Last modified: 2013-09-21 09:12:22 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T37199, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 35199 - No way to do logins without user surrendering their password to software
No way to do logins without user surrendering their password to software
Status: NEW
Product: Huggle
Classification: Unclassified
WebApp (Other open bugs)
unspecified
All All
: Normal enhancement
: ---
Assigned To: Ryan Lane
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-13 13:32 UTC by Peter Bena
Modified: 2013-09-21 09:12 UTC (History)
10 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Peter Bena 2012-03-13 13:32:35 UTC 
There is currently no way to login to SUL on production. Regular login which asks for password isn't possible because of restrictions set by wmf. This blocks the development of app, until any kind of login is enabled by wmf operation team.
Comment 1 Sam Reed (reedy) 2012-03-13 17:25:06 UTC 
(In reply to comment #0)
> There is currently no way to login to SUL on production. Regular login which
> asks for password isn't possible because of restrictions set by wmf. This
> blocks the development of app, until any kind of login is enabled by wmf
> operation team.

Eh, what?
Comment 2 Peter Bena 2012-03-13 17:36:39 UTC 
Ryan Lane is going to discuss some alternative options which are possible, however until then the development is kind of blocked, so I created this ticket so other devs of huggle wa can see the reason
Comment 3 Ryan Lane 2012-03-13 17:45:24 UTC 
What he's saying is that the web version of huggle needs to log users in as themselves, which means it needs to ask for their username/password. Obviously this sucks a little, but there's no alternative because we don't support OAuth.
Comment 4 Sam Reed (reedy) 2012-03-13 17:50:18 UTC 
(In reply to comment #2)
> Ryan Lane is going to discuss some alternative options which are possible,
> however until then the development is kind of blocked, so I created this ticket
> so other devs of huggle wa can see the reason

(In reply to comment #3)
> What he's saying is that the web version of huggle needs to log users in as
> themselves, which means it needs to ask for their username/password. Obviously
> this sucks a little, but there's no alternative because we don't support OAuth.

Essentially that's no different to how the Windows app works - You still enter your username and password into the application. Just for the web app, you're giving a remote server your details too...
Comment 5 Peter Bena 2012-03-13 19:45:50 UTC 
yes but that is allowed by wmf, while doing it on server is not
Comment 6 Mark A. Hershberger 2012-03-15 01:18:42 UTC 
(In reply to comment #3)
> What he's saying is that the web version of huggle needs to log users in as
> themselves, which means it needs to ask for their username/password. Obviously
> this sucks a little, but there's no alternative because we don't support OAuth.

thread here: http://thread.gmane.org/gmane.science.linguistics.wikipedia.technical/59502
Comment 7 Peter Bena 2012-03-15 14:17:30 UTC 
Ryan:

is there going to be a work-around for this or we need to wait until oauth is implemented? I suppose that in that case we would need to stop for, maybe several years with this. I don't believe tha t anyone is going to implement oauth into mediawiki sooner than in several months and even if they did, the review and deployment to production would likely take even longer. (My experienceis that code review of extension which consist of less than 40 lines of code takes half a year, see request to review Interactive Block Message extension, which I requested months ago)
Comment 8 Michael Movchin 2012-09-11 22:24:02 UTC 
Ryan: Something new with this? We need your input to continue to work :)
Comment 9 Platonides 2012-09-11 22:28:28 UTC 
An option would be to make Huggle accept the cookies instead of the user & password (albeit many users would have trouble extracting them...).

I have long have the idea of allowing "restricted logins", where you can only use a few rights, precisely for handing out to bots. It would be nice here, too.
Comment 10 Ryan Lane 2012-09-12 06:23:35 UTC 
Which cookies?

I don't see much alternative here other than OAuth. A web version of huggle would need to act on a user's behalf. Either huggle needs to do proxy authentication, which is disallowed in labs, or it needs to use OAuth.

I don't really have much say on OAuth priority in MediaWiki. Maybe bring this up on the list again? OAuth is blocking a number of things in labs.
Comment 11 Platonides 2012-09-12 22:24:07 UTC 
The session cookie. The app could still impersonate the user, but it wouldn't have the "permanent" password.

Yes, getting OAuth (or equivalent protocol) up, would be the right solution.
Comment 12 Ryan Lane 2012-09-12 22:43:07 UTC 
The session cookie wouldn't work. It's different domains and separate clusters.
Comment 13 John Mark Vandenberg 2013-08-18 01:15:37 UTC 
Is it possible to provide users with an edit token that is visible via preferences (like the watchlist token), and is expired frequently; e.g. daily reset, with an age of 24 hrs after first use of the token.
Apps can use while we wait for OAuth to be implemented, and its simplicity may mean edit tokens continue to be used in simple apps even after OAuth lands.
Comment 14 MZMcBride 2013-08-18 01:37:23 UTC 
(In reply to comment #13)
> Is it possible to provide users with an edit token that is visible via
> preferences (like the watchlist token), and is expired frequently; e.g. daily
> reset, with an age of 24 hrs after first use of the token.

Possible? Sure. But it's unlikely to be implemented on Wikimedia wikis. According to <http://lists.wikimedia.org/pipermail/wikitech-l/2013-August/071215.html>, OAuth is going into testing on Monday, August 19.
Comment 15 Peter Bena 2013-09-21 09:12:22 UTC 
ok so oauth is partially available for webapp's so this is no longer a blocker, but for app it doesn't work
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links