This is the description page for the Scratch 2.0 user verification system that is used on the Scratch Wiki!
Installation status: Done
In January 2015, the system was updated with several improvements. The changes were:
- Holding requests
- Moving all the text to the database (so it can be easily edited)
- Deleting old requests manually
- Allowing EWs/admins to view request notes of previously accepted requests
- Better verification code system
- Custom welcome messages
Due to issues with the comment verification system, a new algorithm was introduced. Originally, the verification codes were generated by taking the SHA1 hash of the user's IP address concatenated with the month (e.g. IP 192.168.1.1 during January would result in a code of sha1(192.168.1.11)). That algorithm was replaced by one that generates completely random codes tied to the user's session. In addition, the algorithm that checks comments on the verification project was changed so that it allows whitespace and other text besides the code.
The system has been implemented.
Purpose for creation
This system was created because the old account verification system on the Scratch Wiki no longer worked after Scratch 2.0 was released, and something new needed to replace it.
This code is based on the ConfirmAccount MediaWiki extension. Several changes were made to that code to make it more suitable for usage on the Scratch Wiki.
The modified source code is available on GitHub, and is distributed under the GNU GPL v3.
Instructions and Usage
To install the extension, download the source code from GitHub (link above), and follow the instructions on this page, the information page for the original extension. The "confirmaccount" permission should also be given to the administrator group, rather than just bureaucrats.
The registration page looks like the image on the right. The user will enter their information, and will be given a code to comment on the user verification project. They will also enter a password, and that will be the password on their account if the request is accepted.
To look at the list of account requests, go to Special:ConfirmAccounts. Once on that page, everything else is fairly self-explanatory. However, it is necessary to comment on the user's profile or one of their projects once their request has been accepted, and to explain that they need to log in with the password they were given at registration. Also, note that the emails are simply random numbers to prevent the software from triggering bad email errors, as not all users have emails.
Verification codes are not technically "secure"
No change necessary
When the user is given their verification code, it is simply generated with the following:
sha1($_SERVER['REMOTE_ADDR'] . date('m'));
Several users have pointed out that this is not technically "secure", as the code is not completely random. However, even though the codes are not random, the system is still secure. The script checks not only that the code was commented on the project, but also that it was commented by the user registering. While two users may have the same code, both still have to comment the code. As such, this is not a big issue and will not affect the functionality of the software, nor allow any kind of impersonation.
In addition, in the January 2015 update, the verification code algorithm was changed so that it became completely randomized.
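The old and new code schemes described above, together with a comment check that ties the code to the registering account, as an added PHP example (not the extension's own code). The function names, the 'vercode' session key, the 16-byte code length and the shape of the comment array are assumptions, and the sample data is constructed.

```php
<?php
// Old scheme from the page: deterministic, so everyone behind one IP gets
// the same code for a whole month.
function legacyCode(string $ip, string $month): string {
    return sha1($ip . $month);
}

// New scheme as described: a random code kept in the user's session.
// The 'vercode' key and the 16-byte length are assumptions.
function sessionCode(array &$session): string {
    if (!isset($session['vercode'])) {
        $session['vercode'] = bin2hex(random_bytes(16)); // CSPRNG output
    }
    return $session['vercode'];
}

// Accept only a comment posted by the requesting account that contains the
// code; whitespace and surrounding text are tolerated. Array shape is assumed.
function commentVerifies(array $comments, string $username, string $code): bool {
    foreach ($comments as $c) {
        if ($c['author'] !== $username) {
            continue; // right code from the wrong account proves nothing
        }
        $text = preg_replace('/\s+/', '', $c['text']);
        if (strpos($text, $code) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed sample data. date('m') returns a zero-padded month such as "01".
echo "legacy codes collide: ";
var_dump(legacyCode('192.168.1.1', '01') === legacyCode('192.168.1.1', '01'));

$sessA = []; $sessB = [];
$codeA = sessionCode($sessA);
$codeB = sessionCode($sessB);
echo "session codes collide: ";
var_dump($codeA === $codeB);

$comments = [
    ['author' => 'SomeoneElse', 'text' => $codeA],
    ['author' => 'ExampleUser', 'text' => "my code:\n " . substr($codeA, 0, 16) . ' ' . substr($codeA, 16)],
];
echo "ExampleUser verified: ";
var_dump(commentVerifies($comments, 'ExampleUser', $codeA));
echo "SomeoneElse verified with another session's code: ";
var_dump(commentVerifies($comments, 'SomeoneElse', $codeB));
```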