search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
PHPSessionHandler: Implement SessionHandlerInterface
[mediawiki.git] / includes / api / ApiLogin.php
blob03cd666e7e4c02cc205b2eb03855b435bf3cc26b
1 <?php
2 /**
3 *
4 *
5 * Created on Sep 19, 2006
6 *
7 * Copyright © 2006-2007 Yuri Astrakhan "<Firstname><Lastname>@gmail.com",
8 * Daniel Cannon (cannon dot danielc at gmail dot com)
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
23 * http://www.gnu.org/copyleft/gpl.html
24 *
25 * @file
26 */
27
28 use MediaWiki\Logger\LoggerFactory;
29
30 /**
31 * Unit to authenticate log-in attempts to the current wiki.
32 *
33 * @ingroup API
34 */
35 class ApiLogin extends ApiBase {
36
37 public function __construct( ApiMain $main, $action ) {
38 parent::__construct( $main, $action, 'lg' );
39 }
40
41 /**
42 * Executes the log-in attempt using the parameters passed. If
43 * the log-in succeeds, it attaches a cookie to the session
44 * and outputs the user id, username, and session token. If a
45 * log-in fails, as the result of a bad password, a nonexistent
46 * user, or any other reason, the host is cached with an expiry
47 * and no log-in attempts will be accepted until that expiry
48 * is reached. The expiry is $this->mLoginThrottle.
49 */
50 public function execute() {
51 // If we're in a mode that breaks the same-origin policy, no tokens can
52 // be obtained
53 if ( $this->lacksSameOriginSecurity() ) {
54 $this->getResult()->addValue( null, 'login', array(
55 'result' => 'Aborted',
56 'reason' => 'Cannot log in when the same-origin policy is not applied',
57 ) );
58
59 return;
60 }
61
62 $params = $this->extractRequestParams();
63
64 $result = array();
65
66 // Make sure session is persisted
67 $session = MediaWiki\Session\SessionManager::getGlobalSession();
68 $session->persist();
69
70 // Make sure it's possible to log in
71 if ( !$session->canSetUser() ) {
72 $this->getResult()->addValue( null, 'login', array(
73 'result' => 'Aborted',
74 'reason' => 'Cannot log in when using ' .
75 $session->getProvider()->describe( Language::factory( 'en' ) ),
76 ) );
77
78 return;
79 }
80
81 $authRes = false;
82 $context = new DerivativeContext( $this->getContext() );
83 $loginType = 'N/A';
84
85 // Check login token
86 $token = LoginForm::getLoginToken();
87 if ( $token->wasNew() || !$params['token'] ) {
88 $authRes = LoginForm::NEED_TOKEN;
89 } elseif ( !$token->match( $params['token'] ) ) {
90 $authRes = LoginForm::WRONG_TOKEN;
91 }
92
93 // Try bot passwords
94 if ( $authRes === false && $this->getConfig()->get( 'EnableBotPasswords' ) &&
95 strpos( $params['name'], BotPassword::getSeparator() ) !== false
96 ) {
97 $status = BotPassword::login(
98 $params['name'], $params['password'], $this->getRequest()
99 );
100 if ( $status->isOk() ) {
101 $session = $status->getValue();
102 $authRes = LoginForm::SUCCESS;
103 $loginType = 'BotPassword';
104 } else {
105 LoggerFactory::getInstance( 'authmanager' )->info(
106 'BotPassword login failed: ' . $status->getWikiText()
107 );
108 }
109 }
110
111 // Normal login
112 if ( $authRes === false ) {
113 $context->setRequest( new DerivativeRequest(
114 $this->getContext()->getRequest(),
115 array(
116 'wpName' => $params['name'],
117 'wpPassword' => $params['password'],
118 'wpDomain' => $params['domain'],
119 'wpLoginToken' => $params['token'],
120 'wpRemember' => ''
121 )
122 ) );
123 $loginForm = new LoginForm();
124 $loginForm->setContext( $context );
125 $authRes = $loginForm->authenticateUserData();
126 $loginType = 'LoginForm';
127 }
128
129 switch ( $authRes ) {
130 case LoginForm::SUCCESS:
131 $user = $context->getUser();
132 $this->getContext()->setUser( $user );
133 $user->setCookies( $this->getRequest(), null, true );
134
135 ApiQueryInfo::resetTokenCache();
136
137 // Run hooks.
138 // @todo FIXME: Split back and frontend from this hook.
