dépôts / lhc / web / wiklou.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Revert "API: Remove deprecated response values from action=login"
[lhc/web/wiklou.git] / includes / api / ApiLogin.php
1 <?php
2 /**
3 *
4 *
5 * Created on Sep 19, 2006
6 *
7 * Copyright © 2006-2007 Yuri Astrakhan "<Firstname><Lastname>@gmail.com",
8 * Daniel Cannon (cannon dot danielc at gmail dot com)
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
23 * http://www.gnu.org/copyleft/gpl.html
24 *
25 * @file
26 */
27
28 use MediaWiki\Auth\AuthManager;
29 use MediaWiki\Auth\AuthenticationRequest;
30 use MediaWiki\Auth\AuthenticationResponse;
31 use MediaWiki\Logger\LoggerFactory;
32
33 /**
34 * Unit to authenticate log-in attempts to the current wiki.
35 *
36 * @ingroup API
37 */
38 class ApiLogin extends ApiBase {
39
40 public function __construct( ApiMain $main, $action ) {
41 parent::__construct( $main, $action, 'lg' );
42 }
43
44 protected function getDescriptionMessage() {
45 if ( $this->getConfig()->get( 'DisableAuthManager' ) ) {
46 return 'apihelp-login-description-nonauthmanager';
47 } elseif ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
48 return 'apihelp-login-description';
49 } else {
50 return 'apihelp-login-description-nobotpasswords';
51 }
52 }
53
54 /**
55 * Executes the log-in attempt using the parameters passed. If
56 * the log-in succeeds, it attaches a cookie to the session
57 * and outputs the user id, username, and session token. If a
58 * log-in fails, as the result of a bad password, a nonexistent
59 * user, or any other reason, the host is cached with an expiry
60 * and no log-in attempts will be accepted until that expiry
61 * is reached. The expiry is $this->mLoginThrottle.
62 */
63 public function execute() {
64 // If we're in a mode that breaks the same-origin policy, no tokens can
65 // be obtained
66 if ( $this->lacksSameOriginSecurity() ) {
67 $this->getResult()->addValue( null, 'login', [
68 'result' => 'Aborted',
69 'reason' => 'Cannot log in when the same-origin policy is not applied',
70 ] );
71
72 return;
73 }
74
75 $params = $this->extractRequestParams();
76
77 $result = [];
78
79 // Make sure session is persisted
80 $session = MediaWiki\Session\SessionManager::getGlobalSession();
81 $session->persist();
82
83 // Make sure it's possible to log in
84 if ( !$session->canSetUser() ) {
85 $this->getResult()->addValue( null, 'login', [
86 'result' => 'Aborted',
87 'reason' => 'Cannot log in when using ' .
88 $session->getProvider()->describe( Language::factory( 'en' ) ),
89 ] );
90
91 return;
92 }
93
94 $authRes = false;
95 $context = new DerivativeContext( $this->getContext() );
96 $loginType = 'N/A';
97
98 // Check login token
99 $token = $session->getToken( '', 'login' );
100 if ( $token->wasNew() || !$params['token'] ) {
101 $authRes = 'NeedToken';
102 } elseif ( !$token->match( $params['token'] ) ) {
103 $authRes = 'WrongToken';
104 }
105
106 // Try bot passwords
107 if ( $authRes === false && $this->getConfig()->get( 'EnableBotPasswords' ) &&
108 strpos( $params['name'], BotPassword::getSeparator() ) !== false
109 ) {
110 $status = BotPassword::login(
111 $params['name'], $params['password'], $this->getRequest()
112 );
113 if ( $status->isOK() ) {
114 $session = $status->getValue();
115 $authRes = 'Success';
116 $loginType = 'BotPassword';
117 } else {
118 $authRes = 'Failed';
119 $message = $status->getMessage();
120 LoggerFactory::getInstance( 'authmanager' )->info(
121 'BotPassword login failed: ' . $status->getWikiText( false, false, 'en' )
122 );
123 }
124 }
125
126 if ( $authRes === false ) {
127 if ( $this->getConfig()->get( 'DisableAuthManager' ) ) {
128 // Non-AuthManager login
129 $context->setRequest( new DerivativeRequest(
130 $this->getContext()->getRequest(),
131 [
132 'wpName' => $params['name'],
133 'wpPassword' => $params['password'],
134 'wpDomain' => $params['domain'],
135 'wpLoginToken' => $params['token'],
136 'wpRemember' => ''
137 ]
138 ) );
139 $loginForm = new LoginForm();
140 $loginForm->setContext( $context );
141 $authRes = $loginForm->authenticateUserData();
142 $loginType = 'LoginForm';
143
144 switch ( $authRes ) {
145 case LoginForm::SUCCESS:
146 $authRes = 'Success';
147 break;
148 case LoginForm::NEED_TOKEN:
149 $authRes = 'NeedToken';
150 break;
151 }
152 } else {
153 // Simplified AuthManager login, for backwards compatibility
154 $manager = AuthManager::singleton();
155 $reqs = AuthenticationRequest::loadRequestsFromSubmission(
156 $manager->getAuthenticationRequests( AuthManager::ACTION_LOGIN, $this->getUser() ),
157 [
158 'username' => $params['name'],
159 'password' => $params['password'],
160 'domain' => $params['domain'],
161 'rememberMe' => true,
162 ]
163 );
164 $res = AuthManager::singleton()->beginAuthentication( $reqs, 'null:' );
165 switch ( $res->status ) {
166 case AuthenticationResponse::PASS:
167 if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
168 $warn = 'Main-account login via action=login is deprecated and may stop working ' .
169 'without warning.';
170 $warn .= ' To continue login with action=login, see [[Special:BotPasswords]].';
171 $warn .= ' To safely continue using main-account login, see action=clientlogin.';
172 } else {
173 $warn = 'Login via action=login is deprecated and may stop working without warning.';
174 $warn .= ' To safely log in, see action=clientlogin.';
175 }
176 $this->setWarning( $warn );
177 $authRes = 'Success';
178 $loginType = 'AuthManager';
179 break;
180
181 case AuthenticationResponse::FAIL:
182 // Hope it's not a PreAuthenticationProvider that failed...
183 $authRes = 'Failed';
184 $message = $res->message;
185 \MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' )
186 ->info( __METHOD__ . ': Authentication failed: ' . $message->plain() );
187 break;
188
189 default:
190 $authRes = 'Aborted';
191 break;
192 }
193 }
194 }
195
196 $result['result'] = $authRes;
197 switch ( $authRes ) {
198 case 'Success':
199 if ( $this->getConfig()->get( 'DisableAuthManager' ) ) {
200 $user = $context->getUser();
201 $this->getContext()->setUser( $user );
202 $user->setCookies( $this->getRequest(), null, true );
203 } else {
204 $user = $session->getUser();
205 }
206
207 ApiQueryInfo::resetTokenCache();
208
209 // Deprecated hook
210 $injected_html = '';
211 Hooks::run( 'UserLoginComplete', [ &$user, &$injected_html, true ] );
212
213 $result['lguserid'] = intval( $user->getId() );
214 $result['lgusername'] = $user->getName();
215
216 // @todo: These are deprecated, and should be removed at some
217 // point (1.28 at the earliest, and see T121527). They were ok
218 // when the core cookie-based login was the only thing, but
219 // CentralAuth broke that a while back and
220 // SessionManager/AuthManager *really* break it.
221 $result['lgtoken'] = $user->getToken();
222 $result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
223 $result['sessionid'] = $session->getId();
224 break;
225
226 case 'NeedToken':
227 $result['token'] = $token->toString();
228 $this->setWarning( 'Fetching a token via action=login is deprecated. ' .
229 'Use action=query&meta=tokens&type=login instead.' );
230 $this->logFeatureUsage( 'action=login&!lgtoken' );
231
232 // @todo: See above about deprecation
233 $result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
234 $result['sessionid'] = $session->getId();
235 break;
236
237 case 'WrongToken':
238 break;
239
240 case 'Failed':
241 $result['reason'] = $message->useDatabase( 'false' )->inLanguage( 'en' )->text();
242 break;
243
244 case 'Aborted':
245 $result['reason'] = 'Authentication requires user interaction, ' .
