/**
* Executes the log-in attempt using the parameters passed. If
* the log-in succeeds, it attaches a cookie to the session
* and outputs the user id, username, and session token. If a
* log-in fails, as the result of a bad password, a nonexistent
* user, or any other reason, the host is cached with an expiry
* and no log-in attempts will be accepted until that expiry
* is reached. The expiry is $this->mLoginThrottle.
*/
public function execute()
{
// If we're in a mode that breaks the same-origin policy, no tokens can
// be obtained
if ($this->lacksSameOriginSecurity()) {
$this->getResult()->addValue(null, 'login', ['result' => 'Aborted', 'reason' => 'Cannot log in when the same-origin policy is not applied']);
return;
}
try {
$this->requirePostedParameters(['password', 'token']);
} catch (UsageException $ex) {
// Make this a warning for now, upgrade to an error in 1.29.
$this->setWarning($ex->getMessage());
$this->logFeatureUsage('login-params-in-query-string');
}
$params = $this->extractRequestParams();
$result = [];
// Make sure session is persisted
$session = MediaWiki\Session\SessionManager::getGlobalSession();
$session->persist();
// Make sure it's possible to log in
if (!$session->canSetUser()) {
$this->getResult()->addValue(null, 'login', ['result' => 'Aborted', 'reason' => 'Cannot log in when using ' . $session->getProvider()->describe(Language::factory('en'))]);
return;
}
$authRes = false;
$context = new DerivativeContext($this->getContext());
$loginType = 'N/A';
// Check login token
$token = $session->getToken('', 'login');
if ($token->wasNew() || !$params['token']) {
$authRes = 'NeedToken';
} elseif (!$token->match($params['token'])) {
$authRes = 'WrongToken';
}
// Try bot passwords
if ($authRes === false && $this->getConfig()->get('EnableBotPasswords') && ($botLoginData = BotPassword::canonicalizeLoginData($params['name'], $params['password']))) {
$status = BotPassword::login($botLoginData[0], $botLoginData[1], $this->getRequest());
if ($status->isOK()) {
$session = $status->getValue();
$authRes = 'Success';
$loginType = 'BotPassword';
} elseif (!$botLoginData[2]) {
$authRes = 'Failed';
$message = $status->getMessage();
LoggerFactory::getInstance('authentication')->info('BotPassword login failed: ' . $status->getWikiText(false, false, 'en'));
}
}
if ($authRes === false) {
// Simplified AuthManager login, for backwards compatibility
$manager = AuthManager::singleton();
$reqs = AuthenticationRequest::loadRequestsFromSubmission($manager->getAuthenticationRequests(AuthManager::ACTION_LOGIN, $this->getUser()), ['username' => $params['name'], 'password' => $params['password'], 'domain' => $params['domain'], 'rememberMe' => true]);
$res = AuthManager::singleton()->beginAuthentication($reqs, 'null:');
switch ($res->status) {
case AuthenticationResponse::PASS:
if ($this->getConfig()->get('EnableBotPasswords')) {
$warn = 'Main-account login via action=login is deprecated and may stop working ' . 'without warning.';
$warn .= ' To continue login with action=login, see [[Special:BotPasswords]].';
$warn .= ' To safely continue using main-account login, see action=clientlogin.';
} else {
$warn = 'Login via action=login is deprecated and may stop working without warning.';
$warn .= ' To safely log in, see action=clientlogin.';
}
$this->setWarning($warn);
$authRes = 'Success';
$loginType = 'AuthManager';
break;
case AuthenticationResponse::FAIL:
// Hope it's not a PreAuthenticationProvider that failed...
