search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge "Special:Upload should not crash on failing previews"
[mediawiki.git] / includes / api / ApiLogin.php
blob6cf1fad30cd8827f6d23b2da8e4ce43f75d1a859
1 <?php
2 /**
3 *
4 *
5 * Created on Sep 19, 2006
6 *
7 * Copyright © 2006-2007 Yuri Astrakhan "<Firstname><Lastname>@gmail.com",
8 * Daniel Cannon (cannon dot danielc at gmail dot com)
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
23 * http://www.gnu.org/copyleft/gpl.html
24 *
25 * @file
26 */
27
28 use MediaWiki\Auth\AuthManager;
29 use MediaWiki\Auth\AuthenticationRequest;
30 use MediaWiki\Auth\AuthenticationResponse;
31 use MediaWiki\Logger\LoggerFactory;
32
33 /**
34 * Unit to authenticate log-in attempts to the current wiki.
35 *
36 * @ingroup API
37 */
38 class ApiLogin extends ApiBase {
39
40 public function __construct( ApiMain $main, $action ) {
41 parent::__construct( $main, $action, 'lg' );
42 }
43
44 protected function getDescriptionMessage() {
45 if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
46 return 'apihelp-login-description';
47 } else {
48 return 'apihelp-login-description-nobotpasswords';
49 }
50 }
51
52 /**
53 * Executes the log-in attempt using the parameters passed. If
54 * the log-in succeeds, it attaches a cookie to the session
55 * and outputs the user id, username, and session token. If a
56 * log-in fails, as the result of a bad password, a nonexistent
57 * user, or any other reason, the host is cached with an expiry
58 * and no log-in attempts will be accepted until that expiry
59 * is reached. The expiry is $this->mLoginThrottle.
60 */
61 public function execute() {
62 // If we're in a mode that breaks the same-origin policy, no tokens can
63 // be obtained
64 if ( $this->lacksSameOriginSecurity() ) {
65 $this->getResult()->addValue( null, 'login', [
66 'result' => 'Aborted',
67 'reason' => 'Cannot log in when the same-origin policy is not applied',
68 ] );
69
70 return;
71 }
72
73 try {
74 $this->requirePostedParameters( [ 'password', 'token' ] );
75 } catch ( ApiUsageException $ex ) {
76 // Make this a warning for now, upgrade to an error in 1.29.
77 foreach ( $ex->getStatusValue()->getErrors() as $error ) {
78 $this->addDeprecation( $error, 'login-params-in-query-string' );
79 }
80 }
81
82 $params = $this->extractRequestParams();
83
84 $result = [];
85
86 // Make sure session is persisted
87 $session = MediaWiki\Session\SessionManager::getGlobalSession();
88 $session->persist();
89
90 // Make sure it's possible to log in
91 if ( !$session->canSetUser() ) {
92 $this->getResult()->addValue( null, 'login', [
93 'result' => 'Aborted',
94 'reason' => 'Cannot log in when using ' .
95 $session->getProvider()->describe( Language::factory( 'en' ) ),
96 ] );
97
98 return;
99 }
100
101 $authRes = false;
102 $context = new DerivativeContext( $this->getContext() );
103 $loginType = 'N/A';
104
105 // Check login token
106 $token = $session->getToken( '', 'login' );
107 if ( $token->wasNew() || !$params['token'] ) {
108 $authRes = 'NeedToken';
109 } elseif ( !$token->match( $params['token'] ) ) {
110 $authRes = 'WrongToken';
111 }
112
113 // Try bot passwords
114 if (
115 $authRes === false && $this->getConfig()->get( 'EnableBotPasswords' ) &&
116 ( $botLoginData = BotPassword::canonicalizeLoginData( $params['name'], $params['password'] ) )
117 ) {
118 $status = BotPassword::login(
119 $botLoginData[0], $botLoginData[1], $this->getRequest()
120 );
121 if ( $status->isOK() ) {
122 $session = $status->getValue();
123 $authRes = 'Success';
124 $loginType = 'BotPassword';
125 } elseif ( !$botLoginData[2] ) {
126 $authRes = 'Failed';
127 $message = $status->getMessage();
128 LoggerFactory::getInstance( 'authentication' )->info(
129 'BotPassword login failed: ' . $status->getWikiText( false, false, 'en' )
130 );
131 }
132 }
133
134 if ( $authRes === false ) {
135 // Simplified AuthManager login, for backwards compatibility
136 $manager = AuthManager::singleton();
137 $reqs = AuthenticationRequest::loadRequestsFromSubmission(
138 $manager->getAuthenticationRequests( AuthManager::ACTION_LOGIN, $this->getUser() ),
139 [
140 'username' => $params['name'],
141 'password' => $params['password'],
142 'domain' => $params['domain'],
143 'rememberMe' => true,
144 ]
145 );
146 $res = AuthManager::singleton()->beginAuthentication( $reqs, 'null:' );
147 switch ( $res->status ) {
148 case AuthenticationResponse::PASS:
149 if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
150 $this->addDeprecation( 'apiwarn-deprecation-login-botpw', 'main-account-login' );
151 } else {
152 $this->addDeprecation( 'apiwarn-deprecation-login-nobotpw', 'main-account-login' );
153 }
154 $authRes = 'Success';
155 $loginType = 'AuthManager';
156 break;
157
158 case AuthenticationResponse::FAIL:
159 // Hope it's not a PreAuthenticationProvider that failed...
