search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
API: Add support for documenting dynamic parameters
[mediawiki.git] / includes / api / ApiLogin.php
blob860e3b205f06798e47cda371e1688c4cd98f5def
1 <?php
2 /**
3 *
4 *
5 * Created on Sep 19, 2006
6 *
7 * Copyright © 2006-2007 Yuri Astrakhan "<Firstname><Lastname>@gmail.com",
8 * Daniel Cannon (cannon dot danielc at gmail dot com)
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
23 * http://www.gnu.org/copyleft/gpl.html
24 *
25 * @file
26 */
27
28 use MediaWiki\Logger\LoggerFactory;
29
30 /**
31 * Unit to authenticate log-in attempts to the current wiki.
32 *
33 * @ingroup API
34 */
35 class ApiLogin extends ApiBase {
36
37 public function __construct( ApiMain $main, $action ) {
38 parent::__construct( $main, $action, 'lg' );
39 }
40
41 /**
42 * Executes the log-in attempt using the parameters passed. If
43 * the log-in succeeds, it attaches a cookie to the session
44 * and outputs the user id, username, and session token. If a
45 * log-in fails, as the result of a bad password, a nonexistent
46 * user, or any other reason, the host is cached with an expiry
47 * and no log-in attempts will be accepted until that expiry
48 * is reached. The expiry is $this->mLoginThrottle.
49 */
50 public function execute() {
51 // If we're in a mode that breaks the same-origin policy, no tokens can
52 // be obtained
53 if ( $this->lacksSameOriginSecurity() ) {
54 $this->getResult()->addValue( null, 'login', array(
55 'result' => 'Aborted',
56 'reason' => 'Cannot log in when the same-origin policy is not applied',
57 ) );
58
59 return;
60 }
61
62 $params = $this->extractRequestParams();
63
64 $result = array();
65
66 // Make sure session is persisted
67 $session = MediaWiki\Session\SessionManager::getGlobalSession();
68 $session->persist();
69
70 // Make sure it's possible to log in
71 if ( !$session->canSetUser() ) {
72 $this->getResult()->addValue( null, 'login', array(
73 'result' => 'Aborted',
74 'reason' => 'Cannot log in when using ' .
75 $session->getProvider()->describe( Language::factory( 'en' ) ),
76 ) );
77
78 return;
79 }
80
81 $authRes = false;
82 $context = new DerivativeContext( $this->getContext() );
83 $loginType = 'N/A';
84
85 // Check login token
86 $token = LoginForm::getLoginToken();
87 if ( !$token ) {
88 LoginForm::setLoginToken();
89 $authRes = LoginForm::NEED_TOKEN;
90 } elseif ( !$params['token'] ) {
91 $authRes = LoginForm::NEED_TOKEN;
92 } elseif ( $token !== $params['token'] ) {
93 $authRes = LoginForm::WRONG_TOKEN;
94 }
95
96 // Try bot passwords
97 if ( $authRes === false && $this->getConfig()->get( 'EnableBotPasswords' ) &&
98 strpos( $params['name'], BotPassword::getSeparator() ) !== false
99 ) {
100 $status = BotPassword::login(
101 $params['name'], $params['password'], $this->getRequest()
102 );
103 if ( $status->isOk() ) {
104 $session = $status->getValue();
105 $authRes = LoginForm::SUCCESS;
106 $loginType = 'BotPassword';
107 } else {
108 LoggerFactory::getInstance( 'authmanager' )->info(
109 'BotPassword login failed: ' . $status->getWikiText()
110 );
111 }
112 }
113
114 // Normal login
115 if ( $authRes === false ) {
116 $context->setRequest( new DerivativeRequest(
117 $this->getContext()->getRequest(),
118 array(
119 'wpName' => $params['name'],
120 'wpPassword' => $params['password'],
121 'wpDomain' => $params['domain'],
122 'wpLoginToken' => $params['token'],
123 'wpRemember' => ''
124 )
125 ) );
126 $loginForm = new LoginForm();
127 $loginForm->setContext( $context );
128 $authRes = $loginForm->authenticateUserData();
129 $loginType = 'LoginForm';
130 }
131
132 switch ( $authRes ) {
133 case LoginForm::SUCCESS:
134 $user = $context->getUser();
135 $this->getContext()->setUser( $user );
136 $user->setCookies( $this->getRequest(), null, true );
137
138 ApiQueryInfo::resetTokenCache();
139
140 // Run hooks.
141 // @todo FIXME: Split back and frontend from this hook.
142 // @todo FIXME: This hook should be placed in the backend
143 $injected_html = '';
144 Hooks::run( 'UserLoginComplete', array( &$user, &$injected_html ) );
145
146 $result['result'] = 'Success';
147 $result['lguserid'] = intval( $user->getId() );
148 $result['lgusername'] = $user->getName();
149
150 // @todo: These are deprecated, and should be removed at some
151 // point (1.28 at the earliest, and see T121527). They were ok
152 // when the core cookie-based login was the only thing, but
153 // CentralAuth broke that a while back and
154 // SessionManager/AuthManager are *really* going to break it.
155 $result['lgtoken'] = $user->getToken();
156 $result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
157 $result['sessionid'] = $session->getId();
158 break;
159
160 case LoginForm::NEED_TOKEN:
161 $result['result'] = 'NeedToken';
162 $result['token'] = LoginForm::getLoginToken();
163
164 // @todo: See above about deprecation
165 $result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
166 $result['sessionid'] = $session->getId();
167 break;
168
169 case LoginForm::WRONG_TOKEN:
170 $result['result'] = 'WrongToken';
171 break;
172
173 case LoginForm::NO_NAME:
174 $result['result'] = 'NoName';
175 break;
176
177 case LoginForm::ILLEGAL:
178 $result['result'] = 'Illegal';
179 break;
180
181 case LoginForm::WRONG_PLUGIN_PASS:
182 $result['result'] = 'WrongPluginPass';
183 break;
184
185 case LoginForm::NOT_EXISTS:
186 $result['result'] = 'NotExists';
187 break;
188
189 // bug 20223 - Treat a temporary password as wrong. Per SpecialUserLogin:
190 // The e-mailed temporary password should not be used for actual logins.
191 case LoginForm::RESET_PASS:
192 case LoginForm::WRONG_PASS:
193 $result['result'] = 'WrongPass';
194 break;
195
196 case LoginForm::EMPTY_PASS:
197 $result['result'] = 'EmptyPass';
198 break;
199
200 case LoginForm::CREATE_BLOCKED:
201 $result['result'] = 'CreateBlocked';
202 $result['details'] = 'Your IP address is blocked from account creation';
203 $block = $context->getUser()->getBlock();
204 if ( $block ) {
205 $result = array_merge( $result, ApiQueryUserInfo::getBlockInfo( $block ) );
206 }
207 break;
208
209 case LoginForm::THROTTLED:
210 $result['result'] = 'Throttled';
211 $throttle = $this->getConfig()->get( 'PasswordAttemptThrottle' );
212 $result['wait'] = intval( $throttle['seconds'] );
213 break;
214
215 case LoginForm::USER_BLOCKED:
216 $result['result'] = 'Blocked';
217 $block = User::newFromName( $params['name'] )->getBlock();
218 if ( $block ) {
219 $result = array_merge( $result, ApiQueryUserInfo::getBlockInfo( $block ) );
220 }
221 break;
222
223 case LoginForm::ABORTED:
224 $result['result'] = 'Aborted';
225 $result['reason'] = $loginForm->mAbortLoginErrorMsg;
226 break;
227
228 default:
229 ApiBase::dieDebug( __METHOD__, "Unhandled case value: {$authRes}" );
230 }
231
232 $this->getResult()->addValue( null, 'login', $result );
233
234 LoggerFactory::getInstance( 'authmanager' )->info( 'Login attempt', array(
235 'event' => 'login',
236 'successful' => $authRes === LoginForm::SUCCESS,
237 'loginType' => $loginType,
238 'status' => LoginForm::$statusCodes[$authRes],
239 ) );
240 }
241
242 public function mustBePosted() {
243 return true;
244 }
245
246 public function isReadMode() {
247 return false;
248 }
249
250 public function getAllowedParams() {
251 return array(
252 'name' => null,
253 'password' => array(
254 ApiBase::PARAM_TYPE => 'password',
255 ),
256 'domain' => null,
257 'token' => null,
258 );
259 }
260
261 protected function getExamplesMessages() {
262 return array(
263 'action=login&lgname=user&lgpassword=password'
264 => 'apihelp-login-example-gettoken',
265 'action=login&lgname=user&lgpassword=password&lgtoken=123ABC'
266 => 'apihelp-login-example-login',
267 );
268 }
269
270 public function getHelpUrls() {
271 return 'https://www.mediawiki.org/wiki/API:Login';
272 }
273 }
MediaWiki Core