X-Git-Url: http://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2Fapi%2FApiLogin.php;h=aa570cbc6742bebf165768a25dab5cc64e5dc782;hb=14d2728ea69f972f1f981251708cbb0396e5f92c;hp=1caac148f7078e9690c86456c9fd1e2ffd49487b;hpb=11522533106f4d28a9efbef8567aac71cc198713;p=lhc%2Fweb%2Fwiklou.git diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php index 1caac148f7..aa570cbc67 100644 --- a/includes/api/ApiLogin.php +++ b/includes/api/ApiLogin.php @@ -1,11 +1,10 @@ @gmail.com, + * Created on Sep 19, 2006 + * + * Copyright © 2006-2007 Yuri Astrakhan @gmail.com, * Daniel Cannon (cannon dot danielc at gmail dot com) * * This program is free software; you can redistribute it and/or modify @@ -20,230 +19,205 @@ * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., - * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. * http://www.gnu.org/copyleft/gpl.html + * + * @file */ -if (!defined('MEDIAWIKI')) { - // Eclipse helper - will be ignored in production - require_once ('ApiBase.php'); -} - /** * Unit to authenticate log-in attempts to the current wiki. * - * @addtogroup API + * @ingroup API */ class ApiLogin extends ApiBase { - - /** - * The amount of time a user must wait after submitting - * a bad login (will be multiplied by the THROTTLE_FACTOR for each bad attempt) - */ - const THROTTLE_TIME = 10; - /** - * The factor by which the wait-time in between authentication - * attempts is increased every failed attempt. - */ - const THROTTLE_FACTOR = 1.5; - - /** - * The maximum number of failed logins after which the wait increase stops. - */ - const THOTTLE_MAX_COUNT = 10; - - public function __construct($main, $action) { - parent :: __construct($main, $action, 'lg'); + public function __construct( $main, $action ) { + parent::__construct( $main, $action, 'lg' ); } /** * Executes the log-in attempt using the parameters passed. If * the log-in succeeeds, it attaches a cookie to the session * and outputs the user id, username, and session token. If a - * log-in fails, as the result of a bad password, a nonexistant + * log-in fails, as the result of a bad password, a nonexistent * user, or any other reason, the host is cached with an expiry * and no log-in attempts will be accepted until that expiry * is reached. The expiry is $this->mLoginThrottle. - * - * @access public */ public function execute() { - $name = $password = $domain = null; - extract($this->extractRequestParams()); - - $params = new FauxRequest(array ( - 'wpName' => $name, - 'wpPassword' => $password, - 'wpDomain' => $domain, - 'wpRemember' => '' - )); - - $result = array (); - - $nextLoginIn = $this->getNextLoginTimeout(); - if ($nextLoginIn > 0) { - $result['result'] = 'NeedToWait'; - $result['details'] = "Please wait $nextLoginIn seconds before next log-in attempt"; - $result['wait'] = $nextLoginIn; - $this->getResult()->addValue(null, 'login', $result); - return; - } + $params = $this->extractRequestParams(); + + $result = array(); - $loginForm = new LoginForm($params); - switch ($loginForm->authenticateUserData()) { - case LoginForm :: SUCCESS : - global $wgUser; + // Init session if necessary + if ( session_id() == '' ) { + wfSetupSession(); + } - $wgUser->setOption('rememberpassword', 1); - $wgUser->setCookies(); + $context = new DerivativeContext( $this->getContext() ); + $context->setRequest( new DerivativeRequest( + $this->getContext()->getRequest(), + array( + 'wpName' => $params['name'], + 'wpPassword' => $params['password'], + 'wpDomain' => $params['domain'], + 'wpLoginToken' => $params['token'], + 'wpRemember' => '' + ) + ) ); + $loginForm = new LoginForm(); + $loginForm->setContext( $context ); + + global $wgCookiePrefix, $wgPasswordAttemptThrottle; + + $authRes = $loginForm->authenticateUserData(); + switch ( $authRes ) { + case LoginForm::SUCCESS: + $user = $context->getUser(); + $this->getContext()->setUser( $user ); + $user->setOption( 'rememberpassword', 