3 * Copyright © 2006-2007 Yuri Astrakhan "<Firstname><Lastname>@gmail.com",
4 * Daniel Cannon (cannon dot danielc at gmail dot com)
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
19 * http://www.gnu.org/copyleft/gpl.html
24 use MediaWiki\Auth\AuthManager
;
25 use MediaWiki\Auth\AuthenticationRequest
;
26 use MediaWiki\Auth\AuthenticationResponse
;
27 use MediaWiki\Logger\LoggerFactory
;
30 * Unit to authenticate log-in attempts to the current wiki.
34 class ApiLogin
extends ApiBase
{
36 public function __construct( ApiMain
$main, $action ) {
37 parent
::__construct( $main, $action, 'lg' );
40 protected function getExtendedDescription() {
41 if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
42 return 'apihelp-login-extended-description';
44 return 'apihelp-login-extended-description-nobotpasswords';
49 * Format a message for the response
50 * @param Message|string|array $message
51 * @return string|array
53 private function formatMessage( $message ) {
54 $message = Message
::newFromSpecifier( $message );
55 $errorFormatter = $this->getErrorFormatter();
56 if ( $errorFormatter instanceof ApiErrorFormatter_BackCompat
) {
57 return ApiErrorFormatter
::stripMarkup(
58 $message->useDatabase( false )->inLanguage( 'en' )->text()
61 return $errorFormatter->formatMessage( $message );
66 * Executes the log-in attempt using the parameters passed. If
67 * the log-in succeeds, it attaches a cookie to the session
68 * and outputs the user id, username, and session token. If a
69 * log-in fails, as the result of a bad password, a nonexistent
70 * user, or any other reason, the host is cached with an expiry
71 * and no log-in attempts will be accepted until that expiry
72 * is reached. The expiry is $this->mLoginThrottle.
74 public function execute() {
75 // If we're in a mode that breaks the same-origin policy, no tokens can
77 if ( $this->lacksSameOriginSecurity() ) {
78 $this->getResult()->addValue( null, 'login', [
79 'result' => 'Aborted',
80 'reason' => $this->formatMessage( 'api-login-fail-sameorigin' ),
86 $this->requirePostedParameters( [ 'password', 'token' ] );
88 $params = $this->extractRequestParams();
92 // Make sure session is persisted
93 $session = MediaWiki\Session\SessionManager
::getGlobalSession();
96 // Make sure it's possible to log in
97 if ( !$session->canSetUser() ) {
98 $this->getResult()->addValue( null, 'login', [
99 'result' => 'Aborted',
100 'reason' => $this->formatMessage( [
101 'api-login-fail-badsessionprovider',
102 $session->getProvider()->describe( $this->getErrorFormatter()->getLanguage() ),
113 $token = $session->getToken( '', 'login' );
114 if ( $token->wasNew() ||
!$params['token'] ) {
115 $authRes = 'NeedToken';
116 } elseif ( !$token->match( $params['token'] ) ) {
117 $authRes = 'WrongToken';
122 $authRes === false && $this->getConfig()->get( 'EnableBotPasswords' ) &&
123 ( $botLoginData = BotPassword
::canonicalizeLoginData( $params['name'], $params['password'] ) )
125 $status = BotPassword
::login(
126 $botLoginData[0], $botLoginData[1], $this->getRequest()
128 if ( $status->isOK() ) {
129 $session = $status->getValue();
130 $authRes = 'Success';
131 $loginType = 'BotPassword';
133 $status->hasMessage( 'login-throttled' ) ||
134 $status->hasMessage( 'botpasswords-needs-reset' ) ||
135 $status->hasMessage( 'botpasswords-locked' )
138 $message = $status->getMessage();
139 LoggerFactory
::getInstance( 'authentication' )->info(
140 'BotPassword login failed: ' . $status->getWikiText( false, false, 'en' )
143 // For other errors, let's see if it's a valid non-bot login
146 if ( $authRes === false ) {
147 // Simplified AuthManager login, for backwards compatibility
148 $manager = AuthManager
::singleton();
149 $reqs = AuthenticationRequest
::loadRequestsFromSubmission(
150 $manager->getAuthenticationRequests( AuthManager
::ACTION_LOGIN
, $this->getUser() ),
152 'username' => $params['name'],
153 'password' => $params['password'],
154 'domain' => $params['domain'],
155 'rememberMe' => true,
158 $res = AuthManager
::singleton()->beginAuthentication( $reqs, 'null:' );
159 switch ( $res->status
) {
160 case AuthenticationResponse
::PASS
:
161 if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
162 $this->addDeprecation( 'apiwarn-deprecation-login-botpw', 'main-account-login' );
164 $this->addDeprecation( 'apiwarn-deprecation-login-nobotpw', 'main-account-login' );
166 $authRes = 'Success';
167 $loginType = 'AuthManager';
170 case AuthenticationResponse
::FAIL
:
171 // Hope it's not a PreAuthenticationProvider that failed...
