How to write login plugin to MediaWiki - mediawiki

I want to connect to our own oauth2 server, so I wrote an oauth2 login extension, there is the code when I get account information from oauth2 server.
$user = User::newFromName($username);
$user->setEmail($email);
$user->load();
if (!($user instanceof User && $user->getId())) {
$user->addToDatabase();
}
$user->setToken();
$user->setCookies();
$this->getContext()->setUser($user);
$user->saveSettings();
It will create user data if the user does not exist, but sometimes login will fail if you are not logout by click logout button, and I totally have no clue to solve this problem.
I found MediaWiki has login API, but it required a password and seems not has user auto-creating feature, any reference to accomplish it?

In MediaWiki 1.27+ login should be done by writing a PrimaryAuthenticationProvider (before 1.27 there was no non-hacky way to do it for non-password-based logins). See the inline documentation in that class, or this patch which provides similar functionality for OAuth1.

Related

CAS 6.2.x MFA Principal Attribute Trigger 'memberOf' Active Directory Not Working

I have CAS 6.2.x running in Kubernetes building the image from this repo. I am passing in the cas.properties file via configmap.I have it wired up against Active Directory and am able to login with the Username/Password. I am now working to enable MFA with the Google Authenticator plugin. I have this working as well if I force the flow globally with the following:
cas.authn.mfa.global-provider-id=mfa-gauth
When I try to use the values described here for Multifactor Authentication: Principal Attribute Trigger it doesn't send me to the MFA flow. These are the settings that I have set:
cas.authn.ldap[0].principalAttributeList=userPrincipalName,cn,givenName,sAMAccountName,memberOf
cas.authn.mfa.global-principal-attribute-name-triggers=memberOf
cas.authn.mfa.global-principal-attribute-value-regex=ForceMfa
When I log in these are the values returned back for memberOf:
memberOf
[CN=Group2,OU=MyOu,DC=subdomain,DC=domain,DC=local, CN=Group1,OU=MyOu,DC=subdomain,DC=domain,DC=local, CN=ForceMfa,OU=MyOu,DC=subdomain,DC=domain,DC=local]
Principal
I used Misagh blog post as a guide.
If I change the trigger and regex to sAMAccountName and my username it then works as expected. Not sure if I need to change the regex format to find the group name or if I just have something else wrong. It just seems like the regex is not finding a match for some reason as the settings seem to be working for me, just not with memberOf.
Thank you
Consider switching this to:
cas.authn.mfa.global-principal-attribute-value-regex=.*ForceMfa.+
Then, attach/review your logs for org.apereo.cas under either DEBUG/TRACE so you can see what's happening.

Mediawiki AuthManager and SessionManager SSO

I am currently using 1.24.x and using LoginForm class and FauxRequest to login the remote (and create it locally if it doesn't exist) but this feature is being removed in 1.27.x so I am forced to write with a new standard using AuthManager and SessionMamager. I also will be upgrading to 1.31 as soon as LTS version of it comes out.
While reading, AuthManager and SessionManager, I just can't understand how can I authenticate external users. I also looked at the extension pluggableSSO which uses PluggableAuth but can't understand it as well.
Can someone please point me to a straightforward example of how can I authenticate a user if I have a user id and user name? and if that user doesn't exist, how can I create one and authenticate them locally?
Thanks
If someone like me who is very new to MediaWiki, there is a solution for SSO called PluggableAuth and Auth_Remoteuser.
I picked PluggableAuth which is implemented based on AuthManager and it is very easy to integrate.
All we need is to define a global variable $PluggableAuth_Class and implement the following methods in it:
public function authenticate( &$id, &$username, &$realname, &$email, &$errorMessage )
public function saveExtraAttributes( $id )
public function deauthenticate( User &$user )
More information can be found on:
PluggableAuth

Add additional validation for logins using LexikJWTAuthenticationBundle

I want to add additional validation to allow the login, ie, not just check that the username and password match but do other validations on the user before allowing him to login.
I tried extending JWTTokenAuthenticator but it seems none of its methods are called during the login.
I thought of using a custom "AuthenticationSuccessHandler" but I'm not sure if this is the place I should do this and how could I report from there that the "login" is actually invalid.
Where should I put this logic?
I end up replacing the "login_form" authentication shown on the LexikJWTAuthenticationBundle bundle documentation for a custom guard authentication just for the login, i.e. different than the guard authentication used to validate the JWT tokens.
In the past, I had a similar requirement. Within the alternatives I chose to implement a custom user provider. Symfony documentation on custom user provider creation is more than enough to accomplish the task. Moreover, "Configuring the user provider" section of the LexikJwt documentation explains how to configure lexik_jwt accordingly.

