1<?php
2
3use MediaWiki\Extension\OATHAuth\IModule;
4use MediaWiki\MediaWikiServices;
5use MediaWiki\Session\SessionManager;
6
// Locate the MediaWiki core checkout: a non-empty MW_INSTALL_PATH environment
// variable wins, otherwise fall back to three directories above this script.
// The environment of whoever launches the script therefore decides which
// Maintenance.php gets loaded and executed below.
$IP = getenv( 'MW_INSTALL_PATH' ) ?: __DIR__ . '/../../..';
require_once "$IP/maintenance/Maintenance.php";
13
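/**
 * Maintenance script that removes the OATHAuth second factor from a single
 * account and then invalidates every session of that account.
 *
 * The username is taken from the first positional argument.
 */
class DisableOATHAuthForUser extends Maintenance {
	/**
	 * Registers the description, the positional 'user' argument and the
	 * dependency on the OATHAuth extension.
	 */
	public function __construct() {
		parent::__construct();
		$this->addDescription( 'Remove OATHAuth from a specific user' );
		$this->addArg( 'user', 'The username to remove OATHAuth from.' );
		$this->requireExtension( 'OATHAuth' );
	}

	/**
	 * Disables OATHAuth for the named user.
	 *
	 * Aborts with exit code 1 when the username is invalid, when the account
	 * does not exist, or when the account has no enabled OATHAuth module.
	 * On success the second factor is removed and all sessions of the user
	 * are invalidated.
	 */
	public function execute() {
		$username = $this->getArg( 0 );

		$user = User::newFromName( $username );
		// newFromName() yields a falsy value for an invalid username. That case
		// must abort as well: otherwise a non-User value would be handed to the
		// repository lookup below.
		if ( !$user || $user->getId() === 0 ) {
			// fatalError() always terminates the script, so nothing below runs
			// for an unknown account. The $die argument of error() is deprecated
			// and is not relied on here.
			$this->fatalError( "User $username doesn't exist!", 1 );
		}

		$repo = MediaWikiServices::getInstance()->getService( 'OATHUserRepository' );
		$oathUser = $repo->findByUser( $user );
		$module = $oathUser->getModule();
		if ( !( $module instanceof IModule ) || $module->isEnabled( $oathUser ) === false ) {
			// Nothing to remove: stop before touching the repository or sessions.
			$this->fatalError( "User $username doesn't have OATHAuth enabled!", 1 );
		}

		// The second argument is presumably stored as the origin of the removal;
		// confirm against the repository's remove() implementation.
		$repo->remove( $oathUser, 'Maintenance script' );
		// Kill all existing sessions. If this disable was social-engineered by an attacker,
		// the legitimate user will hopefully log in again, notice that the second factor
		// is missing or different, and alert the operators.
		SessionManager::singleton()->invalidateSessionsForUser( $user );

		$this->output( "OATHAuth disabled for $username.\n" );
	}
}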
46
// Name the class the maintenance runner should instantiate, then hand over to it.
// RUN_MAINTENANCE_IF_MAIN is not defined in this file; presumably it comes from
// the Maintenance.php required above.
$maintClass = DisableOATHAuthForUser::class;
require_once RUN_MAINTENANCE_IF_MAIN;
49