Log user-agents that are using HTTP when HTTPS is preferred
authorBryan Davis <bd808@wikimedia.org>
Thu, 28 Jan 2016 00:53:54 +0000 (17:53 -0700)
committerBryan Davis <bd808@wikimedia.org>
Fri, 29 Jan 2016 04:03:35 +0000 (21:03 -0700)
Log a feature usage message and add a warning to the response when an
API request is made over unencrypted HTTP and the wiki or user has asked
that HTTPS be used by default.

Bug: T105794
Change-Id: I339bfa96614c6318db303bb22a8f86bd0336ddbe

includes/api/ApiMain.php

index 6ddc28a..458fd18 100644 (file)
@@ -1231,7 +1231,8 @@ class ApiMain extends ApiBase {
         * @param array $params An array with the request parameters
         */
        protected function setupExternalResponse( $module, $params ) {
-               if ( !$this->getRequest()->wasPosted() && $module->mustBePosted() ) {
+               $request = $this->getRequest();
+               if ( !$request->wasPosted() && $module->mustBePosted() ) {
                        // Module requires POST. GET request might still be allowed
                        // if $wgDebugApi is true, otherwise fail.
                        $this->dieUsageMsgOrDebug( array( 'mustbeposted', $this->mAction ) );
@@ -1243,6 +1244,15 @@ class ApiMain extends ApiBase {
                        // Create an appropriate printer
                        $this->mPrinter = $this->createPrinterByName( $params['format'] );
                }
+
+               if ( $request->getProtocol() === 'http' && (
+                       $request->getSession()->shouldForceHTTPS() ||
+                       ( $this->getUser()->isLoggedIn() &&
+                               $this->getUser()->requiresHTTPS() )
+               ) ) {
+                       $this->logFeatureUsage( 'https-expected' );
+                       $this->setWarning( 'HTTP used when HTTPS was expected' );
+               }
        }
 
        /**
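Review bot: The added `https-expected` branch only logs and warns; the request is still processed and answered over plain HTTP, so any cookie or token it carried has already travelled unencrypted, and nothing in the code says that this is intentional. A one-line comment above the `if` would stop a later reader from mistaking it for an HTTPS gate, for example `// Advisory only: log and warn, but still serve the request over HTTP.` The check also sits after the `mustbeposted` failure path from the first hunk, so if `dieUsageMsgOrDebug()` aborts there (its body is not visible), those HTTP requests are never counted; moving the block to the top of the method would cover them. Only part of `setupExternalResponse()` is shown, since the lines between the two hunks are outside the diff.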