*/
public static function canonicalizeLoginData( $username, $password ) {
$sep = BotPassword::getSeparator();
- if ( strpos( $username, $sep ) !== false ) {
- // the separator is not valid in usernames so this must be a bot login
- return [ $username, $password, false ];
+ // the strlen check helps minimize the password information obtainable from timing
+ if ( strlen( $password ) >= 32 && strpos( $username, $sep ) !== false ) {
+ // the separator is not valid in new usernames but might appear in legacy ones
+ if ( preg_match( '/^[0-9a-w]{32,}$/', $password ) ) {
+ return [ $username, $password, true ];
+ }
} elseif ( strlen( $password ) > 32 && strpos( $password, $sep ) !== false ) {
- // the strlen check helps minimize the password information obtainable from timing
$segments = explode( $sep, $password );
$password = array_pop( $segments );
$appId = implode( $sep, $segments );
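Review bot: The `elseif` joining the two new branches makes the login forms mutually exclusive by username: when `$username` contains the separator and `$password` is 32 chars or longer but fails the `[0-9a-w]{32,}` test (for example a legacy `name@host` account submitting `appid@<32-char token>` in the password field), the first branch falls through and the password-side branch is never evaluated. If that is intended, say so next to the first branch, e.g. `// a separator in the username wins; the password-side form is not tried for legacy names`; otherwise `} elseif (` could become `}` followed by `if (` so both forms are checked independently, with a data-provider row such as `[ 'legacy@user', 'bot@12345678901234567890123456789012', ... ]` pinning whichever decision is made. Separately, if generated bot passwords use a base-32 alphabet of `0-9a-v`, the class `[0-9a-w]` is one symbol looser than needed — harmless, but a short comment naming the expected alphabet would help the next reader. The tail of canonicalizeLoginData (the password-side return and the final return) lies outside this hunk, so the fall-through is inferred from the visible control flow.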
$centralId = CentralIdLookup::factory()->centralIdFromLocalUser( $user->getUser() );
$this->assertNotEquals( 0, $centralId, 'sanity check' );
+ $password = 'ngfhmjm64hv0854493hsj5nncjud2clk';
$passwordFactory = new PasswordFactory();
$passwordFactory->init( RequestContext::getMain()->getConfig() );
// A is unsalted MD5 (thus fast) ... we don't care about security here, this is test only
- $passwordHash = $passwordFactory->newFromPlaintext( 'foobaz' );
+ $passwordHash = $passwordFactory->newFromPlaintext( $password );
$dbw = wfGetDB( DB_MASTER );
$dbw->insert(
$ret = $this->doApiRequest( [
'action' => 'login',
'lgname' => $lgName,
- 'lgpassword' => 'foobaz',
+ 'lgpassword' => $password,
] );
$result = $ret[0];
'action' => 'login',
'lgtoken' => $token,
'lgname' => $lgName,
- 'lgpassword' => 'foobaz',
+ 'lgpassword' => $password,
], $ret[2] );
$result = $ret[0];
return [
[ 'user', 'pass', false ],
[ 'user', 'abc@def', false ],
+ [ 'legacy@user', 'pass', false ],
[ 'user@bot', '12345678901234567890123456789012',
- [ 'user@bot', '12345678901234567890123456789012', false ] ],
+ [ 'user@bot', '12345678901234567890123456789012', true ] ],
[ 'user', 'bot@12345678901234567890123456789012',
[ 'user@bot', '12345678901234567890123456789012', true ] ],
[ 'user', 'bot@12345678901234567890123456789012345',