308 lines
9.5 KiB
PHP
308 lines
9.5 KiB
PHP
<?php
|
|
/**
|
|
*
|
|
*
|
|
* Created on Sep 19, 2006
|
|
*
|
|
* Copyright © 2006-2007 Yuri Astrakhan "<Firstname><Lastname>@gmail.com",
|
|
* Daniel Cannon (cannon dot danielc at gmail dot com)
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
* http://www.gnu.org/copyleft/gpl.html
|
|
*
|
|
* @file
|
|
*/
|
|
|
|
use MediaWiki\Auth\AuthManager;
|
|
use MediaWiki\Auth\AuthenticationRequest;
|
|
use MediaWiki\Auth\AuthenticationResponse;
|
|
use MediaWiki\Logger\LoggerFactory;
|
|
|
|
/**
|
|
* Unit to authenticate log-in attempts to the current wiki.
|
|
*
|
|
* @ingroup API
|
|
*/
|
|
class ApiLogin extends ApiBase {
|
|
|
|
public function __construct( ApiMain $main, $action ) {
|
|
parent::__construct( $main, $action, 'lg' );
|
|
}
|
|
|
|
protected function getDescriptionMessage() {
|
|
if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
|
|
return 'apihelp-login-description';
|
|
} else {
|
|
return 'apihelp-login-description-nobotpasswords';
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Executes the log-in attempt using the parameters passed. If
|
|
* the log-in succeeds, it attaches a cookie to the session
|
|
* and outputs the user id, username, and session token. If a
|
|
* log-in fails, as the result of a bad password, a nonexistent
|
|
* user, or any other reason, the host is cached with an expiry
|
|
* and no log-in attempts will be accepted until that expiry
|
|
* is reached. The expiry is $this->mLoginThrottle.
|
|
*/
|
|
public function execute() {
|
|
// If we're in a mode that breaks the same-origin policy, no tokens can
|
|
// be obtained
|
|
if ( $this->lacksSameOriginSecurity() ) {
|
|
$this->getResult()->addValue( null, 'login', [
|
|
'result' => 'Aborted',
|
|
'reason' => 'Cannot log in when the same-origin policy is not applied',
|
|
] );
|
|
|
|
return;
|
|
}
|
|
|
|
$params = $this->extractRequestParams();
|
|
|
|
$result = [];
|
|
|
|
// Make sure session is persisted
|
|
$session = MediaWiki\Session\SessionManager::getGlobalSession();
|
|
$session->persist();
|
|
|
|
// Make sure it's possible to log in
|
|
if ( !$session->canSetUser() ) {
|
|
$this->getResult()->addValue( null, 'login', [
|
|
'result' => 'Aborted',
|
|
'reason' => 'Cannot log in when using ' .
|
|
$session->getProvider()->describe( Language::factory( 'en' ) ),
|
|
] );
|
|
|
|
return;
|
|
}
|
|
|
|
$authRes = false;
|
|
$context = new DerivativeContext( $this->getContext() );
|
|
$loginType = 'N/A';
|
|
|
|
// Check login token
|
|
$token = $session->getToken( '', 'login' );
|
|
if ( $token->wasNew() || !$params['token'] ) {
|
|
$authRes = 'NeedToken';
|
|
} elseif ( !$token->match( $params['token'] ) ) {
|
|
$authRes = 'WrongToken';
|
|
}
|
|
|
|
// Try bot passwords
|
|
if ( $authRes === false && $this->getConfig()->get( 'EnableBotPasswords' ) &&
|
|
strpos( $params['name'], BotPassword::getSeparator() ) !== false
|
|
) {
|
|
$status = BotPassword::login(
|
|
$params['name'], $params['password'], $this->getRequest()
|
|
);
|
|
if ( $status->isOK() ) {
|
|
$session = $status->getValue();
|
|
$authRes = 'Success';
|
|
$loginType = 'BotPassword';
|
|
} else {
|
|
$authRes = 'Failed';
|
|
$message = $status->getMessage();
|
|
LoggerFactory::getInstance( 'authentication' )->info(
|
|
'BotPassword login failed: ' . $status->getWikiText( false, false, 'en' )
|
|
);
|
|
}
|
|
}
|
|
|
|
if ( $authRes === false ) {
|
|
// Simplified AuthManager login, for backwards compatibility
|
|
$manager = AuthManager::singleton();
|
|
$reqs = AuthenticationRequest::loadRequestsFromSubmission(
|
|
$manager->getAuthenticationRequests( AuthManager::ACTION_LOGIN, $this->getUser() ),
|
|
[
|
|
'username' => $params['name'],
|
|
'password' => $params['password'],
|
|
'domain' => $params['domain'],
|
|
'rememberMe' => true,
|
|
]
|
|
);
|
|
$res = AuthManager::singleton()->beginAuthentication( $reqs, 'null:' );
|
|
switch ( $res->status ) {
|
|
case AuthenticationResponse::PASS:
|
|
if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
|
|
$warn = 'Main-account login via action=login is deprecated and may stop working ' .
|
|
'without warning.';
|
|
$warn .= ' To continue login with action=login, see [[Special:BotPasswords]].';
|
|
$warn .= ' To safely continue using main-account login, see action=clientlogin.';
|
|
} else {
|
|
$warn = 'Login via action=login is deprecated and may stop working without warning.';
|
|
$warn .= ' To safely log in, see action=clientlogin.';
|
|
}
|
|
$this->setWarning( $warn );
|
|
$authRes = 'Success';
|
|
$loginType = 'AuthManager';
|
|
break;
|
|
|
|
case AuthenticationResponse::FAIL:
|
|
// Hope it's not a PreAuthenticationProvider that failed...
|
|
$authRes = 'Failed';
|
|
$message = $res->message;
|
|
\MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' )
|
|
->info( __METHOD__ . ': Authentication failed: '
|
|
. $message->inLanguage( 'en' )->plain() );
|
|
break;
|
|
|
|
default:
|
|
\MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' )
|
|
->info( __METHOD__ . ': Authentication failed due to unsupported response type: '
|
|
. $res->status, $this->getAuthenticationResponseLogData( $res ) );
|
|
$authRes = 'Aborted';
|
|
break;
|
|
}
|
|
}
|
|
|
|
$result['result'] = $authRes;
|
|
switch ( $authRes ) {
|
|
case 'Success':
|
|
$user = $session->getUser();
|
|
|
|
ApiQueryInfo::resetTokenCache();
|
|
|
|
// Deprecated hook
|
|
$injected_html = '';
|
|
Hooks::run( 'UserLoginComplete', [ &$user, &$injected_html, true ] );
|
|
|
|
$result['lguserid'] = intval( $user->getId() );
|
|
$result['lgusername'] = $user->getName();
|
|
|
|
// @todo: These are deprecated, and should be removed at some
|
|
// point (1.28 at the earliest, and see T121527). They were ok
|
|
// when the core cookie-based login was the only thing, but
|
|
// CentralAuth broke that a while back and
|
|
// SessionManager/AuthManager *really* break it.
|
|
$result['lgtoken'] = $user->getToken();
|
|
$result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
|
|
$result['sessionid'] = $session->getId();
|
|
break;
|
|
|
|
case 'NeedToken':
|
|
$result['token'] = $token->toString();
|
|
$this->setWarning( 'Fetching a token via action=login is deprecated. ' .
|
|
'Use action=query&meta=tokens&type=login instead.' );
|
|
$this->logFeatureUsage( 'action=login&!lgtoken' );
|
|
|
|
// @todo: See above about deprecation
|
|
$result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
|
|
$result['sessionid'] = $session->getId();
|
|
break;
|
|
|
|
case 'WrongToken':
|
|
break;
|
|
|
|
case 'Failed':
|
|
$result['reason'] = $message->useDatabase( 'false' )->inLanguage( 'en' )->text();
|
|
break;
|
|
|
|
case 'Aborted':
|
|
$result['reason'] = 'Authentication requires user interaction, ' .
|
|
'which is not supported by action=login.';
|
|
if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
|
|
$result['reason'] .= ' To be able to login with action=login, see [[Special:BotPasswords]].';
|
|
$result['reason'] .= ' To continue using main-account login, see action=clientlogin.';
|
|
} else {
|
|
$result['reason'] .= ' To log in, see action=clientlogin.';
|
|
}
|
|
break;
|
|
|
|
default:
|
|
ApiBase::dieDebug( __METHOD__, "Unhandled case value: {$authRes}" );
|
|
}
|
|
|
|
$this->getResult()->addValue( null, 'login', $result );
|
|
|
|
if ( $loginType === 'LoginForm' && isset( LoginForm::$statusCodes[$authRes] ) ) {
|
|
$authRes = LoginForm::$statusCodes[$authRes];
|
|
}
|
|
LoggerFactory::getInstance( 'authevents' )->info( 'Login attempt', [
|
|
'event' => 'login',
|
|
'successful' => $authRes === 'Success',
|
|
'loginType' => $loginType,
|
|
'status' => $authRes,
|
|
] );
|
|
}
|
|
|
|
public function isDeprecated() {
|
|
return !$this->getConfig()->get( 'EnableBotPasswords' );
|
|
}
|
|
|
|
public function mustBePosted() {
|
|
return true;
|
|
}
|
|
|
|
public function isReadMode() {
|
|
return false;
|
|
}
|
|
|
|
public function getAllowedParams() {
|
|
return [
|
|
'name' => null,
|
|
'password' => [
|
|
ApiBase::PARAM_TYPE => 'password',
|
|
],
|
|
'domain' => null,
|
|
'token' => [
|
|
ApiBase::PARAM_TYPE => 'string',
|
|
ApiBase::PARAM_REQUIRED => false, // for BC
|
|
ApiBase::PARAM_HELP_MSG => [ 'api-help-param-token', 'login' ],
|
|
],
|
|
];
|
|
}
|
|
|
|
protected function getExamplesMessages() {
|
|
return [
|
|
'action=login&lgname=user&lgpassword=password'
|
|
=> 'apihelp-login-example-gettoken',
|
|
'action=login&lgname=user&lgpassword=password&lgtoken=123ABC'
|
|
=> 'apihelp-login-example-login',
|
|
];
|
|
}
|
|
|
|
public function getHelpUrls() {
|
|
return 'https://www.mediawiki.org/wiki/API:Login';
|
|
}
|
|
|
|
/**
|
|
* Turns an AuthenticationResponse into a hash suitable for passing to Logger
|
|
* @param AuthenticationResponse $response
|
|
* @return array
|
|
*/
|
|
protected function getAuthenticationResponseLogData( AuthenticationResponse $response ) {
|
|
$ret = [
|
|
'status' => $response->status,
|
|
];
|
|
if ( $response->message ) {
|
|
$ret['message'] = $response->message->inLanguage( 'en' )->plain();
|
|
};
|
|
$reqs = [
|
|
'neededRequests' => $response->neededRequests,
|
|
'createRequest' => $response->createRequest,
|
|
'linkRequest' => $response->linkRequest,
|
|
];
|
|
foreach ( $reqs as $k => $v ) {
|
|
if ( $v ) {
|
|
$v = is_array( $v ) ? $v : [ $v ];
|
|
$reqClasses = array_unique( array_map( 'get_class', $v ) );
|
|
sort( $reqClasses );
|
|
$ret[$k] = implode( ', ', $reqClasses );
|
|
}
|
|
}
|
|
return $ret;
|
|
}
|
|
}
|