3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
13 * You should have received a copy of the GNU General Public License along
14 * with this program; if not, write to the Free Software Foundation, Inc.,
15 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 * http://www.gnu.org/copyleft/gpl.html
22 namespace MediaWiki\Auth
;
29 * Basic framework for a primary authentication provider that uses passwords
33 abstract class AbstractPasswordPrimaryAuthenticationProvider
34 extends AbstractPrimaryAuthenticationProvider
36 /** @var bool Whether this provider should ABSTAIN (false) or FAIL (true) on password failure */
37 protected $authoritative;
39 private $passwordFactory = null;
42 * @param array $params Settings
43 * - authoritative: Whether this provider should ABSTAIN (false) or FAIL
44 * (true) on password failure
46 public function __construct( array $params = [] ) {
47 $this->authoritative
= !isset( $params['authoritative'] ) ||
(bool)$params['authoritative'];
51 * Get the PasswordFactory
52 * @return PasswordFactory
54 protected function getPasswordFactory() {
55 if ( $this->passwordFactory
=== null ) {
56 $this->passwordFactory
= new PasswordFactory(
57 $this->config
->get( 'PasswordConfig' ),
58 $this->config
->get( 'PasswordDefault' )
61 return $this->passwordFactory
;
65 * Get a Password object from the hash
69 protected function getPassword( $hash ) {
70 $passwordFactory = $this->getPasswordFactory();
72 return $passwordFactory->newFromCiphertext( $hash );
73 } catch ( \PasswordError
$e ) {
74 $class = static::class;
75 $this->logger
->debug( "Invalid password hash in {$class}::getPassword()" );
76 return $passwordFactory->newFromCiphertext( null );
81 * Return the appropriate response for failure
82 * @param PasswordAuthenticationRequest $req
83 * @return AuthenticationResponse
85 protected function failResponse( PasswordAuthenticationRequest
$req ) {
86 if ( $this->authoritative
) {
87 return AuthenticationResponse
::newFail(
88 wfMessage( $req->password
=== '' ?
'wrongpasswordempty' : 'wrongpassword' )
91 return AuthenticationResponse
::newAbstain();
96 * Check that the password is valid
98 * This should be called *before* validating the password. If the result is
99 * not ok, login should fail immediately.
101 * @param string $username
102 * @param string $password
105 protected function checkPasswordValidity( $username, $password ) {
106 return \User
::newFromName( $username )->checkPasswordValidity( $password );
110 * Check if the password should be reset
112 * This should be called after a successful login. It sets 'reset-pass'
113 * authentication data if necessary, see
114 * ResetPassSecondaryAuthenticationProvider.
116 * @param string $username
117 * @param Status $status From $this->checkPasswordValidity()
118 * @param mixed|null $data Passed through to $this->getPasswordResetData()
120 protected function setPasswordResetFlag( $username, Status
$status, $data = null ) {
121 $reset = $this->getPasswordResetData( $username, $data );
123 if ( !$reset && $this->config
->get( 'InvalidPasswordReset' ) && !$status->isGood() ) {
124 $hard = $status->getValue()['forceChange'] ??
false;
126 if ( $hard ||
!empty( $status->getValue()['suggestChangeOnLogin'] ) ) {
128 'msg' => $status->getMessage( $hard ?
'resetpass-validity' : 'resetpass-validity-soft' ),
135 $this->manager
->setAuthenticationSessionData( 'reset-pass', $reset );
140 * Get password reset data, if any
142 * @param string $username
144 * @return object|null { 'hard' => bool, 'msg' => Message }
146 protected function getPasswordResetData( $username, $data ) {
151 * Get expiration date for a new password, if any
153 * @param string $username
154 * @return string|null
156 protected function getNewPasswordExpiry( $username ) {
157 $days = $this->config
->get( 'PasswordExpirationDays' );
158 $expires = $days ?
wfTimestamp( TS_MW
, time() +
$days * 86400 ) : null;
160 // Give extensions a chance to force an expiration
161 \Hooks
::run( 'ResetPasswordExpiration', [ \User
::newFromName( $username ), &$expires ] );
166 public function getAuthenticationRequests( $action, array $options ) {
168 case AuthManager
::ACTION_LOGIN
:
169 case AuthManager
::ACTION_REMOVE
:
170 case AuthManager
::ACTION_CREATE
:
171 case AuthManager
::ACTION_CHANGE
:
172 return [ new PasswordAuthenticationRequest() ];