Page MenuHomePhabricator
Create Task
Maniphest T404362

Create a maintenance script that updates encrypted data within oathauth_devices from one OATHSecretKey value to another
Open, Needs TriagePublic
Actions

Description

With the completion of T145915, we should create a new maintenance script (or simply add an option to the existing UpdateTOTPSecretsToEncryptedFormat.php) that migrates encrypted data within the oathauth_devices table from one OATHSecretKey value to another. Various OATHSecretKey values will likely be accidentally or intentionally leaked or compromised and there is currently no good option to efficiently support switching to a new key value when such incidents occur.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add a maintenance script to re-encrypt secretsmediawiki/extensions/OATHAuthmaster+184 -26
Customize query in gerrit

Related Objects

Event Timeline

sbassett created this task.Sep 11 2025, 2:26 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 11 2025, 2:26 PM
Reedy moved this task from Backlog to Features/Improvements on the MediaWiki-extensions-OATHAuth board.Sep 17 2025, 9:30 AM
Reedy merged a task: T403180: Add method to re-encrypt secrets with a new key.Oct 25 2025, 6:09 PM
Reedy added a comment.Mar 20 2026, 5:33 PM

I guess the script just needs to read the encrypted rows, decrypt with $old key, encrypt with $new key, and save back to the database.

Probably a little thought of how we want to take those as parameters, or whether to use $wgOATHSecretKey for one of them...

Is it worth allowing $wgOATHSecretKey to be an array... And if decryption fails (like during actions on the site whilte migration is happening), use the other key... Or is that just overcomplicating something that shouldn't take too long (well, depending on the number of users)...

Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptMar 20 2026, 5:33 PM
gerritbot added a comment.Mar 20 2026, 6:05 PM

Change #1256465 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] WIP: Add script to re-encrypt secrets

https://gerrit.wikimedia.org/r/1256465

gerritbot added a project: Patch-For-Review.Mar 20 2026, 6:05 PM
gerritbot added a comment.Tue, May 26, 11:40 PM

Change #1256465 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Add a maintenance script to re-encrypt secrets

https://gerrit.wikimedia.org/r/1256465

Maintenance_bot removed a project: Patch-For-Review.Wed, May 27, 12:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits