Page MenuHomePhabricator
Create Task
Maniphest T399742

Integrated on-page form for EmailAuth recovery requests
Open, Needs TriagePublic
Actions

Description

Research how to build a form in Mediawiki that would pop up in EmailAuth and send data to Zendesk via the Zendesk API.

On the EmailAuth challenge form, we currently instruct users who have lost access to their email account to email ca@. This will be updated to link to a Zendesk form in T399749. However, we want to go further and embed the form directly onto the EmailAuth challenge page.

When the user clicks the link for getting help with account recovery, we should pop up a dialog that contains a form similar to the Zendesk form (but implemented in a MediaWiki extension). When the user submits this form, we should use the Zendesk API to submit the information the user entered to Zendesk, along with information EmailAuth has gathered internally (the username, whether the user successfully authenticated with a password, and maybe a reqId or IP address or other information that would be helpful for the recovery process).

Open questions:

  • Is it OK to rely on JavaScript for this embedded form? If JS is not available, should we just fall back to linking to the Zendesk form?
  • In which repo should this embedded form feature live? In EmailAuth, even though it's WMF-specific? In WikimediaMessages? Somewhere else?
  • How can we reuse the Zendesk API key setting that is currently specific to the ReportIncident extension?

Details

Other Assignee
mmartorana

Related Objects

Event Timeline

Mstyles created this task.Jul 16 2025, 5:12 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 16 2025, 5:12 PM
Catrope renamed this task from Mediawiki Form Design Research to Integrated on-page form for EmailAuth recovery requests.Jul 16 2025, 6:01 PM
Catrope updated the task description. (Show Details)
Catrope added a subscriber: kostajh.
kostajh added a comment.EditedJul 17 2025, 11:22 AM

Is it OK to rely on JavaScript for this embedded form? If JS is not available, should we just fall back to linking to the Zendesk form?

IMO, yes I think it would be fine to rely on JS, if we need to. We could also consider that the "Get help" link takes you to a Special:EmailAuthHelp form that doesn't require any JS, though.

In which repo should this embedded form feature live? In EmailAuth, even though it's WMF-specific? In WikimediaMessages? Somewhere else?

I'd probably place it in EmailAuth with a feature flag.

How can we reuse the Zendesk API key setting that is currently specific to the ReportIncident extension?

I misremembered about this, sorry. We currently submit tickets to Zendesk without authentication (this is essentially what the Zendesk site form allows for anyway). In T381089, we started discussing the use of OAuth tokens to avoid rate limiting issues.

kostajh added a subscriber: Tgr.Jul 17 2025, 11:25 AM
In T399742#11012886, @kostajh wrote:

Is it OK to rely on JavaScript for this embedded form? If JS is not available, should we just fall back to linking to the Zendesk form?

IMO, yes I think it would be fine to rely on JS, if we need to. We could also consider that the "Get help" link takes you to a Special:EmailAuthHelp form that doesn't require any JS, though.

@Tgr do you have any thoughts on this proposal, or concerns about how this would work with the authentication stack -- specifically, about having the form submission that creates the Zendesk ticket associated with the not-yet-fully-logged-in user who hasn't made it past the EmailAuth token stage?

Tgr added a comment.Sun, Jul 27, 8:31 PM

How do you prove that the Zendesk email is legit? Two approaches that come to mind:

  1. When the user reaches the EmailAuth screen, generate a proof token (could be a JWT with the username in it or whatever - incidentally, we are adding JWT generation support to MW core). Create a special page which verifies the token. The EmailAuth screen would prefill the Zendesk email (could be just a mailto: link, could interact with the ContactPage extension, etc) that includes a link to Special:EmailAuthVerify/<token>, and T&S staff can click it to validate.
  2. When the user reaches the EmailAuth screen, tag their session, then link them to Special:EmailAuthHelp which will use the session to validate the claim and send an email to Zendesk. T&S staff would validate the sender.

Things to be careful about: email address spoofing (only relevant in the second scenario), attacker choosing similar username to the target (can be avoided by us generating the link T&S would use for 2FA reset).

We could either put it in WikimediaEvents (not a great place but the rest of the Wikimedia-specific EmailAuth logic is already there), or make it non-Wikimedia-specific (ie. do not hardcode Zendesk).

Tgr added a project: MediaWiki-extensions-EmailAuth.Fri, Aug 1, 4:10 PM
Tgr added a comment.Thu, Aug 14, 4:57 PM
In T399742#11037889, @Tgr wrote:

We could either put it in WikimediaEvents (not a great place but the rest of the Wikimedia-specific EmailAuth logic is already there), or make it non-Wikimedia-specific (ie. do not hardcode Zendesk).

Or jump the gun and create a catch-all extension for Wikimedia-specific hooks (we talked about that a few times before). I filed T401939: Create a Wikimedia* extension for site customizations about that.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits