
Special:UserLogin on labsconsole.wikimedia.org shows a useless "Token" field
Closed, Declined
Public

Description

When I go to https://labsconsole.wikimedia.org/wiki/Special:UserLogin, I see:

Username: [ ]
Password: [ ]
Your domain: [labs]
Token: [ ]

  • Remember my login...

The "token" field is apparently completely useless for a typical login. I'm not really sure why it's there at all. It confused the hell out of me when trying to register a new account. It should, at a minimum, say "Token (optional)" or something.


Version: unspecified
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=46179

Details

Reference
bz42131

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 1:06 AM
bzimport set Reference to bz42131.
bzimport added a subscriber: Unknown Object (MLST).

Token is used for 2-factor auth. I'm surprised that the field is present if you don't have 2-factor enabled, but I suspect we're on the verge of turning it on for everyone...

Oh, of course it's visible since you /might/ have 2-factor turned on. So that should be explained on the form somehow...

(In reply to comment #2)

> Oh, of course it's visible since you /might/ have 2-factor turned on. So that should be explained on the form somehow...

Maybe even use JS to make it hidden by default in a drop down or something..

I'm marking this WONTFIX: Challenge/response is the proper way of handling this, as you shouldn't let an attacker know if two-factor is enabled unless the user logs in with the proper username/password. MediaWiki core has no support for challenge/response.

This isn't really a bug with labsconsole. If you'd like to see this fixed, open two bugs:

  1. A bug in mediawiki core for challenge/response
  2. A bug in extension OATHAuth to use the core support
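
The challenge/response flow described in the closing comment, as an added Python sketch (not MediaWiki or OATHAuth code): the token prompt appears only after the password has been verified, so a failed first step looks the same whether or not two-factor is enabled. The function names, sample accounts and in-memory stores are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, struct, time

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample accounts: alice has two-factor enabled, bob does not.
USERS = {
    "alice": {"salt": b"a-salt", "totp": b"alice-totp-secret"},
    "bob": {"salt": b"b-salt", "totp": None},
}
USERS["alice"]["pw"] = pw_hash("correct horse", b"a-salt")
USERS["bob"]["pw"] = pw_hash("battery staple", b"b-salt")
PENDING = {}  # challenge id -> username that passed step 1 and owes a token

def login_step1(username: str, password: str) -> dict:
    """Password check. A failure reply never depends on the 2FA state."""
    user = USERS.get(username)
    salt = user["salt"] if user else b"dummy-salt"      # hash even for unknown users
    expected = user["pw"] if user else b"\x00" * 32
    ok = hmac.compare_digest(pw_hash(password, salt), expected) and user is not None
    if not ok:
        return {"status": "failed"}
    if user["totp"] is None:
        return {"status": "logged_in", "user": username}
    challenge = secrets.token_urlsafe(16)
    PENDING[challenge] = username
    return {"status": "token_required", "challenge": challenge}

def login_step2(challenge: str, token: str, now: float = None) -> dict:
    """Token check, reachable only with a challenge issued by step 1."""
    username = PENDING.pop(challenge, None)  # each challenge is single use
    if username is None:
        return {"status": "failed"}
    expected = totp(USERS[username]["totp"], time.time() if now is None else now)
    if hmac.compare_digest(expected.encode(), token.encode()):
        return {"status": "logged_in", "user": username}
    return {"status": "failed"}
```
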