SECURITY: Add throttling for BotPasswords authentication attempts
[lhc/web/wiklou.git] / includes / api / ApiLogin.php
index 398c8c7..9636789 100644 (file)
@@ -41,11 +41,11 @@ class ApiLogin extends ApiBase {
                parent::__construct( $main, $action, 'lg' );
        }
 
-       protected function getDescriptionMessage() {
+       protected function getExtendedDescription() {
                if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
-                       return 'apihelp-login-description';
+                       return 'apihelp-login-extended-description';
                } else {
-                       return 'apihelp-login-description-nobotpasswords';
+                       return 'apihelp-login-extended-description-nobotpasswords';
                }
        }
 
@@ -134,7 +134,7 @@ class ApiLogin extends ApiBase {
                                $session = $status->getValue();
                                $authRes = 'Success';
                                $loginType = 'BotPassword';
-                       } elseif ( !$botLoginData[2] ) {
+                       } elseif ( !$botLoginData[2] || $status->hasMessage( 'login-throttled' ) ) {
                                $authRes = 'Failed';
                                $message = $status->getMessage();
                                LoggerFactory::getInstance( 'authentication' )->info(
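Review bot: The new `$status->hasMessage( 'login-throttled' )` test in the `elseif` matches on a message key string that is produced elsewhere, so a rename or typo on either side would silently drop the throttled case out of the `'Failed'` branch with no error. This condition appears to be what stops a throttled attempt from continuing past the bot-password path, though the code it would fall through to is outside the hunk. It deserves a why-comment above the `elseif`, for example `// A throttled attempt must fail here; it must not fall through to another login path.` It would also help detection if the `authentication` log entry distinguished a throttle hit from a wrong password. The `info()` call's arguments are cut off at the end of the hunk, so that may already be the case.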