Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

clientlogin + 2FA #260

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

clientlogin + 2FA #260

wants to merge 4 commits into from

Conversation

framawiki
Copy link
Contributor

@framawiki framawiki commented Nov 11, 2017

To be able to login with 2FA enabled, we need to use clientlogin instead of login, and at least to correctly detect users with this security enabled.
In case of 2fa, a second http request is needed to send user, pass, totp (2fa code), fake loginreturnurl, rememberMe boolean and our classical token.

It's the first commit, currently the login form works as usual for normal users. users with 2fa enabled can' t be connected yet.

So this commit is not ready to be merged for now.

Inspired by https://github.com/commons-app/apps-android-commons/blob/b0e8175003a686789474238dd293aa89d1e925c7/app/src/main/java/fr/free/nrw/commons/mwapi/ApacheHttpClientMediaWikiApi.java#L93

Bug: https://phabricator.wikimedia.org/T180279

To be able to login with 2FA enabled, we need to use clientlogin instead of login.
In case of 2fa, a second http request is needed to send user, pass, totp (2fa code), fake loginreturnurl, rememberMe boolean and our classical token.

It's the first commit, currently the login form works as usual for normal users. users with 2fa enabled want be connected yet.

**So this commit is not ready to be merged for now.**

Inspired by https://github.com/commons-app/apps-android-commons/blob/b0e8175003a686789474238dd293aa89d1e925c7/app/src/main/java/fr/free/nrw/commons/mwapi/ApacheHttpClientMediaWikiApi.java#L93

Bug: https://phabricator.wikimedia.org/T180279
@framawiki framawiki changed the title First commit for clientlogin + 2FA clientlogin + 2FA Nov 11, 2017
Copy link
Contributor Author

@framawiki framawiki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@benapetr I still have two main problems. Can you help me solve them? Thanks !

huggle/login.cpp Outdated
query->UsingPOST = true;
query->Process();
ApiQueryResult *result = query->GetApiQueryResult();
ApiQueryResultNode *ln = result->GetNode("clientlogin");
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to execute this second request, but I can't finish it correctly without spending it with other connection requests.

huggle/login.cpp Outdated
if (status == "UI") {
// Need a user interaction like captacha or 2FA
//QString v_id = ln->ChildNodes.at(0)->GetAttribute("id", "unknown");
//if (v_id == "TOTPAuthenticationRequest"){
Copy link
Contributor Author

@framawiki framawiki Nov 11, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't parse the xml tree to get back the TOTPAuthenticationRequest value... Here is what contain the answer.

@benapetr
Copy link
Member

Isn't action=login deprecated anyway? I think we need to replace it with "clientlogin" at some point anyway or is that one also deprecated?

@benapetr
Copy link
Member

Can you maybe create some diagram of how is this supposed to work? It's hard to review the code if I have no clue on how 2FA login is working within MW. Why is there even a need for callback URL, this isn't OAuth.

@@ -416,6 +417,10 @@ void ApiQuery::SetAction(const Action action)
this->ActionPart = "login";
this->EnforceLogin = false;
return;
case ClientLogin:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to be called ActionClientLogin

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

huggle/login.cpp Outdated
@@ -554,21 +555,20 @@ void Login::PerformLoginPart2(WikiSite *site)
this->Statuses[site] = WaitingForToken;
this->LoginQueries.remove(site);
query->DecRef();
query = new ApiQuery(ActionLogin, site);
query = new ApiQuery(ClientLogin, site);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure that Bot login can use "ClientLogin"?

Copy link
Contributor Author

@framawiki framawiki Nov 12, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

... no, i can't log me in with botpassword... so it looks like that we need to leave both connection methods available in parallel :(
@addshore can you confirm that ClientLogin doesn't support botpassword ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I actually think that classic login was deprecated for everything except for bot passwords, basically in future it should replace classic login with bot password login only.

huggle/login.cpp Outdated
query->IncRef();
query->Parameters = "username=" + QUrl::toPercentEncoding(hcfg->SystemConfig_BotLogin)
+ "&password=" + QUrl::toPercentEncoding(hcfg->TemporaryConfig_Password)
+ "&OATHToken=" + totp + "&loginreturnurl=http://example.com/&rememberMe=1&logintoken=" + QUrl::toPercentEncoding(this->Tokens[site]);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is loginreturnurl needed at all here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah I'll use logincontinue

@framawiki
Copy link
Contributor Author

action=login looks depreciated, see https://www.mediawiki.org/w/api.php?action=help&modules=login :

This action should only be used in combination with Special:BotPasswords; use for main-account login is deprecated and may fail without warning. To safely log in to the main account, use action=clientlogin.

Please look https://www.mediawiki.org/w/api.php?action=help&modules=clientlogin too.

@@ -417,7 +417,7 @@ void ApiQuery::SetAction(const Action action)
this->ActionPart = "login";
this->EnforceLogin = false;
return;
case ClientLogin:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you forgot to renamed it elsewhere because now it doesn't compile at all

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

@benapetr
Copy link
Member

This is how I imagine it should work, but it now doesn't:

          +----------------------+                    +---------------------------+
          |Bot login is requested|                    |Classic login is requested |
          +-----------+----------+                    +--------------+------------+
                      |                                              |
                      |                                              |
                      |                                              v
        +-------------v-------------+                    +-----------+---------+
  Nope  |* Check if username conform|                    |ClientLogin API query+----------+
+-------+  (it has @suffix)         |                    |is requested         |          |
|       +-------------+-------------+                    +------+--------+-----+          |
|                     |                                         |        |           +----v-----------------------+
|                     | Yes                                     |        |           |Query fails with other error|
|                     |                                         |        |           +--------------------------+-+
|                     |                                         |        |                                      |
|       +-------------v------------------+                      |  +-----v----------+   +---------------------+ |
|       |* Login using standard API query|                      |  |Query fails with+--->2FA form is displayed| |
|       |  action=login                  |                      |  |"UI" error      |   |to user and ask for  | |
|       +-----+--------------------+-----+                      |  +----------------+   |their login token    | |
|             |                    |                            |                       +-----+---------------+ |
|             |                    |                            |                             |                 |
|      +------v-----+        +-----v-----------------------+    |                      +------v--------------+  |
|      |Query failed|        |Query is successfuly finished|    |              +-------+ClientLogin API query|  |
|      +------+-----+        +---------------------------+-+    |              |       |with token           |  |
|             |                                          |      |              |       +-----------+---------+  |
|             |                                          |      |              |                   |            |
|             |                                          |   +--v--------------v-+                 |            |
|             |                                          |   |Query is successful|          +------v----+       |
|             |                                          |   +--------------+----+          |Query fails|       |
|             |                                          |                  |               +------+----+       |
|             |                                          |                  |                      |            |
|      +------v----------------------------+             |   +--------------v--------+             |            |
+------>Show error to user with explanation|             +--->Login successful.      |             |            |
       |on what's wrong                    |                 |                       |             |            |
       +--------------------------^---^----+                 +-----------------------+             |            |
                                  |   |                                                            |            |
                                  |   +-------------------------------------------------------------------------+
                                  |                                                                |
                                  |                                                                |
                                  +----------------------------------------------------------------+

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants