[MediaWiki-commits] [Gerrit] mediawiki...CentralAuth[wmf/1.30.0-wmf.7]: Fix handling of password hash upgrade on login
jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/363891 ) Change subject: Fix handling of password hash upgrade on login .. Fix handling of password hash upgrade on login Ie0fbf797 caused the user to be immediately logged out if their password hash was upgraded on login, by moving the auth token reset to post-send where it can't update the user's session cookie. This is fixed by not bothering with the auth token reset in that code path. I5e22a184 caused the password hash upgrade to fail, accidentally, by moving most processing to a non-master CentralAuthUser instance so ->setPassword() was being called on a master instance that hadn't yet had its data loaded. Thus, the call to ->getId() which did trigger that loading was overwriting ->mPassword. This is fixed by making sure ->setPassword() loads the data before it starts setting fields. Bug: T169261 Change-Id: I7f01c02ed7c369e71f748ac9142edd1709ea6514 (cherry picked from commit 80eeb133cc707426c9fcca0cc1e6183d50f29211) --- M includes/CentralAuthUser.php 1 file changed, 10 insertions(+), 1 deletion(-) Approvals: Legoktm: Looks good to me, approved jenkins-bot: Verified diff --git a/includes/CentralAuthUser.php b/includes/CentralAuthUser.php index a85c1dd..903138d 100644 --- a/includes/CentralAuthUser.php +++ b/includes/CentralAuthUser.php @@ -1903,7 +1903,12 @@ $centralUser = CentralAuthUser::newMasterInstanceFromId( $this->getId() ); if ( $centralUser ) { - $centralUser->setPassword( $password ); + // Don't bother resetting the auth token for a hash + // upgrade. It's not really a password *change*, and + // since this is being done post-send it'll cause the + // user to be logged out when they just tried to log in + // since it can't update the just-sent session cookies. + $centralUser->setPassword( $password, false ); $centralUser->saveSettings(); } } ); @@ -2537,6 +2542,10 @@ */ function setPassword( $password, $resetAuthToken = true ) { $this->checkWriteMode(); + + // Make sure state is loaded before updating ->mPassword + $this->loadState(); + list( $salt, $hash ) = $this->saltedPassword( $password ); $this->mPassword = $hash; -- To view, visit https://gerrit.wikimedia.org/r/363891 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I7f01c02ed7c369e71f748ac9142edd1709ea6514 Gerrit-PatchSet: 2 Gerrit-Project: mediawiki/extensions/CentralAuth Gerrit-Branch: wmf/1.30.0-wmf.7 Gerrit-Owner: LegoktmGerrit-Reviewer: Anomie Gerrit-Reviewer: Legoktm Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] mediawiki...CentralAuth[wmf/1.30.0-wmf.7]: Fix handling of password hash upgrade on login
Legoktm has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/363891 ) Change subject: Fix handling of password hash upgrade on login .. Fix handling of password hash upgrade on login Ie0fbf797 caused the user to be immediately logged out if their password hash was upgraded on login, by moving the auth token reset to post-send where it can't update the user's session cookie. This is fixed by not bothering with the auth token reset in that code path. I5e22a184 caused the password hash upgrade to fail, accidentally, by moving most processing to a non-master CentralAuthUser instance so ->setPassword() was being called on a master instance that hadn't yet had its data loaded. Thus, the call to ->getId() which did trigger that loading was overwriting ->mPassword. This is fixed by making sure ->setPassword() loads the data before it starts setting fields. Bug: T169261 Change-Id: I7f01c02ed7c369e71f748ac9142edd1709ea6514 (cherry picked from commit 80eeb133cc707426c9fcca0cc1e6183d50f29211) --- M includes/CentralAuthUser.php 1 file changed, 10 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/CentralAuth refs/changes/91/363891/1 diff --git a/includes/CentralAuthUser.php b/includes/CentralAuthUser.php index a85c1dd..903138d 100644 --- a/includes/CentralAuthUser.php +++ b/includes/CentralAuthUser.php @@ -1903,7 +1903,12 @@ $centralUser = CentralAuthUser::newMasterInstanceFromId( $this->getId() ); if ( $centralUser ) { - $centralUser->setPassword( $password ); + // Don't bother resetting the auth token for a hash + // upgrade. It's not really a password *change*, and + // since this is being done post-send it'll cause the + // user to be logged out when they just tried to log in + // since it can't update the just-sent session cookies. + $centralUser->setPassword( $password, false ); $centralUser->saveSettings(); } } ); @@ -2537,6 +2542,10 @@ */ function setPassword( $password, $resetAuthToken = true ) { $this->checkWriteMode(); + + // Make sure state is loaded before updating ->mPassword + $this->loadState(); + list( $salt, $hash ) = $this->saltedPassword( $password ); $this->mPassword = $hash; -- To view, visit https://gerrit.wikimedia.org/r/363891 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I7f01c02ed7c369e71f748ac9142edd1709ea6514 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/CentralAuth Gerrit-Branch: wmf/1.30.0-wmf.7 Gerrit-Owner: LegoktmGerrit-Reviewer: Anomie ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits