Merge "Move up devunt's name to Developers"

[lhc/web/wiklou.git] / includes / api / ApiLogin.php

diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 28937f7..6ac261d 100644 (file)
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -70,6 +70,14 @@ class ApiLogin extends ApiBase {
                        return;
                }
 
+               try {
+                       $this->requirePostedParameters( [ 'password', 'token' ] );
+               } catch ( UsageException $ex ) {
+                       // Make this a warning for now, upgrade to an error in 1.29.
+                       $this->setWarning( $ex->getMessage() );
+                       $this->logFeatureUsage( 'login-params-in-query-string' );
+               }
+
                $params = $this->extractRequestParams();
 
                $result = [];
@@ -102,17 +110,18 @@ class ApiLogin extends ApiBase {
                }
 
                // Try bot passwords
-               if ( $authRes === false && $this->getConfig()->get( 'EnableBotPasswords' ) &&
-                       strpos( $params['name'], BotPassword::getSeparator() ) !== false
+               if (
+                       $authRes === false && $this->getConfig()->get( 'EnableBotPasswords' ) &&
+                       ( $botLoginData = BotPassword::canonicalizeLoginData( $params['name'], $params['password'] ) )
                ) {
                        $status = BotPassword::login(
-                               $params['name'], $params['password'], $this->getRequest()
+                               $botLoginData[0], $botLoginData[1], $this->getRequest()
                        );
                        if ( $status->isOK() ) {
                                $session = $status->getValue();
                                $authRes = 'Success';
                                $loginType = 'BotPassword';
-                       } else {
+                       } elseif ( !$botLoginData[2] ) {
                                $authRes = 'Failed';
                                $message = $status->getMessage();
                                LoggerFactory::getInstance( 'authentication' )->info(
@@ -181,15 +190,6 @@ class ApiLogin extends ApiBase {
 
                                $result['lguserid'] = intval( $user->getId() );
                                $result['lgusername'] = $user->getName();
-
-                               // @todo: These are deprecated, and should be removed at some
-                               // point (1.28 at the earliest, and see T121527). They were ok
-                               // when the core cookie-based login was the only thing, but
-                               // CentralAuth broke that a while back and
-                               // SessionManager/AuthManager *really* break it.
-                               $result['lgtoken'] = $user->getToken();
-                               $result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
-                               $result['sessionid'] = $session->getId();
                                break;
 
                        case 'NeedToken':
@@ -197,10 +197,6 @@ class ApiLogin extends ApiBase {
                                $this->setWarning( 'Fetching a token via action=login is deprecated. ' .
                                   'Use action=query&meta=tokens&type=login instead.' );
                                $this->logFeatureUsage( 'action=login&!lgtoken' );
-
-                               // @todo: See above about deprecation
-                               $result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
-                               $result['sessionid'] = $session->getId();
                                break;
 
                        case 'WrongToken':