Last modified: 2013-03-15 23:29:26 UTC
When I go to <https://labsconsole.wikimedia.org/wiki/Special:UserLogin>, I see:

Username: [ ]
Password: [ ]
Your domain: [labs]
Token: [ ]
[ ] Remember my login...

The "token" field is apparently completely useless for a typical login. I'm not really sure why it's there at all. It confused the hell out of me when trying to register a new account. It should, at a minimum, say "Token (optional)" or something.
Token is used for 2-factor auth. I'm surprised that the field is present if you don't have 2-factor enabled, but I suspect we're on the verge of turning it on for everyone...
Oh, of course it's visible since you /might/ have 2-factor turned on. So that should be explained on the form somehow...
(In reply to comment #2)
> Oh, of course it's visible since you /might/ have 2-factor turned on. So that
> should be explained on the form somehow...

Maybe even use JS to make it hidden by default in a drop down or something..
I'm marking this WONTFIX: Challenge/response is the proper way of handling this, as you shouldn't let an attacker know if two-factor is enabled unless the user logs in with the proper username/password. MediaWiki core has no support for challenge/response. This isn't really a bug with labsconsole. If you'd like to see this fixed, open two bugs:

1. A bug in MediaWiki core for challenge/response
2. A bug in extension OATHAuth to use the core support
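
The challenge/response flow the closing comment describes, as an added sketch that is not part of the original thread and is not MediaWiki or OATHAuth code: the token is requested only after the username and password verify, and every failure before that point looks the same. The sample accounts, function names and response shapes are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, struct, time

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample accounts: alice has two-factor enabled, bob does not.
SALT = b"constructed-salt"
USERS = {
    "alice": {"pw": pw_hash("correct horse", SALT), "totp": b"constructed-secret-1"},
    "bob": {"pw": pw_hash("battery staple", SALT), "totp": None},
}
PENDING = {}  # challenge id -> username, held server-side between the two steps

def login_step1(username: str, password: str) -> dict:
    """Password step. Unknown user and wrong password yield the same answer,
    so nothing about the account's two-factor state leaks before this passes."""
    user = USERS.get(username)
    stored = user["pw"] if user else pw_hash("dummy", SALT)  # hash either way
    ok = hmac.compare_digest(stored, pw_hash(password, SALT)) and user is not None
    if not ok:
        return {"status": "failed"}
    if user["totp"] is None:
        return {"status": "logged_in", "user": username}
    challenge = secrets.token_urlsafe(16)
    PENDING[challenge] = username
    return {"status": "token_required", "challenge": challenge}

def login_step2(challenge: str, token: str, now: float = None) -> dict:
    """Token step, reachable only with a challenge issued by step 1."""
    username = PENDING.pop(challenge, None)  # single use
    if username is None:
        return {"status": "failed"}
    now = time.time() if now is None else now
    expected = totp(USERS[username]["totp"], now)
    if hmac.compare_digest(expected, token):
        return {"status": "logged_in", "user": username}
    return {"status": "failed"}
```

With this shape the login form needs no token field at all: the second prompt appears only for accounts that have two-factor enabled, and only after the password has been accepted.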