5 * Created on Sep 19, 2006
7 * Copyright © 2006-2007 Yuri Astrakhan "<Firstname><Lastname>@gmail.com",
8 * Daniel Cannon (cannon dot danielc at gmail dot com)
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
23 * http://www.gnu.org/copyleft/gpl.html
28 use MediaWiki\Auth\AuthManager
;
29 use MediaWiki\Auth\AuthenticationRequest
;
30 use MediaWiki\Auth\AuthenticationResponse
;
31 use MediaWiki\Logger\LoggerFactory
;
34 * Unit to authenticate log-in attempts to the current wiki.
38 class ApiLogin
extends ApiBase
{
40 public function __construct( ApiMain
$main, $action ) {
41 parent
::__construct( $main, $action, 'lg' );
44 protected function getDescriptionMessage() {
45 if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
46 return 'apihelp-login-description';
48 return 'apihelp-login-description-nobotpasswords';
53 * Executes the log-in attempt using the parameters passed. If
54 * the log-in succeeds, it attaches a cookie to the session
55 * and outputs the user id, username, and session token. If a
56 * log-in fails, as the result of a bad password, a nonexistent
57 * user, or any other reason, the host is cached with an expiry
58 * and no log-in attempts will be accepted until that expiry
59 * is reached. The expiry is $this->mLoginThrottle.
61 public function execute() {
62 // If we're in a mode that breaks the same-origin policy, no tokens can
64 if ( $this->lacksSameOriginSecurity() ) {
65 $this->getResult()->addValue( null, 'login', [
66 'result' => 'Aborted',
67 'reason' => 'Cannot log in when the same-origin policy is not applied',
74 $this->requirePostedParameters( [ 'password', 'token' ] );
75 } catch ( UsageException
$ex ) {
76 // Make this a warning for now, upgrade to an error in 1.29.
77 $this->setWarning( $ex->getMessage() );
78 $this->logFeatureUsage( 'login-params-in-query-string' );
81 $params = $this->extractRequestParams();
85 // Make sure session is persisted
86 $session = MediaWiki\Session\SessionManager
::getGlobalSession();
89 // Make sure it's possible to log in
90 if ( !$session->canSetUser() ) {
91 $this->getResult()->addValue( null, 'login', [
92 'result' => 'Aborted',
93 'reason' => 'Cannot log in when using ' .
94 $session->getProvider()->describe( Language
::factory( 'en' ) ),
101 $context = new DerivativeContext( $this->getContext() );
105 $token = $session->getToken( '', 'login' );
106 if ( $token->wasNew() ||
!$params['token'] ) {
107 $authRes = 'NeedToken';
108 } elseif ( !$token->match( $params['token'] ) ) {
109 $authRes = 'WrongToken';
113 if ( $authRes === false && $this->getConfig()->get( 'EnableBotPasswords' ) &&
114 strpos( $params['name'], BotPassword
::getSeparator() ) !== false
116 $status = BotPassword
::login(
117 $params['name'], $params['password'], $this->getRequest()
119 if ( $status->isOK() ) {
120 $session = $status->getValue();
121 $authRes = 'Success';
122 $loginType = 'BotPassword';
125 $message = $status->getMessage();
126 LoggerFactory
::getInstance( 'authentication' )->info(
127 'BotPassword login failed: ' . $status->getWikiText( false, false, 'en' )
132 if ( $authRes === false ) {
133 // Simplified AuthManager login, for backwards compatibility
134 $manager = AuthManager
::singleton();
135 $reqs = AuthenticationRequest
::loadRequestsFromSubmission(
136 $manager->getAuthenticationRequests( AuthManager
::ACTION_LOGIN
, $this->getUser() ),
138 'username' => $params['name'],
139 'password' => $params['password'],
140 'domain' => $params['domain'],
141 'rememberMe' => true,
144 $res = AuthManager
::singleton()->beginAuthentication( $reqs, 'null:' );
145 switch ( $res->status
) {
146 case AuthenticationResponse
::PASS
:
147 if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
148 $warn = 'Main-account login via action=login is deprecated and may stop working ' .
150 $warn .= ' To continue login with action=login, see [[Special:BotPasswords]].';
151 $warn .= ' To safely continue using main-account login, see action=clientlogin.';
153 $warn = 'Login via action=login is deprecated and may stop working without warning.';
154 $warn .= ' To safely log in, see action=clientlogin.';
156 $this->setWarning( $warn );
157 $authRes = 'Success';
158 $loginType = 'AuthManager';
161 case AuthenticationResponse
::FAIL
:
162 // Hope it's not a PreAuthenticationProvider that failed...
