User:BDavis (WMF)/Notes/Recover OAuth secret
< User:BDavis (WMF) | Notes
It is possible to recover a lost OAuth secret key if you have production database and deployment configuration access. This isn't a quick process, so it's not widely advertised.
First, get the oarc_secret_key from the metawiki database for the consumer:
SELECT oarc_secret_key FROM oauth_registered_consumer
WHERE oarc_callback_url = 'https://tools.wmflabs.org/bash/';
Then get the $wgOAuthSecretKey value that is being used on the production cluster:
$ mwscript eval.php metawiki
> var_dump($wgOAuthSecretKey); # or $wgSecretKey if null
string(37) "Nope, not giving it away here. Sorry."
Finally compute the SHA1 HMAC of the consumer secret and the cluster secret:
<?php
$wgOAuthSecretKey = "Nope, not giving it away here. Sorry.";
$secret = 'bd808bd808bd808bd808bd808bd808bd';
echo hash_hmac( 'sha1', $secret, $wgOAuthSecretKey ), "\n";
Gergő suggests a more direct alternative:
$ mwscript shell.php metawiki
>>> $consumer_key = '3f0e3e91f2cba000c7d81932f59d615a';
>>> echo MediaWiki\Extension\OAuth\Backend\Utils::hmacDBSecret( MediaWiki\Extension\OAuth\Backend\OAuth1Consumer::newFromKey( wfGetDB( DB_REPLICA ), $consumer_key )->getSecretKey() );