160 $authRes = 'Failed';
161 $message = $res->message;
162 \MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' )
163 ->info( __METHOD__ . ': Authentication failed: '
164 . $message->inLanguage( 'en' )->plain() );
165 break;
166
167 default:
168 \MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' )
169 ->info( __METHOD__ . ': Authentication failed due to unsupported response type: '
170 . $res->status, $this->getAuthenticationResponseLogData( $res ) );
171 $authRes = 'Aborted';
172 break;
173 }
174 }
175
176 $result['result'] = $authRes;
177 switch ( $authRes ) {
178 case 'Success':
179 $user = $session->getUser();
180
181 ApiQueryInfo::resetTokenCache();
182
183 // Deprecated hook
184 $injected_html = '';
185 Hooks::run( 'UserLoginComplete', [ &$user, &$injected_html, true ] );
186
187 $result['lguserid'] = intval( $user->getId() );
188 $result['lgusername'] = $user->getName();
189 break;
190
191 case 'NeedToken':
192 $result['token'] = $token->toString();
193 $this->addDeprecation( 'apiwarn-deprecation-login-token', 'action=login&!lgtoken' );
194 break;
195
196 case 'WrongToken':
197 break;
198
199 case 'Failed':
200 $errorFormatter = $this->getErrorFormatter();
201 if ( $errorFormatter instanceof ApiErrorFormatter_BackCompat ) {
202 $result['reason'] = ApiErrorFormatter::stripMarkup(
203 $message->useDatabase( false )->inLanguage( 'en' )->text()
204 );
205 } else {
206 $result['reason'] = $errorFormatter->formatMessage( $message );
207 }
208 break;
209
210 case 'Aborted':
211 $result['reason'] = 'Authentication requires user interaction, ' .
212 'which is not supported by action=login.';
213 if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
214 $result['reason'] .= ' To be able to login with action=login, see [[Special:BotPasswords]].';
215 $result['reason'] .= ' To continue using main-account login, see action=clientlogin.';
216 } else {
217 $result['reason'] .= ' To log in, see action=clientlogin.';
218 }
219 break;
220
221 default:
222 ApiBase::dieDebug( __METHOD__, "Unhandled case value: {$authRes}" );
223 }
224
225 $this->getResult()->addValue( null, 'login', $result );
226
227 if ( $loginType === 'LoginForm' && isset( LoginForm::$statusCodes[$authRes] ) ) {
228 $authRes = LoginForm::$statusCodes[$authRes];
229 }
230 LoggerFactory::getInstance( 'authevents' )->info( 'Login attempt', [
231 'event' => 'login',
232 'successful' => $authRes === 'Success',
233 'loginType' => $loginType,
234 'status' => $authRes,
235 ] );
236 }
237
238 public function isDeprecated() {
239 return !$this->getConfig()->get( 'EnableBotPasswords' );
240 }
241
242 public function mustBePosted() {
243 return true;
244 }
245
246 public function isReadMode() {
247 return false;
248 }
249
250 public function getAllowedParams() {
251 return [
252 'name' => null,
253 'password' => [
254 ApiBase::PARAM_TYPE => 'password',
255 ],
256 'domain' => null,
257 'token' => [
258 ApiBase::PARAM_TYPE => 'string',
259 ApiBase::PARAM_REQUIRED => false, // for BC
260 ApiBase::PARAM_HELP_MSG => [ 'api-help-param-token', 'login' ],
261 ],
262 ];
263 }
264
265 protected function getExamplesMessages() {
266 return [
267 'action=login&lgname=user&lgpassword=password'
268 => 'apihelp-login-example-gettoken',
269 'action=login&lgname=user&lgpassword=password&lgtoken=123ABC'
270 => 'apihelp-login-example-login',
271 ];
272 }
273
274 public function getHelpUrls() {
275 return 'https://www.mediawiki.org/wiki/API:Login';
276 }
277
278 /**
279 * Turns an AuthenticationResponse into a hash suitable for passing to Logger
280 * @param AuthenticationResponse $response
281 * @return array
282 */
283 protected function getAuthenticationResponseLogData( AuthenticationResponse $response ) {
284 $ret = [
285 'status' => $response->status,
286 ];
287 if ( $response->message ) {
288 $ret['message'] = $response->message->inLanguage( 'en' )->plain();
289 };
290 $reqs = [
291 'neededRequests' => $response->neededRequests,
292 'createRequest' => $response->createRequest,
293 'linkRequest' => $response->linkRequest,
294 ];
295 foreach ( $reqs as $k => $v ) {
296 if ( $v ) {
297 $v = is_array( $v ) ? $v : [ $v ];
298 $reqClasses = array_unique( array_map( 'get_class', $v ) );
299 sort( $reqClasses );
300 $ret[$k] = implode( ', ', $reqClasses );
301 }
302 }
303 return $ret;
304 }
305 }
MediaWiki Core