3 use MediaWiki\MediaWikiServices
;
4 use MediaWiki\Session\BotPasswordSessionProvider
;
5 use MediaWiki\Session\SessionManager
;
6 use Wikimedia\TestingAccessWrapper
;
15 class ApiLoginTest
extends ApiTestCase
{
18 * Test result of attempted login with an empty username
20 public function testNoName() {
22 'wsTokenSecrets' => [ 'login' => 'foobar' ],
24 $ret = $this->doApiRequest( [
27 'lgpassword' => self
::$users['sysop']->getPassword(),
28 'lgtoken' => (string)( new MediaWiki\Session\
Token( 'foobar', '' ) ),
30 $this->assertSame( 'Failed', $ret[0]['login']['result'] );
33 private function doUserLogin( $name, $password ) {
34 $ret = $this->doApiRequest( [
39 $this->assertSame( 'NeedToken', $ret[0]['login']['result'] );
41 return $this->doApiRequest( [
43 'lgtoken' => $ret[0]['login']['token'],
45 'lgpassword' => $password,
49 public function testBadPass() {
50 $user = self
::$users['sysop'];
51 $userName = $user->getUser()->getName();
52 $user->getUser()->logout();
54 $ret = $this->doUserLogin( $userName, 'bad' );
56 $this->assertSame( 'Failed', $ret[0]['login']['result'] );
59 public function testGoodPass() {
60 $user = self
::$users['sysop'];
61 $userName = $user->getUser()->getName();
62 $password = $user->getPassword();
63 $user->getUser()->logout();
65 $ret = $this->doUserLogin( $userName, $password );
67 $this->assertSame( 'Success', $ret[0]['login']['result'] );
73 public function testGotCookie() {
74 $this->markTestIncomplete( "The server can't do external HTTP requests, "
75 . "and the internal one won't give cookies" );
77 global $wgServer, $wgScriptPath;
79 $user = self
::$users['sysop'];
80 $userName = $user->getUser()->getName();
81 $password = $user->getPassword();
83 $req = MWHttpRequest
::factory(
84 self
::$apiUrl . '?action=login&format=json',
88 'lgname' => $userName,
89 'lgpassword' => $password,
96 $content = json_decode( $req->getContent() );
98 $this->assertSame( 'NeedToken', $content->login
->result
);
101 'lgtoken' => $content->login
->token
,
102 'lgname' => $userName,
103 'lgpassword' => $password,
107 $cj = $req->getCookieJar();
108 $serverName = parse_url( $wgServer, PHP_URL_HOST
);
109 $this->assertNotEquals( false, $serverName );
110 $serializedCookie = $cj->serializeToHttpRequest( $wgScriptPath, $serverName );
112 '/_session=[^;]*; .*UserID=[0-9]*; .*UserName=' . $userName . '; .*Token=/',
117 public function testBotPassword() {
118 global $wgSessionProviders;
120 $this->setMwGlobals( [
121 // We can't use mergeMwGlobalArrayValue because it will overwrite the existing entry
123 'wgSessionProviders' => array_merge( $wgSessionProviders, [
125 'class' => BotPasswordSessionProvider
::class,
126 'args' => [ [ 'priority' => 40 ] ],
129 'wgEnableBotPasswords' => true,
130 'wgBotPasswordsDatabase' => false,
131 'wgCentralIdLookupProvider' => 'local',
132 'wgGrantPermissions' => [
133 'test' => [ 'read' => true ],
137 // Make sure our session provider is present
138 $manager = TestingAccessWrapper
::newFromObject( SessionManager
::singleton() );
139 if ( !isset( $manager->sessionProviders
[BotPasswordSessionProvider
::class] ) ) {
140 $tmp = $manager->sessionProviders
;
141 $manager->sessionProviders
= null;
142 $manager->sessionProviders
= $tmp +
$manager->getProviders();
144 $this->assertNotNull(
145 SessionManager
::singleton()->getProvider( BotPasswordSessionProvider
::class ),
149 $user = self
::$users['sysop'];
150 $centralId = CentralIdLookup
::factory()->centralIdFromLocalUser( $user->getUser() );
151 $this->assertNotSame( 0, $centralId, 'sanity check' );
153 $password = 'ngfhmjm64hv0854493hsj5nncjud2clk';
154 $passwordFactory = MediaWikiServices
::getInstance()->getPasswordFactory();
155 // A is unsalted MD5 (thus fast) ... we don't care about security here, this is test only
156 $passwordHash = $passwordFactory->newFromPlaintext( $password );
158 $dbw = wfGetDB( DB_MASTER
);
162 'bp_user' => $centralId,
163 'bp_app_id' => 'foo',
164 'bp_password' => $passwordHash->toString(),
166 'bp_restrictions' => MWRestrictions
::newDefault()->toJson(),
167 'bp_grants' => '["test"]',
172 $lgName = $user->getUser()->getName() . BotPassword
::getSeparator() . 'foo';
174 $ret = $this->doUserLogin( $lgName, $password );
176 $this->assertSame( 'Success', $ret[0]['login']['result'] );
179 public function testLoginWithNoSameOriginSecurity() {
180 $this->setTemporaryHook( 'RequestHasSameOriginSecurity',
186 $ret = $this->doApiRequest( [
191 'result' => 'Aborted',
192 'reason' => 'Cannot log in when the same-origin policy is not applied.',