redmine - register a new user through API without having admin rights

In Redmine is possible to register new account using web interface via
http://redmine/account/register
When Submit is performed browser sends a POST to account\register with this data:
utf8=%E2%9C%93&authenticity_token=6XEpkFIoAsXyIvAk3j%xxxxxxxroM3yJm5yV4dLoExNg%3D&user%5Blogin%5D=myuser&user%5Bpassword%5D=password&user%5Bpassword_confirmation%5D=password&user%5Bfirstname%5D=firstname&user%5Blastname%5D=lastname&user%5Bmail%5D=test123%40mydomain.tld&user%5Blanguage%5D=it&commit=Invia
In logfile is possible to see:
Started POST "/account/register" for 173.102.44.73 at 2017-03-09 15:53:13 +0100
[...]
{
"utf8"=>"✓",
"authenticity_token"=>"long_alphanumeric_string",
"user"=>{
"login"=>"mynewuser",
"password"=>"[FILTERED]",
"password_confirmation"=>"[FILTERED]",
"firstname"=>"myfirstname",
"lastname"=>"mylastname",
"mail"=>"test123#mydomain.tld",
"language"=>"it"
},
"commit"=>"Invia"
}
Redmine has Rest API support but I can't find how to register a new user using JSON.
EDIT: Is it possible to create/register new user via JSON POST using http://redmine/users.json as described here but Administrators rights are needed.
Web interface permits account registration for anonymous users, is it also possible via Rest API ?
The following should work:
create a redmine api-user i.e. api-user-cancreateusers
enable REST API in Administration -> Settings -> Authentication
generate/get the api-user api-key
give the api-user rights to create users
put the api-user name and key into your program/service
profit!
redmine-auth-doc
Edit:
give the api-user rights to create users
as hinted in the comment - it seems there is no such thing. the only way seems to give the api user admin rights (shudder)
alternatively fetch the account/register page and replay with the provided auth_token

Spring Security Authenticates User with old credentials until Web App Restart

Hi there I am developing a web app and I am using Spring Security. In the app the user can change his/her details (username, password and some other fields). I am using a custom User Details Class for this and my Spring Security configuration is the default (keep in mind no cache method is declared, so I suppose NullUserCache is used). All the user records come from DataBase using JDBC Connector (MySQL).
Now when a user changes his/her info or/and username-password those changes update the corresponding columns in DataBase. So now the DB is updated. Because I have not implemented setters in my Custom User Details Class, I force the user to logout log out automatically. But now he/she can login using both the new username and the old one.
Suppose now that the user changed something on the other fields (for example if the age was changed from 20 to 21). When user logins using the new username I can see 21. If user logins using the old username I can see 20!.
I guess Spring Security now creates a new User (during login) which didn't exist and the old one is never removed!
So after reading many posts in the web and trying the corresponding solutions I 'm still unable to fix that.
What I have used (in the controller that is responsible for account editing):
if (authenticate != null){
new SecurityContextLogoutHandler().logout(request, response, authenticate);
}
SecurityContextHolder.getContext().setAuthentication(null);
SecurityContextHolder.clearContext();
What I understand and believe is that Spring Security holds somewhere (I thought User Cache) the username, maybe along with the password and now it sees the old username as a different User. The only way to prevent this from happening is to restart the app. After restarting the user only logins using the new username.
Is there any way I can remove that "user"-username? Any suggestion would be usefull, I am really confused and the only case close to mine was this but his problem was with the oracle connector using connection cache..
UPDATE problem tracked down to a problem inside loadbyusername method..read more on the 14th comment below :)
Happy coding!
I finally found the source of that problem..black hole closed. Credits #Jebil and #Robin Winch for their help!
Well everything worked as it should except the fact that the HashMap on the rensposible for the login DAO, was never cleared..so after every successful login attempt the HashMap returned was appended and so after every username update, it contained both old and new values..solution was simple..before accessing the DB HashMap should be cleared!
Happy dividing by 0 :P