1 ); + $user->setCookies( $this->getRequest() ); + + // Run hooks. + // @todo FIXME: Split back and frontend from this hook. + // @todo FIXME: This hook should be placed in the backend + $injected_html = ''; + wfRunHooks( 'UserLoginComplete', array( &$user, &$injected_html ) ); $result['result'] = 'Success'; - $result['lguserid'] = $_SESSION['wsUserID']; - $result['lgusername'] = $_SESSION['wsUserName']; - $result['lgtoken'] = $_SESSION['wsToken']; + $result['lguserid'] = intval( $user->getId() ); + $result['lgusername'] = $user->getName(); + $result['lgtoken'] = $user->getToken(); + $result['cookieprefix'] = $wgCookiePrefix; + $result['sessionid'] = session_id(); + break; + + case LoginForm::NEED_TOKEN: + $result['result'] = 'NeedToken'; + $result['token'] = $loginForm->getLoginToken(); + $result['cookieprefix'] = $wgCookiePrefix; + $result['sessionid'] = session_id(); + break; + + case LoginForm::WRONG_TOKEN: + $result['result'] = 'WrongToken'; break; - case LoginForm :: NO_NAME : + case LoginForm::NO_NAME: $result['result'] = 'NoName'; break; - case LoginForm :: ILLEGAL : + + case LoginForm::ILLEGAL: $result['result'] = 'Illegal'; break; - case LoginForm :: WRONG_PLUGIN_PASS : + + case LoginForm::WRONG_PLUGIN_PASS: $result['result'] = 'WrongPluginPass'; break; - case LoginForm :: NOT_EXISTS : + + case LoginForm::NOT_EXISTS: $result['result'] = 'NotExists'; break; - case LoginForm :: WRONG_PASS : + + case LoginForm::RESET_PASS: // bug 20223 - Treat a temporary password as wrong. Per SpecialUserLogin - "The e-mailed temporary password should not be used for actual logins;" + case LoginForm::WRONG_PASS: $result['result'] = 'WrongPass'; break; - case LoginForm :: EMPTY_PASS : + + case LoginForm::EMPTY_PASS: $result['result'] = 'EmptyPass'; break; - default : - ApiBase :: dieDebug(__METHOD__, 'Unhandled case value'); - } - if ($result['result'] != 'Success') { - $result['wait'] = $this->cacheBadLogin(); - } - // if we were allowed to try to login, memcache is fine - - $this->getResult()->addValue(null, 'login', $result); - } + case LoginForm::CREATE_BLOCKED: + $result['result'] = 'CreateBlocked'; + $result['details'] = 'Your IP address is blocked from account creation'; + break; - - /** - * Caches a bad-login attempt associated with the host and with an - * expiry of $this->mLoginThrottle. These are cached by a key - * separate from that used by the captcha system--as such, logging - * in through the standard interface will get you a legal session - * and cookies to prove it, but will not remove this entry. - * - * Returns the number of seconds until next login attempt will be allowed. - * - * @access private - */ - private function cacheBadLogin() { - global $wgMemc; - - $key = $this->getMemCacheKey(); - $val =& $wgMemc->get( $key ); - - $val['lastReqTime'] = time(); - if (!isset($val['count'])) { - $val['count'] = 1; - } else { - $val['count'] = 1 + $val['count']; - } - - $delay = ApiLogin::calculateDelay($val); - - $wgMemc->delete($key); - $wgMemc->add( $key, $val, $delay ); - - return $delay; - } - - /** - * How much time the client must wait before it will be - * allowed to try to log-in next. - * The return value is 0 if no wait is required. - */ - private function getNextLoginTimeout() { - global $wgMemc; - - $val = $wgMemc->get($this->getMemCacheKey()); + case LoginForm::THROTTLED: + $result['result'] = 'Throttled'; + $result['wait'] = intval( $wgPasswordAttemptThrottle['seconds'] ); + break; - $elapse = (time() - $val['lastReqTime']) / 1000; // in seconds - $canRetryIn = ApiLogin::calculateDelay($val) - $elapse; - $canRetryIn = $canRetryIn < 0 ? 