Last modified: 2013-03-15 23:29:26 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T44131, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 42131 - Special:UserLogin on labsconsole.wikimedia.org shows a useless "Token" field
Status: RESOLVED WONTFIX
Product: Wikimedia Labs
Classification: Unclassified
Component: General
Version: unspecified
Hardware: All All
Importance: Unprioritized normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Reported: 2012-11-15 02:02 UTC by MZMcBride
Modified: 2013-03-15 23:29 UTC (History)

Description MZMcBride 2012-11-15 02:02:08 UTC
When I go to <https://labsconsole.wikimedia.org/wiki/Special:UserLogin>, I see:

Username:    [     ]
Password:    [     ]
Your domain: [labs]
Token:       [     ]
[ ] Remember my login...

The "token" field is apparently completely useless for a typical login. I'm not really sure why it's there at all. It confused the hell out of me when trying to register a new account. It should, at a minimum, say "Token (optional)" or something.

Comment 1 Andrew Bogott 2012-11-15 02:04:09 UTC
Token is used for 2-factor auth.  I'm surprised that the field is present if you don't have 2-factor enabled, but I suspect we're on the verge of turning it on for everyone...

Comment 2 Andrew Bogott 2012-11-15 02:05:58 UTC
Oh, of course it's visible since you /might/ have 2-factor turned on.  So that should be explained on the form somehow...

Comment 3 Sam Reed (reedy) 2012-11-15 02:06:56 UTC
(In reply to comment #2)
> Oh, of course it's visible since you /might/ have 2-factor turned on.  So that
> should be explained on the form somehow...

Maybe even use JS to make it hidden by default in a drop down or something..

Comment 4 Ryan Lane 2012-11-16 20:36:56 UTC
I'm marking this WONTFIX: Challenge/response is the proper way of handling this, as you shouldn't let an attacker know if two-factor is enabled unless the user logs in with the proper username/password. MediaWiki core has no support for challenge/response.

This isn't really a bug with labsconsole. If you'd like to see this fixed, open two bugs:

1. A bug in MediaWiki core for challenge/response
2. A bug in extension OATHAuth to use the core support
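
The challenge/response flow described in comment 4, as an added sketch that is not MediaWiki or OATHAuth code: the password step returns the same failure for every account, and a token is requested only after the password has been verified. The account data, `login_step1`, `login_step2` and the in-memory `PENDING` store are hypothetical names constructed for this example; challenge expiry and rate limiting are left out.

```python
import hashlib, hmac, secrets, struct, time

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample accounts: alice has two-factor enabled, bob does not.
USERS = {
    "alice": {"salt": b"a-salt", "pw": _pw_hash("correct horse", b"a-salt"),
              "totp_key": b"12345678901234567890"},
    "bob": {"salt": b"b-salt", "pw": _pw_hash("hunter2", b"b-salt"),
            "totp_key": None},
}
PENDING = {}  # challenge id -> username that passed the password step

def totp(key, now=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def login_step1(username, password):
    """Password step: every failure returns the same response."""
    user = USERS.get(username)
    # Hash for unknown users too, so the work done does not depend on the account.
    salt = user["salt"] if user else b"dummy-salt"
    expected = user["pw"] if user else bytes(32)
    ok = hmac.compare_digest(_pw_hash(password, salt), expected)
    if user is None or not ok:
        return {"status": "failed"}
    if user["totp_key"] is None:
        return {"status": "ok", "user": username}
    # Only now does the caller learn that a token is required.
    challenge_id = secrets.token_urlsafe(16)
    PENDING[challenge_id] = username
    return {"status": "challenge", "challenge_id": challenge_id}

def login_step2(challenge_id, token, now=None):
    """Token step: answers a challenge issued by login_step1, once."""
    username = PENDING.pop(challenge_id, None)
    if username is None:
        return {"status": "failed"}
    expected = totp(USERS[username]["totp_key"], now)
    if hmac.compare_digest(expected.encode(), token.encode()):
        return {"status": "ok", "user": username}
    return {"status": "failed"}
```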
