dépôts / lhc / web / wiklou.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge "Http::getProxy() method to get proxy configuration"
[lhc/web/wiklou.git] / includes / api / ApiLogin.php
1 <?php
2 /**
3 *
4 *
5 * Created on Sep 19, 2006
6 *
7 * Copyright © 2006-2007 Yuri Astrakhan "<Firstname><Lastname>@gmail.com",
8 * Daniel Cannon (cannon dot danielc at gmail dot com)
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
23 * http://www.gnu.org/copyleft/gpl.html
24 *
25 * @file
26 */
27
28 use MediaWiki\Logger\LoggerFactory;
29
30 /**
31 * Unit to authenticate log-in attempts to the current wiki.
32 *
33 * @ingroup API
34 */
35 class ApiLogin extends ApiBase {
36
37 public function __construct( ApiMain $main, $action ) {
38 parent::__construct( $main, $action, 'lg' );
39 }
40
41 /**
42 * Executes the log-in attempt using the parameters passed. If
43 * the log-in succeeds, it attaches a cookie to the session
44 * and outputs the user id, username, and session token. If a
45 * log-in fails, as the result of a bad password, a nonexistent
46 * user, or any other reason, the host is cached with an expiry
47 * and no log-in attempts will be accepted until that expiry
48 * is reached. The expiry is $this->mLoginThrottle.
49 */
50 public function execute() {
51 // If we're in a mode that breaks the same-origin policy, no tokens can
52 // be obtained
53 if ( $this->lacksSameOriginSecurity() ) {
54 $this->getResult()->addValue( null, 'login', [
55 'result' => 'Aborted',
56 'reason' => 'Cannot log in when the same-origin policy is not applied',
57 ] );
58
59 return;
60 }
61
62 $params = $this->extractRequestParams();
63
64 $result = [];
65
66 // Make sure session is persisted
67 $session = MediaWiki\Session\SessionManager::getGlobalSession();
68 $session->persist();
69
70 // Make sure it's possible to log in
71 if ( !$session->canSetUser() ) {
72 $this->getResult()->addValue( null, 'login', [
73 'result' => 'Aborted',
74 'reason' => 'Cannot log in when using ' .
75 $session->getProvider()->describe( Language::factory( 'en' ) ),
76 ] );
77
78 return;
79 }
80
81 $authRes = false;
82 $context = new DerivativeContext( $this->getContext() );
83 $loginType = 'N/A';
84
85 // Check login token
86 $token = LoginForm::getLoginToken();
87 if ( $token->wasNew() || !$params['token'] ) {
88 $authRes = LoginForm::NEED_TOKEN;
89 } elseif ( !$token->match( $params['token'] ) ) {
90 $authRes = LoginForm::WRONG_TOKEN;
91 }
92
93 // Try bot passwords
94 if ( $authRes === false && $this->getConfig()->get( 'EnableBotPasswords' ) &&
95 strpos( $params['name'], BotPassword::getSeparator() ) !== false
96 ) {
97 $status = BotPassword::login(
98 $params['name'], $params['password'], $this->getRequest()
99 );
100 if ( $status->isOK() ) {
101 $session = $status->getValue();
102 $authRes = LoginForm::SUCCESS;
103 $loginType = 'BotPassword';
104 } else {
105 LoggerFactory::getInstance( 'authmanager' )->info(
106 'BotPassword login failed: ' . $status->getWikiText()
107 );
108 }
109 }
110
111 // Normal login
112 if ( $authRes === false ) {
113 $context->setRequest( new DerivativeRequest(
114 $this->getContext()->getRequest(),
115 [
116 'wpName' => $params['name'],
117 'wpPassword' => $params['password'],
118 'wpDomain' => $params['domain'],
119 'wpLoginToken' => $params['token'],
120 'wpRemember' => ''
121 ]
122 ) );
123 $loginForm = new LoginForm();
124 $loginForm->setContext( $context );
125 $authRes = $loginForm->authenticateUserData();
126 $loginType = 'LoginForm';
127 }
128
129 switch ( $authRes ) {
130 case LoginForm::SUCCESS:
131 $user = $context->getUser();
132 $this->getContext()->setUser( $user );
133 $user->setCookies( $this->getRequest(), null, true );
134
135 ApiQueryInfo::resetTokenCache();
136
137 // Run hooks.
138 // @todo FIXME: Split back and frontend from this hook.