173 $message = $res->message
;
174 \MediaWiki\Logger\LoggerFactory
::getInstance( 'authentication' )
175 ->info( __METHOD__
. ': Authentication failed: '
176 . $message->inLanguage( 'en' )->plain() );
180 \MediaWiki\Logger\LoggerFactory
::getInstance( 'authentication' )
181 ->info( __METHOD__
. ': Authentication failed due to unsupported response type: '
182 . $res->status
, $this->getAuthenticationResponseLogData( $res ) );
183 $authRes = 'Aborted';
188 $result['result'] = $authRes;
189 switch ( $authRes ) {
191 $user = $session->getUser();
193 ApiQueryInfo
::resetTokenCache();
197 Hooks
::run( 'UserLoginComplete', [ &$user, &$injected_html, true ] );
199 $result['lguserid'] = (int)$user->getId();
200 $result['lgusername'] = $user->getName();
204 $result['token'] = $token->toString();
205 $this->addDeprecation( 'apiwarn-deprecation-login-token', 'action=login&!lgtoken' );
212 $result['reason'] = $this->formatMessage( $message );
216 $result['reason'] = $this->formatMessage(
217 $this->getConfig()->get( 'EnableBotPasswords' )
218 ?
'api-login-fail-aborted'
219 : 'api-login-fail-aborted-nobotpw'
223 // @codeCoverageIgnoreStart
226 ApiBase
::dieDebug( __METHOD__
, "Unhandled case value: {$authRes}" );
227 // @codeCoverageIgnoreEnd
230 $this->getResult()->addValue( null, 'login', $result );
232 LoggerFactory
::getInstance( 'authevents' )->info( 'Login attempt', [
234 'successful' => $authRes === 'Success',
235 'loginType' => $loginType,
236 'status' => $authRes,
240 public function isDeprecated() {
241 return !$this->getConfig()->get( 'EnableBotPasswords' );
244 public function mustBePosted() {
248 public function isReadMode() {
252 public function getAllowedParams() {
256 ApiBase
::PARAM_TYPE
=> 'password',
260 ApiBase
::PARAM_TYPE
=> 'string',
261 ApiBase
::PARAM_REQUIRED
=> false, // for BC
262 ApiBase
::PARAM_SENSITIVE
=> true,
263 ApiBase
::PARAM_HELP_MSG
=> [ 'api-help-param-token', 'login' ],
268 protected function getExamplesMessages() {
270 'action=login&lgname=user&lgpassword=password'
271 => 'apihelp-login-example-gettoken',
272 'action=login&lgname=user&lgpassword=password&lgtoken=123ABC'
273 => 'apihelp-login-example-login',
277 public function getHelpUrls() {
278 return 'https://www.mediawiki.org/wiki/Special:MyLanguage/API:Login';
282 * Turns an AuthenticationResponse into a hash suitable for passing to Logger
283 * @param AuthenticationResponse $response
286 protected function getAuthenticationResponseLogData( AuthenticationResponse
$response ) {
288 'status' => $response->status
,
290 if ( $response->message
) {
291 $ret['message'] = $response->message
->inLanguage( 'en' )->plain();
294 'neededRequests' => $response->neededRequests
,
295 'createRequest' => $response->createRequest
,
296 'linkRequest' => $response->linkRequest
,
298 foreach ( $reqs as $k => $v ) {
300 $v = is_array( $v ) ?
$v : [ $v ];
301 $reqClasses = array_unique( array_map( 'get_class', $v ) );
303 $ret[$k] = implode( ', ', $reqClasses );