246 'which is not supported by action=login.';
247 if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
248 $result['reason'] .= ' To be able to login with action=login, see [[Special:BotPasswords]].';
249 $result['reason'] .= ' To continue using main-account login, see action=clientlogin.';
250 } else {
251 $result['reason'] .= ' To log in, see action=clientlogin.';
252 }
253 break;
254
255 // Results from LoginForm for when $wgDisableAuthManager is true
256 case LoginForm::WRONG_TOKEN:
257 $result['result'] = 'WrongToken';
258 break;
259
260 case LoginForm::NO_NAME:
261 $result['result'] = 'NoName';
262 break;
263
264 case LoginForm::ILLEGAL:
265 $result['result'] = 'Illegal';
266 break;
267
268 case LoginForm::WRONG_PLUGIN_PASS:
269 $result['result'] = 'WrongPluginPass';
270 break;
271
272 case LoginForm::NOT_EXISTS:
273 $result['result'] = 'NotExists';
274 break;
275
276 // bug 20223 - Treat a temporary password as wrong. Per SpecialUserLogin:
277 // The e-mailed temporary password should not be used for actual logins.
278 case LoginForm::RESET_PASS:
279 case LoginForm::WRONG_PASS:
280 $result['result'] = 'WrongPass';
281 break;
282
283 case LoginForm::EMPTY_PASS:
284 $result['result'] = 'EmptyPass';
285 break;
286
287 case LoginForm::CREATE_BLOCKED:
288 $result['result'] = 'CreateBlocked';
289 $result['details'] = 'Your IP address is blocked from account creation';
290 $block = $context->getUser()->getBlock();
291 if ( $block ) {
292 $result = array_merge( $result, ApiQueryUserInfo::getBlockInfo( $block ) );
293 }
294 break;
295
296 case LoginForm::THROTTLED:
297 $result['result'] = 'Throttled';
298 $result['wait'] = intval( $loginForm->mThrottleWait );
299 break;
300
301 case LoginForm::USER_BLOCKED:
302 $result['result'] = 'Blocked';
303 $block = User::newFromName( $params['name'] )->getBlock();
304 if ( $block ) {
305 $result = array_merge( $result, ApiQueryUserInfo::getBlockInfo( $block ) );
306 }
307 break;
308
309 case LoginForm::ABORTED:
310 $result['result'] = 'Aborted';
311 $result['reason'] = $loginForm->mAbortLoginErrorMsg;
312 break;
313
314 default:
315 ApiBase::dieDebug( __METHOD__, "Unhandled case value: {$authRes}" );
316 }
317
318 $this->getResult()->addValue( null, 'login', $result );
319
320 if ( $loginType === 'LoginForm' && isset( LoginForm::$statusCodes[$authRes] ) ) {
321 $authRes = LoginForm::$statusCodes[$authRes];
322 }
323 LoggerFactory::getInstance( 'authmanager' )->info( 'Login attempt', [
324 'event' => 'login',
325 'successful' => $authRes === 'Success',
326 'loginType' => $loginType,
327 'status' => $authRes,
328 ] );
329 }
330
331 public function isDeprecated() {
332 return !$this->getConfig()->get( 'DisableAuthManager' ) &&
333 !$this->getConfig()->get( 'EnableBotPasswords' );
334 }
335
336 public function mustBePosted() {
337 return true;
338 }
339
340 public function isReadMode() {
341 return false;
342 }
343
344 public function getAllowedParams() {
345 return [
346 'name' => null,
347 'password' => [
348 ApiBase::PARAM_TYPE => 'password',
349 ],
350 'domain' => null,
351 'token' => [
352 ApiBase::PARAM_TYPE => 'string',
353 ApiBase::PARAM_REQUIRED => false, // for BC
354 ApiBase::PARAM_HELP_MSG => [ 'api-help-param-token', 'login' ],
355 ],
356 ];
357 }
358
359 protected function getExamplesMessages() {
360 return [
361 'action=login&lgname=user&lgpassword=password'
362 => 'apihelp-login-example-gettoken',
363 'action=login&lgname=user&lgpassword=password&lgtoken=123ABC'
364 => 'apihelp-login-example-login',
365 ];
366 }
367
368 public function getHelpUrls() {
369 return 'https://www.mediawiki.org/wiki/API:Login';
370 }
371 }
Wiklou, le Wiki du Wiklou