huggle3-qt-lx
clientlogin + 2FA
To be able to login with 2FA enabled, we need to use clientlogin instead of login, and at least to correctly detect users with this security enabled. In case of 2FA, a second HTTP request is needed to send user, pass, totp (2FA code), fake loginreturnurl, rememberMe boolean and our classical token.
It's the first commit; currently the login form works as usual for normal users. Users with 2FA enabled can't be connected yet.
So this commit is not ready to be merged for now.
Inspired by https://github.com/commons-app/apps-android-commons/blob/b0e8175003a686789474238dd293aa89d1e925c7/app/src/main/java/fr/free/nrw/commons/mwapi/ApacheHttpClientMediaWikiApi.java#L93
Bug: https://phabricator.wikimedia.org/T180279
Isn't action=login deprecated anyway? I think we need to replace it with "clientlogin" at some point anyway or is that one also deprecated?
Can you maybe create some diagram of how this is supposed to work? It's hard to review the code if I have no clue on how 2FA login is working within MW. Why is there even a need for callback URL, this isn't OAuth.
action=login looks deprecated, see https://www.mediawiki.org/w/api.php?action=help&modules=login :
This action should only be used in combination with Special:BotPasswords; use for main-account login is deprecated and may fail without warning. To safely log in to the main account, use action=clientlogin.
Please look https://www.mediawiki.org/w/api.php?action=help&modules=clientlogin too.
This is how I imagine it should work, but it now doesn't:
+----------------------+ +---------------------------+
|Bot login is requested| |Classic login is requested |
+-----------+----------+ +--------------+------------+
| |
| |
| v
+-------------v-------------+ +-----------+---------+
Nope |* Check if username conform| |ClientLogin API query+----------+
+-------+ (it has @suffix) | |is requested | |
| +-------------+-------------+ +------+--------+-----+ |
| | | | +----v-----------------------+
| | Yes | | |Query fails with other error|
| | | | +--------------------------+-+
| | | | |
| +-------------v------------------+ | +-----v----------+ +---------------------+ |
| |* Login using standard API query| | |Query fails with+--->2FA form is displayed| |
| | action=login | | |"UI" error | |to user and ask for | |
| +-----+--------------------+-----+ | +----------------+ |their login token | |
| | | | +-----+---------------+ |
| | | | | |
| +------v-----+ +-----v-----------------------+ | +------v--------------+ |
| |Query failed| |Query is successfully finished| | +-------+ClientLogin API query| |
| +------+-----+ +---------------------------+-+ | | |with token | |
| | | | | +-----------+---------+ |
| | | | | | |
| | | +--v--------------v-+ | |
| | | |Query is successful| +------v----+ |
| | | +--------------+----+ |Query fails| |
| | | | +------+----+ |
| | | | | |
| +------v----------------------------+ | +--------------v--------+ | |
+------>Show error to user with explanation| +--->Login successful. | | |
|on what's wrong | | | | |
+--------------------------^---^----+ +-----------------------+ | |
| | | |
| +-------------------------------------------------------------------------+
| |
| |
+----------------------------------------------------------------+
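The two-step clientlogin exchange from the PR description and the diagram above, as an added example that is not huggle3-qt-lx code: it builds the parameters for the first and second request and classifies the API's reply so that a "UI" status is only treated as 2FA when the server actually asks for a TOTP token. The field names (logintoken, logincontinue, OATHToken, TOTPAuthenticationRequest) follow the documented clientlogin and OATHAuth API; the replies are constructed samples so the script runs offline.

```python
# Added example, not part of huggle3-qt-lx. Simulates the action=clientlogin
# flow: initial request, "UI" challenge for 2FA, continuation with the code.
import json

def initial_login_params(username, password, logintoken, return_url, remember=False):
    """Step 1: credentials plus the login token fetched beforehand."""
    params = {
        "action": "clientlogin", "format": "json",
        "username": username, "password": password,
        "logintoken": logintoken,      # from action=query&meta=tokens&type=login
        "loginreturnurl": return_url,  # required by the API even though this is not OAuth
    }
    if remember:
        params["rememberMe"] = "1"
    return params

def continue_login_params(totp_code, logintoken):
    """Step 2: answer the UI challenge with the 2FA code; the password is not resent."""
    return {
        "action": "clientlogin", "format": "json",
        "logincontinue": "1", "logintoken": logintoken,
        "OATHToken": totp_code,  # field name used by TOTPAuthenticationRequest
    }

def classify(response_json):
    """Map a clientlogin reply to what the client should do next."""
    cl = json.loads(response_json).get("clientlogin", {})
    status = cl.get("status")
    if status == "PASS":
        return "logged_in"
    if status == "UI":
        # Only treat the challenge as 2FA if a TOTP field is actually requested.
        for req in cl.get("requests", []):
            if "OATHToken" in req.get("fields", {}):
                return "needs_2fa"
        return "unknown_ui"  # some other interactive step: show it, do not guess
    # FAIL, REDIRECT, RESTART or missing status: surface the code to the user.
    return "failed:" + cl.get("messagecode", status or "no-status")

# Constructed sample replies, shaped like the live API's JSON.
UI_REPLY = json.dumps({"clientlogin": {"status": "UI", "requests": [
    {"id": "TOTPAuthenticationRequest",
     "fields": {"OATHToken": {"type": "string", "label": "Token"}}}]}})
FAIL_REPLY = json.dumps({"clientlogin": {"status": "FAIL",
    "messagecode": "wrongpassword", "message": "Incorrect password."}})
PASS_REPLY = json.dumps({"clientlogin": {"status": "PASS", "username": "Example"}})

if __name__ == "__main__":
    print(classify(UI_REPLY), classify(FAIL_REPLY), classify(PASS_REPLY))
```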