    |Classic login is requested |
          +-----------+----------+                    +--------------+------------+
                      |                                              |
                      |                                              |
                      |                                              v
        +-------------v-------------+                    +-----------+---------+
  Nope  |* Check if username conform|                    |ClientLogin API query+----------+
+-------+  (it has @suffix)         |                    |is requested         |          |
|       +-------------+-------------+                    +------+--------+-----+          |
|                     |                                         |        |           +----v-----------------------+
|                     | Yes                                     |        |           |Query fails with other error|
|                     |                                         |        |           +--------------------------+-+
|                     |                                         |        |                                      |
|       +-------------v------------------+                      |  +-----v----------+   +---------------------+ |
|       |* Login using standard API query|                      |  |Query fails with+--->2FA form is displayed| |
|       |  action=login                  |                      |  |"UI" error      |   |to user and ask for  | |
|       +-----+--------------------+-----+                      |  +----------------+   |their login token    | |
|             |                    |                            |                       +-----+---------------+ |
|             |                    |                            |                             |                 |
|      +------v-----+        +-----v-----------------------+    |                      +------v--------------+  |
|      |Query failed|        |Query is successfuly finished|    |              +-------+ClientLogin API query|  |
|      +------+-----+        +---------------------------+-+    |              |       |with token           |  |
|             |                                          |      |              |       +-----------+---------+  |
|             |                                          |      |              |                   |            |
|             |                                          |   +--v--------------v-+                 |            |
|             |                                          |   |Query is successful|          +------v----+       |
|             |                                          |   +--------------+----+          |Query fails|       |
|             |                                          |                  |               +------+----+       |
|             |                                          |                  |                      |            |
|      +------v----------------------------+             |   +--------------v--------+             |            |
+------>Show error to user with explanation|             +--->Login successful.      |             |            |
       |on what's wrong                    |                 |                       |             |            |
       +--------------------------^---^----+                 +-----------------------+             |            |
                                  |   |                                                            |            |
                                  |   +-------------------------------------------------------------------------+
                                  |                                                                |
                                  |                                                                |
                                  +----------------------------------------------------------------+

framawiki force-pushed the 2fa/T180279 branch from 5b2bc26 to 85f0612 Compare November 11, 2017 19:26

framawiki force-pushed the 2fa/T180279 branch from 85f0612 to af06a68 Compare November 11, 2017 19:27

framawiki changed the title ~~First commit for clientlogin + 2FA~~ clientlogin + 2FA Nov 11, 2017

framawiki commented Nov 11, 2017

View reviewed changes

benapetr reviewed Nov 11, 2017

View reviewed changes

benapetr reviewed Nov 13, 2017

View reviewed changes

improvements

3e68481

framawiki force-pushed the 2fa/T180279 branch from 0ef6b2c to 3e68481 Compare November 15, 2017 17:57

benapetr added 2 commits November 18, 2017 11:50

Merge https://github.com/huggle/huggle3-qt-lx into 2fa/T180279

5abbf15

Merge github.com:huggle/huggle3-qt-lx into 2fa/T180279

904172b

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

clientlogin + 2FA #260

clientlogin + 2FA #260

framawiki commented Nov 11, 2017 •

edited

framawiki left a comment

framawiki Nov 11, 2017

framawiki Nov 11, 2017 •

edited

benapetr commented Nov 11, 2017

benapetr commented Nov 11, 2017

benapetr Nov 11, 2017

framawiki Nov 12, 2017

benapetr Nov 11, 2017

framawiki Nov 12, 2017 •

edited

benapetr Nov 12, 2017

benapetr Nov 11, 2017

framawiki Nov 12, 2017

framawiki commented Nov 12, 2017

benapetr Nov 13, 2017

framawiki Nov 15, 2017

benapetr commented Nov 16, 2017

clientlogin + 2FA #260

Are you sure you want to change the base?

clientlogin + 2FA #260

Conversation

framawiki commented Nov 11, 2017 • edited

framawiki left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

framawiki Nov 11, 2017 • edited

Choose a reason for hiding this comment

benapetr commented Nov 11, 2017

benapetr commented Nov 11, 2017

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

framawiki Nov 12, 2017 • edited

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

framawiki commented Nov 12, 2017

Choose a reason for hiding this comment

Choose a reason for hiding this comment

benapetr commented Nov 16, 2017

framawiki commented Nov 11, 2017 •

edited

framawiki Nov 11, 2017 •

edited

framawiki Nov 12, 2017 •

edited