cwruchiellab / casauth Goto Github PK

If a user logins through CAS for the first time and he doesn't already has a user on mediawiki the web UI throws this:
Fatal exception of type "Error"

And apache2 logs show this

[Wed Feb 10 07:33:29.602817 2021] [php7:warn] [pid 1687451] [client 192.168.0.100:41382] PHP Warning:  session_set_save_handler(): Cannot change save handler when session is active in /var/www/html/extensions/CASAuth/CAS/source/CAS/Client.php on line 1116
[Wed Feb 10 07:33:29.688588 2021] [php7:warn] [pid 1687451] [client 192.168.0.100:41382] PHP Warning:  session_destroy(): Trying to destroy uninitialized session in /var/www/html/extensions/CASAuth/CASAuth.php on line 231
[Wed Feb 10 07:33:29.726882 2021] [php7:warn] [pid 1687451] [client 192.168.0.100:41382] PHP Warning:  session_destroy(): Trying to destroy uninitialized session in /var/www/html/extensions/CASAuth/CASAuth.php on line 244
[Wed Feb 10 07:33:29.823279 2021] [php7:warn] [pid 1687449] [client 192.168.0.100:41388] PHP Warning:  session_set_save_handler(): Cannot change save handler when session is active in /var/www/html/extensions/CASAuth/CAS/source/CAS/Client.php on line 1116

Note: Mediawiki version is 1.35.0, php is 7.4 and $CASAuth["CreateAccounts"]=true; is set

When I press logout I get this message in the web UI:
Could not connect to the server. Make sure you have a working internet connection and try again.
Mediawiki server has no problem reaching the CAS server.

And this is thrown in the apache2 logs
[Wed Feb 10 07:41:23.512520 2021] [php7:warn] [pid 1687451] [client 192.168.0.100:45136] PHP Warning: session_set_save_handler(): Cannot change save handler when session is active in /var/www/html/extensions/CASAuth/CAS/source/CAS/Client.php on line 1116, referer: https://wiki.domain.com/index.php/Main_Page

Note: Mediawiki version is 1.35.0, php is 7.4 and $CASAuth["LogoutServers"][]='cas.domain.com'; $CASAuth["LogoutServers"]=true;

I'm afraid I can provide only limited help since I am not currently developing in MediaWiki and have stopped maintaining this project.

Do you plan to pick up development?

Is it ok for the Free Software Foundation to take over the project?

Hi folks, we recently upgraded from MediaWiki 1.31 LTS to 1.35 LTS and ran into a problem with CAS logouts due to MW1.35's change to using an AJAX post for logout rather than the default link following behavior. This new behavior was added in https://phabricator.wikimedia.org/T222626 . This may not be an issue for others if your CAS server sets CORS headers that allow the /cas/logout path to be accessed as part of AJAX requests, but our currently doesn't.

The work-around I ended up using is to comment out the Javascript code in MediaWiki that takes over the interaction for the logout link. This makes logout a two-click process, but one that has the benefit of not failing with CORS errors.

diff --git a/mediawiki/resources/src/mediawiki.page.ready/ready.js b/mediawiki/resources/src/mediawiki.page.ready/ready.j
index 6acffdf..a6f19a6 100644
--- a/mediawiki/resources/src/mediawiki.page.ready/ready.js
+++ b/mediawiki/resources/src/mediawiki.page.ready/ready.js
@@ -67,6 +67,12 @@ $( function () {
                e.preventDefault();
        } );
 
+/*
+       // Commented out by Adam Franco 2021-06-22 to avoid CORS issues with sending
+       // the CAS logout request via AJAX rather than a full client redirect.
+       // This code to turn the logout link into an AJAX POST was added in:
+       // https://phabricator.wikimedia.org/T222626
+
        // Turn logout to a POST action
        $( '#pt-logout a[data-mw="interface"]' ).on( 'click', function ( e ) {
                var api = new mw.Api(),
@@ -90,6 +96,7 @@ $( function () {
                );
                e.preventDefault();
        } );
+*/
 } );
 
 /**

If anyone has suggestions for alternate fixes that don't involve modifying the CAS server I'd be interested in hearing your ideas.

Hello,

Thanks for maintaining this extension. I appreciate the work you've put into this.

I have noticed an issue when using this extension with MW 1.27 on both of our wikis that make use of CASAuth. Users are unable to change their email address, due to a redirect loop. On other sites that we manage this is sometimes due to a failure to authenticate or lack of user permissions on the client side. The infinite redirect loop is such:

/wiki?title=Special:ChangeEmail&returnto=Special%3APreferences
/wiki?title=Special:UserLogin&returnto=Special%3AChangeEmail&returntoquery=returnto%3DSpecial%253APreferences&force=ChangeEmail
/wiki?title=Special:ChangeEmail&action=purge
/wiki?title=Special:UserLogin&returnto=Special%3AChangeEmail&returntoquery=action%3Dpurge&force=ChangeEmail
/wiki?title=Special:ChangeEmail&action=purge

Do you see this on your own wiki?

This isn't a super important issue for us, so no pressure. Thanks again for your work on this extension.

Thanks,
Andrew

Hello,
I have a server with MediaWiki 1.28 and phpCAS 1.3.5. On the wiki i press login, it sends me to the CAS login page and after i press login the page keeps loading saying "waiting for my.server.com..." until it times out and says "CAS Authentication failed!"
Do you have any idea what could cause this?

Cannot login to wiki via MediaWiki API; as a result automated API-based libraries like pywikibot cannot login.

It's theoretically possible to login via API using the hash, but since the MD5 hash is salted the end user has no way of obtaining their own password.

The CASAuth extension is installed in Free Software Directory (aka the Directory). The Free Software Foundation needs pywikibot to occasionally batch upload tens of thousands files to the Directory to sync the wiki with the data provided by the Debian package repository.