139 // @todo FIXME: This hook should be placed in the backend
140 $injected_html = '';
141 Hooks::run( 'UserLoginComplete', [ &$user, &$injected_html ] );
142
143 $result['result'] = 'Success';
144 $result['lguserid'] = intval( $user->getId() );
145 $result['lgusername'] = $user->getName();
146
147 // @todo: These are deprecated, and should be removed at some
148 // point (1.28 at the earliest, and see T121527). They were ok
149 // when the core cookie-based login was the only thing, but
150 // CentralAuth broke that a while back and
151 // SessionManager/AuthManager are *really* going to break it.
152 $result['lgtoken'] = $user->getToken();
153 $result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
154 $result['sessionid'] = $session->getId();
155 break;
156
157 case LoginForm::NEED_TOKEN:
158 $result['result'] = 'NeedToken';
159 $result['token'] = LoginForm::getLoginToken()->toString();
160 $this->setWarning( 'Fetching a token via action=login is deprecated. ' .
161 'Use action=query&meta=tokens&type=login instead.' );
162 $this->logFeatureUsage( 'action=login&!lgtoken' );
163
164 // @todo: See above about deprecation
165 $result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
166 $result['sessionid'] = $session->getId();
167 break;
168
169 case LoginForm::WRONG_TOKEN:
170 $result['result'] = 'WrongToken';
171 break;
172
173 case LoginForm::NO_NAME:
174 $result['result'] = 'NoName';
175 break;
176
177 case LoginForm::ILLEGAL:
178 $result['result'] = 'Illegal';
179 break;
180
181 case LoginForm::WRONG_PLUGIN_PASS:
182 $result['result'] = 'WrongPluginPass';
183 break;
184
185 case LoginForm::NOT_EXISTS:
186 $result['result'] = 'NotExists';
187 break;
188
189 // bug 20223 - Treat a temporary password as wrong. Per SpecialUserLogin:
190 // The e-mailed temporary password should not be used for actual logins.
191 case LoginForm::RESET_PASS:
192 case LoginForm::WRONG_PASS:
193 $result['result'] = 'WrongPass';
194 break;
195
196 case LoginForm::EMPTY_PASS:
197 $result['result'] = 'EmptyPass';
198 break;
199
200 case LoginForm::CREATE_BLOCKED:
201 $result['result'] = 'CreateBlocked';
202 $result['details'] = 'Your IP address is blocked from account creation';
203 $block = $context->getUser()->getBlock();
204 if ( $block ) {
205 $result = array_merge( $result, ApiQueryUserInfo::getBlockInfo( $block ) );
206 }
207 break;
208
209 case LoginForm::THROTTLED:
210 $result['result'] = 'Throttled';
211 $result['wait'] = intval( $loginForm->mThrottleWait );
212 break;
213
214 case LoginForm::USER_BLOCKED:
215 $result['result'] = 'Blocked';
216 $block = User::newFromName( $params['name'] )->getBlock();
217 if ( $block ) {
218 $result = array_merge( $result, ApiQueryUserInfo::getBlockInfo( $block ) );
219 }
220 break;
221
222 case LoginForm::ABORTED:
223 $result['result'] = 'Aborted';
224 $result['reason'] = $loginForm->mAbortLoginErrorMsg;
225 break;
226
227 default:
228 ApiBase::dieDebug( __METHOD__, "Unhandled case value: {$authRes}" );
229 }
230
231 $this->getResult()->addValue( null, 'login', $result );
232
233 LoggerFactory::getInstance( 'authmanager' )->info( 'Login attempt', [
234 'event' => 'login',
235 'successful' => $authRes === LoginForm::SUCCESS,
236 'loginType' => $loginType,
237 'status' => LoginForm::$statusCodes[$authRes],
238 ] );
239 }
240
241 public function mustBePosted() {
242 return true;
243 }
244
245 public function isReadMode() {
246 return false;
247 }
248
249 public function getAllowedParams() {
250 return [
251 'name' => null,
252 'password' => [
253 ApiBase::PARAM_TYPE => 'password',
254 ],
255 'domain' => null,
256 'token' => [
257 ApiBase::PARAM_TYPE => 'string',
258 ApiBase::PARAM_REQUIRED => false, // for BC
259 ApiBase::PARAM_HELP_MSG => [ 'api-help-param-token', 'login' ],
260 ],
261 ];
262 }
263
264 protected function getExamplesMessages() {
265 return [
266 'action=login&lgname=user&lgpassword=password'
267 => 'apihelp-login-example-gettoken',
268 'action=login&lgname=user&lgpassword=password&lgtoken=123ABC'
269 => 'apihelp-login-example-login',
270 ];
271 }
272
273 public function getHelpUrls() {
274 return 'https://www.mediawiki.org/wiki/API:Login';
275 }
276 }
Wiklou, le Wiki du Wiklou