0 : $canRetryIn; + case LoginForm::USER_BLOCKED: + $result['result'] = 'Blocked'; + break; - return $canRetryIn; + case LoginForm::ABORTED: + $result['result'] = 'Aborted'; + $result['reason'] = $loginForm->mAbortLoginErrorMsg; + break; + + default: + ApiBase::dieDebug( __METHOD__, "Unhandled case value: {$authRes}" ); + } + + $this->getResult()->addValue( null, 'login', $result ); } - - /** - * Based on the number of previously attempted logins, returns - * the delay (in seconds) when the next login attempt will be allowed. - */ - private static function calculateDelay($val) { - // Defensive programming - $count = $val['count']; - $count = $count < 1 ? 1 : $count; - $count = $count > self::THOTTLE_MAX_COUNT ? self::THOTTLE_MAX_COUNT : $count; - return self::THROTTLE_TIME + self::THROTTLE_TIME * ($count - 1) * self::THROTTLE_FACTOR; - } + public function mustBePosted() { + return true; + } - /** - * Internal cache key for badlogin checks. Robbed from the - * ConfirmEdit extension and modified to use a key unique to the - * API login.3 - * - * @return string - * @access private - */ - private function getMemCacheKey() { - return wfMemcKey( 'apilogin', 'badlogin', 'ip', wfGetIP() ); + public function isReadMode() { + return false; } - protected function getAllowedParams() { - return array ( + public function getAllowedParams() { + return array( 'name' => null, 'password' => null, - 'domain' => null + 'domain' => null, + 'token' => null, ); } - protected function getParamDescription() { - return array ( + public function getParamDescription() { + return array( 'name' => 'User Name', 'password' => 'Password', - 'domain' => 'Domain (optional)' + 'domain' => 'Domain (optional)', + 'token' => 'Login token obtained in first request', ); } - protected function getDescription() { - return array ( - 'This module is used to login and get the authentication tokens. ' . - 'In the event of a successful log-in, a cookie will be attached ' . - 'to your session. In the event of a failed log-in, you will not ' . - 'be able to attempt another log-in through this method for 60 ' . - 'seconds--this is to prevent its use in aiding automated password ' . - 'crackers.' + public function getDescription() { + return array( + 'Log in and get the authentication tokens. ', + 'In the event of a successful log-in, a cookie will be attached', + 'to your session. In the event of a failed log-in, you will not ', + 'be able to attempt another log-in through this method for 5 seconds.', + 'This is to prevent password guessing by automated password crackers' ); } - - protected function getExamples() { + + public function getPossibleErrors() { + return array_merge( parent::getPossibleErrors(), array( + array( 'code' => 'NeedToken', 'info' => 'You need to resubmit your login with the specified token. See https://bugzilla.wikimedia.org/show_bug.cgi?id=23076' ), + array( 'code' => 'WrongToken', 'info' => 'You specified an invalid token' ), + array( 'code' => 'NoName', 'info' => 'You didn\'t set the lgname parameter' ), + array( 'code' => 'Illegal', 'info' => ' You provided an illegal username' ), + array( 'code' => 'NotExists', 'info' => ' The username you provided doesn\'t exist' ), + array( 'code' => 'EmptyPass', 'info' => ' You didn\'t set the lgpassword parameter or you left it empty' ), + array( 'code' => 'WrongPass', 'info' => ' The password you provided is incorrect' ), + array( 'code' => 'WrongPluginPass', 'info' => 'Same as "WrongPass", returned when an authentication plugin rather than MediaWiki itself rejected the password' ), + array( 'code' => 'CreateBlocked', 'info' => 'The wiki tried to automatically create a new account for you, but your IP address has been blocked from account creation' ), + array( 'code' => 'Throttled', 'info' => 'You\'ve logged in too many times in a short time' ), + array( 'code' => 'Blocked', 'info' => 'User is blocked' ), + ) ); + } + + public function getExamples() { return array( 'api.php?action=login&lgname=user&lgpassword=password' ); } + public function getHelpUrls() { + return 'https://www.mediawiki.org/wiki/API:Login'; + } + public function getVersion() { return __CLASS__ . ': $Id$'; } } -?>