164 $message = $res->message
;
165 \MediaWiki\Logger\LoggerFactory
::getInstance( 'authentication' )
166 ->info( __METHOD__
. ': Authentication failed: '
167 . $message->inLanguage( 'en' )->plain() );
171 \MediaWiki\Logger\LoggerFactory
::getInstance( 'authentication' )
172 ->info( __METHOD__
. ': Authentication failed due to unsupported response type: '
173 . $res->status
, $this->getAuthenticationResponseLogData( $res ) );
174 $authRes = 'Aborted';
179 $result['result'] = $authRes;
180 switch ( $authRes ) {
182 $user = $session->getUser();
184 ApiQueryInfo
::resetTokenCache();
188 Hooks
::run( 'UserLoginComplete', [ &$user, &$injected_html, true ] );
190 $result['lguserid'] = intval( $user->getId() );
191 $result['lgusername'] = $user->getName();
193 // @todo: These are deprecated, and should be removed at some
194 // point (1.28 at the earliest, and see T121527). They were ok
195 // when the core cookie-based login was the only thing, but
196 // CentralAuth broke that a while back and
197 // SessionManager/AuthManager *really* break it.
198 $result['lgtoken'] = $user->getToken();
199 $result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
200 $result['sessionid'] = $session->getId();
204 $result['token'] = $token->toString();
205 $this->setWarning( 'Fetching a token via action=login is deprecated. ' .
206 'Use action=query&meta=tokens&type=login instead.' );
207 $this->logFeatureUsage( 'action=login&!lgtoken' );
209 // @todo: See above about deprecation
210 $result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
211 $result['sessionid'] = $session->getId();
218 $result['reason'] = $message->useDatabase( 'false' )->inLanguage( 'en' )->text();
222 $result['reason'] = 'Authentication requires user interaction, ' .
223 'which is not supported by action=login.';
224 if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
225 $result['reason'] .= ' To be able to login with action=login, see [[Special:BotPasswords]].';
226 $result['reason'] .= ' To continue using main-account login, see action=clientlogin.';
228 $result['reason'] .= ' To log in, see action=clientlogin.';
233 ApiBase
::dieDebug( __METHOD__
, "Unhandled case value: {$authRes}" );
236 $this->getResult()->addValue( null, 'login', $result );
238 if ( $loginType === 'LoginForm' && isset( LoginForm
::$statusCodes[$authRes] ) ) {
239 $authRes = LoginForm
::$statusCodes[$authRes];
241 LoggerFactory
::getInstance( 'authevents' )->info( 'Login attempt', [
243 'successful' => $authRes === 'Success',
244 'loginType' => $loginType,
245 'status' => $authRes,
249 public function isDeprecated() {
250 return !$this->getConfig()->get( 'EnableBotPasswords' );
253 public function mustBePosted() {
257 public function isReadMode() {
261 public function getAllowedParams() {
265 ApiBase
::PARAM_TYPE
=> 'password',
269 ApiBase
::PARAM_TYPE
=> 'string',
270 ApiBase
::PARAM_REQUIRED
=> false, // for BC
271 ApiBase
::PARAM_HELP_MSG
=> [ 'api-help-param-token', 'login' ],
276 protected function getExamplesMessages() {
278 'action=login&lgname=user&lgpassword=password'
279 => 'apihelp-login-example-gettoken',
280 'action=login&lgname=user&lgpassword=password&lgtoken=123ABC'
281 => 'apihelp-login-example-login',
285 public function getHelpUrls() {
286 return 'https://www.mediawiki.org/wiki/API:Login';
290 * Turns an AuthenticationResponse into a hash suitable for passing to Logger
291 * @param AuthenticationResponse $response
294 protected function getAuthenticationResponseLogData( AuthenticationResponse
$response ) {
296 'status' => $response->status
,
298 if ( $response->message
) {
299 $ret['message'] = $response->message
->inLanguage( 'en' )->plain();
302 'neededRequests' => $response->neededRequests
,
303 'createRequest' => $response->createRequest
,
304 'linkRequest' => $response->linkRequest
,
306 foreach ( $reqs as $k => $v ) {
308 $v = is_array( $v ) ?
$v : [ $v ];
309 $reqClasses = array_unique( array_map( 'get_class', $v ) );
311 $ret[$k] = implode( ', ', $reqClasses );