139 // @todo FIXME: This hook should be placed in the backend
140 $injected_html = '';
141 Hooks::run( 'UserLoginComplete', array( &$user, &$injected_html ) );
142
143 $result['result'] = 'Success';
144 $result['lguserid'] = intval( $user->getId() );
145 $result['lgusername'] = $user->getName();
146
147 // @todo: These are deprecated, and should be removed at some
148 // point (1.28 at the earliest, and see T121527). They were ok
149 // when the core cookie-based login was the only thing, but
150 // CentralAuth broke that a while back and
151 // SessionManager/AuthManager are *really* going to break it.
152 $result['lgtoken'] = $user->getToken();
153 $result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
154 $result['sessionid'] = $session->getId();
155 break;
156
157 case LoginForm::NEED_TOKEN:
158 $result['result'] = 'NeedToken';
159 $result['token'] = LoginForm::getLoginToken()->toString();
160 $this->setWarning( 'Fetching a token via action=login is deprecated. ' .
161 'Use action=query&meta=tokens&type=login instead.' );
162 $this->logFeatureUsage( 'action=login&!lgtoken' );
163
164 // @todo: See above about deprecation
165 $result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
166 $result['sessionid'] = $session->getId();
167 break;
168
169 case LoginForm::WRONG_TOKEN:
170 $result['result'] = 'WrongToken';
171 break;
172
173 case LoginForm::NO_NAME:
174 $result['result'] = 'NoName';
175 break;
176
177 case LoginForm::ILLEGAL:
178 $result['result'] = 'Illegal';
179 break;
180
181 case LoginForm::WRONG_PLUGIN_PASS:
182 $result['result'] = 'WrongPluginPass';
183 break;
184
185 case LoginForm::NOT_EXISTS:
186 $result['result'] = 'NotExists';
187 break;
188
189 // bug 20223 - Treat a temporary password as wrong. Per SpecialUserLogin:
190 // The e-mailed temporary password should not be used for actual logins.
191 case LoginForm::RESET_PASS:
192 case LoginForm::WRONG_PASS:
193 $result['result'] = 'WrongPass';
194 break;
195
196 case LoginForm::EMPTY_PASS:
197 $result['result'] = 'EmptyPass';
198 break;
199
200 case LoginForm::CREATE_BLOCKED:
201 $result['result'] = 'CreateBlocked';
202 $result['details'] = 'Your IP address is blocked from account creation';
203 $block = $context->getUser()->getBlock();
204 if ( $block ) {
205 $result = array_merge( $result, ApiQueryUserInfo::getBlockInfo( $block ) );
206 }
207 break;
208
209 case LoginForm::THROTTLED:
210 $result['result'] = 'Throttled';
211 $throttle = $this->getConfig()->get( 'PasswordAttemptThrottle' );
212 $result['wait'] = intval( $throttle['seconds'] );
213 break;
214
215 case LoginForm::USER_BLOCKED:
216 $result['result'] = 'Blocked';
217 $block = User::newFromName( $params['name'] )->getBlock();
218 if ( $block ) {
219 $result = array_merge( $result, ApiQueryUserInfo::getBlockInfo( $block ) );
220 }
221 break;
222
223 case LoginForm::ABORTED:
224 $result['result'] = 'Aborted';
225 $result['reason'] = $loginForm->mAbortLoginErrorMsg;
226 break;
227
228 default:
229 ApiBase::dieDebug( __METHOD__, "Unhandled case value: {$authRes}" );
230 }
231
232 $this->getResult()->addValue( null, 'login', $result );
233
234 LoggerFactory::getInstance( 'authmanager' )->info( 'Login attempt', array(
235 'event' => 'login',
236 'successful' => $authRes === LoginForm::SUCCESS,
237 'loginType' => $loginType,
238 'status' => LoginForm::$statusCodes[$authRes],
239 ) );
240 }
241
242 public function mustBePosted() {
243 return true;
244 }
245
246 public function isReadMode() {
247 return false;
248 }
249
250 public function getAllowedParams() {
251 return array(
252 'name' => null,
253 'password' => array(
254 ApiBase::PARAM_TYPE => 'password',
255 ),
256 'domain' => null,
257 'token' => array(
258 ApiBase::PARAM_TYPE => 'string',
259 ApiBase::PARAM_REQUIRED => false, // for BC
260 ApiBase::PARAM_HELP_MSG => array( 'api-help-param-token', 'login' ),
261 ),
262 );
263 }
264
265 protected function getExamplesMessages() {
266 return array(
267 'action=login&lgname=user&lgpassword=password'
268 => 'apihelp-login-example-gettoken',
269 'action=login&lgname=user&lgpassword=password&lgtoken=123ABC'
270 => 'apihelp-login-example-login',
271 );
272 }
273
274 public function getHelpUrls() {
275 return 'https://www.mediawiki.org/wiki/API:Login';
276 }
277 }
MediaWiki Core