From 0a461ba1938060ede5d85c6915d4deaf20d8e52e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Tisza?= <tgr.huwiki@gmail.com>
Date: Sun, 23 Mar 2025 20:33:17 +0100
Subject: [PATCH] SECURITY: Do not treat autocreation as login for
 reauthentication

Autocreation doesn't necessarily involve real-time user
identification, it can be based on some provider identifying the
user based on a session cookie or similar low-fidelity information.
Do not restart the reauthentication timer.

Bug: T389009
Change-Id: Icfb4d0ffe71a92421e8630a92ae302cc459aa9d6
---
 includes/auth/AuthManager.php | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/includes/auth/AuthManager.php b/includes/auth/AuthManager.php
index 1ec091991d9..780483b4283 100644
--- a/includes/auth/AuthManager.php
+++ b/includes/auth/AuthManager.php
@@ -1940,7 +1940,7 @@ class AuthManager implements LoggerAwareInterface {
 			$user->loadFromId( IDBAccessObject::READ_LATEST );
 			if ( $login ) {
 				$remember = $source === self::AUTOCREATE_SOURCE_TEMP;
-				$this->setSessionDataForUser( $user, $remember );
+				$this->setSessionDataForUser( $user, $remember, false );
 			}
 			return Status::newGood()->warning( 'userexists' );
 		}
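Review bot: The bare positional `false` appended to the `setSessionDataForUser( $user, $remember, false )` call gives a reader no hint that it is the reauthentication flag being switched off, and the same call shape appears in the two following hunks (the `@@ -2100` and `@@ -2158` hunks). A one-line comment above each call, `// Autocreation is not a real-time authentication; do not refresh the reauthentication timer (T389009)`, or a named argument `isReauthentication: false` if the project's minimum PHP version allows named arguments, would make the intent visible at the call site. The enclosing autocreation method starts and ends outside this hunk.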
@@ -2100,7 +2100,7 @@ class AuthManager implements LoggerAwareInterface {
 					] );
 					if ( $login ) {
 						$remember = $source === self::AUTOCREATE_SOURCE_TEMP;
-						$this->setSessionDataForUser( $user, $remember );
+						$this->setSessionDataForUser( $user, $remember, false );
 					}
 					$status = Status::newGood()->warning( 'userexists' );
 				} else {
@@ -2158,7 +2158,7 @@ class AuthManager implements LoggerAwareInterface {
 
 		if ( $login ) {
 			$remember = $source === self::AUTOCREATE_SOURCE_TEMP;
-			$this->setSessionDataForUser( $user, $remember );
+			$this->setSessionDataForUser( $user, $remember, false );
 		}
 		$retStatus = Status::newGood();
 		$this->logAutocreationAttempt( $retStatus, $user, $source, $login );
@@ -2851,9 +2851,11 @@ class AuthManager implements LoggerAwareInterface {
 	/**
 	 * Log the user in
 	 * @param User $user
-	 * @param bool|null $remember
+	 * @param bool|null $remember The "remember me" flag.
+	 * @param bool $isReauthentication Whether creating this session should count as a recent
+	 *   authentication for $wgReauthenticateTime checks.
 	 */
-	private function setSessionDataForUser( $user, $remember = null ) {
+	private function setSessionDataForUser( $user, $remember = null, $isReauthentication = true ) {
 		$session = $this->request->getSession();
 		$delay = $session->delaySave();
 
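Review bot: The new `$isReauthentication` parameter defaults to `true`, so every caller of setSessionDataForUser that is not touched by this patch keeps counting its session setup as a recent authentication, and any future caller gets that behaviour unless it remembers to opt out. Since the flag gates a security check, the safer default is the opposite direction: `private function setSessionDataForUser( $user, $remember = null, $isReauthentication = false )` with the genuine login paths passing `true` explicitly, so that a forgotten argument can only under-grant. Whether that is practical depends on the other callers, which are outside this hunk; if the default stays `true`, the docblock should at least say that the flag defaults to treating the call as a real-time authentication. The method body continues past the end of this hunk.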
@@ -2865,8 +2867,10 @@ class AuthManager implements LoggerAwareInterface {
 		if ( $remember !== null ) {
 			$session->setRememberUser( $remember );
 		}
-		$session->set( 'AuthManager:lastAuthId', $user->getId() );
-		$session->set( 'AuthManager:lastAuthTimestamp', time() );
+		if ( $isReauthentication ) {
+			$session->set( 'AuthManager:lastAuthId', $user->getId() );
+			$session->set( 'AuthManager:lastAuthTimestamp', time() );
+		}
 		$session->persist();
 
 		\Wikimedia\ScopedCallback::consume( $delay );
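Review bot: When `$isReauthentication` is false the new `if` leaves whatever `AuthManager:lastAuthId` and `AuthManager:lastAuthTimestamp` the session already held untouched, so a session that previously authenticated as one user and is now set up for a different user keeps the earlier user's recent-authentication record. If the reauthentication check compares the stored id against the current user this is harmless, but that comparison is not visible here; if it does not, an `else` branch that clears the two keys, `$session->remove( 'AuthManager:lastAuthId' ); $session->remove( 'AuthManager:lastAuthTimestamp' );`, or that clears them whenever the stored id differs from `$user->getId()`, would avoid inheriting a stale record. The method's closing brace lies outside this hunk.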
-- 
2.43.0

