Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

$wgAuth is deprecated in 1.27 #11

Closed
jdarwood007 opened this issue Oct 18, 2016 · 5 comments
Closed

$wgAuth is deprecated in 1.27 #11

jdarwood007 opened this issue Oct 18, 2016 · 5 comments
Labels
SMF 2.0 SMF 2.1
Milestone
MediaWIki 1.31 LTS

Comments

@jdarwood007
Copy link
Member

https://www.mediawiki.org/wiki/Manual:SessionManager_and_AuthManager

While working on #10 I was informed $wgAuth is deprecated and should be replaced by AuthManager Plugin system.

https://www.mediawiki.org/wiki/Manual:SessionManager_and_AuthManager

This will greatly change how we handle auth. Looking at it, we would be using SessionManager to validate the login and then tell MW what to do (login, create user, etc). We also will need to build this as the plugin system.
The GoogleLogin plugin uses this. As does IPBLoginAuth

Would like to find more plugins to use for researching on how others are handling this.
@jdarwood007 jdarwood007 added this to the SMF 2.1 milestone Oct 18, 2016
@jdarwood007 jdarwood007 modified the milestones: SMF 2.0, SMF 2.1 Oct 18, 2016
@tazinator
Copy link

https://www.mediawiki.org/wiki/Extension:GoogleLogin/PostAuthManager

Might be of assistance there. Seems thats using AuthManager.

@Vekseid
Copy link

Vekseid commented Oct 1, 2019

https://github.com/Vekseid/ForumSessionProvider

I wrote this for SMF and Elkarte both as I'm preparing for conversion. It should work with SMF 2.1 out of the box.

@jdarwood007
Copy link
Member Author

Looking into this the base that @Vekseid provided is the right direction for the future. Some of the errors would be easy to solve, but MediaWiki has decided to overload session_start(), which creates another set of issues. PHP 7.2 also made this more difficult to do as well and prevents us from calling session_start again and complicates this more.

Since you can't interact with SMF's session data. This prevents the auth plugin from issuing old_url to the session. Which means PHP and MediaWiki have just made this impossible to do securely since the only other way to do this is to insecurely send the return url in the request.

Thats about as much as I looked into it. I couldn't see a way to get into the SMF session to inject the old_url.

This most likely means we need to implant a system in 2.1 which can allow the auth system to issue redirects in the safest way. Only way I can see doing that is a trusted domains list, which means a attacker could still issue a attack to a url you controlled, but not outside your site. This also means it would be possible for a attack to occur by a blind redirect attack. Need more time to think up a solution.

@Vekseid
Copy link

Vekseid commented Nov 10, 2019
edited

@jdarwood007 is that what was going on.

I think, a better solution would be, if SMF gets hit on the logout url without valid session tokens backing it up, just confirm it with the user.

@jdarwood007
Copy link
Member Author

Logout it makes sense for us to allow a confirmation page to confirm logouts. This is easily setup.
I have an idea of what we can do for the redirects. Will work on a solution for 2.1 and somebody can backport it to 2.0 if desired.

@Vekseid Vekseid mentioned this issue Nov 11, 2019
Open
@jdarwood007 jdarwood007 mentioned this issue Nov 12, 2019
Closed
@jdarwood007 jdarwood007 modified the milestones: SMF 2.1, MediaWIki 1.31 LTS Aug 10, 2022
@berianwilliams berianwilliams mentioned this issue Jan 12, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
SMF 2.0 SMF 2.1
Projects
None yet
Milestone
MediaWIki 1.31 LTS
Development

No branches or pull requests
3 participants
@jdarwood007 @tazinator @Vekseid