$authRes = 'Failed';
$message = $res->message;
\MediaWiki\Logger\LoggerFactory::getInstance('authentication')->info(__METHOD__ . ': Authentication failed: ' . $message->inLanguage('en')->plain());
break;
default:
\MediaWiki\Logger\LoggerFactory::getInstance('authentication')->info(__METHOD__ . ': Authentication failed due to unsupported response type: ' . $res->status, $this->getAuthenticationResponseLogData($res));
$authRes = 'Aborted';
break;
}
}
$result['result'] = $authRes;
switch ($authRes) {
case 'Success':
$user = $session->getUser();
ApiQueryInfo::resetTokenCache();
// Deprecated hook
$injected_html = '';
Hooks::run('UserLoginComplete', [&$user, &$injected_html, true]);
$result['lguserid'] = intval($user->getId());
$result['lgusername'] = $user->getName();
break;
case 'NeedToken':
$result['token'] = $token->toString();
$this->setWarning('Fetching a token via action=login is deprecated. ' . 'Use action=query&meta=tokens&type=login instead.');
$this->logFeatureUsage('action=login&!lgtoken');
break;
case 'WrongToken':
break;
case 'Failed':
$result['reason'] = $message->useDatabase('false')->inLanguage('en')->text();
break;
case 'Aborted':
$result['reason'] = 'Authentication requires user interaction, ' . 'which is not supported by action=login.';
if ($this->getConfig()->get('EnableBotPasswords')) {
$result['reason'] .= ' To be able to login with action=login, see [[Special:BotPasswords]].';
$result['reason'] .= ' To continue using main-account login, see action=clientlogin.';
} else {
$result['reason'] .= ' To log in, see action=clientlogin.';
}
break;
default:
ApiBase::dieDebug(__METHOD__, "Unhandled case value: {$authRes}");
}
$this->getResult()->addValue(null, 'login', $result);
if ($loginType === 'LoginForm' && isset(LoginForm::$statusCodes[$authRes])) {
$authRes = LoginForm::$statusCodes[$authRes];
}
LoggerFactory::getInstance('authevents')->info('Login attempt', ['event' => 'login', 'successful' => $authRes === 'Success', 'loginType' => $loginType, 'status' => $authRes]);
}
/**
* Submit handler callback for HTMLForm
* @private
* @param $data array Submitted data
* @return Status
*/
public function handleFormSubmit($data)
{
$requests = AuthenticationRequest::loadRequestsFromSubmission($this->authRequests, $data);
$response = $this->performAuthenticationStep($this->authAction, $requests);
// we can't handle FAIL or similar as failure here since it might require changing the form
return Status::newGood($response);
}
/**
* Fetch and load the AuthenticationRequests for an action
* @param string $action One of the AuthManager::ACTION_* constants
* @return AuthenticationRequest[]
*/
public function loadAuthenticationRequests($action)
{
$params = $this->module->extractRequestParams();
$manager = AuthManager::singleton();
$reqs = $manager->getAuthenticationRequests($action, $this->module->getUser());
// Filter requests, if requested to do so
$wantedRequests = null;
if (isset($params['requests'])) {
$wantedRequests = array_flip($params['requests']);
} elseif (isset($params['request'])) {
$wantedRequests = [$params['request'] => true];
}
if ($wantedRequests !== null) {
$reqs = array_filter($reqs, function ($req) use($wantedRequests) {
return isset($wantedRequests[$req->getUniqueId()]);
});
}
// Collect the fields for all the requests
$fields = [];
$sensitive = [];
foreach ($reqs as $req) {
$info = (array) $req->getFieldInfo();
$fields += $info;
$sensitive += array_filter($info, function ($opts) {
return !empty($opts['sensitive']);
});
}
// Extract the request data for the fields and mark those request
// parameters as used
$data = array_intersect_key($this->module->getRequest()->getValues(), $fields);
$this->module->getMain()->markParamsUsed(array_keys($data));
if ($sensitive) {
try {
$this->module->requirePostedParameters(array_keys($sensitive), 'noprefix');
} catch (UsageException $ex) {
// Make this a warning for now, upgrade to an error in 1.29.
$this->module->setWarning($ex->getMessage());
$this->module->logFeatureUsage($this->module->getModuleName() . '-params-in-query-string');
}
}
return AuthenticationRequest::loadRequestsFromSubmission($reqs, $data);
}
/**
* Fetch and load the AuthenticationRequests for an action
* @param string $action One of the AuthManager::ACTION_* constants
* @return AuthenticationRequest[]
*/
public function loadAuthenticationRequests($action)
{
$params = $this->module->extractRequestParams();
$manager = AuthManager::singleton();
$reqs = $manager->getAuthenticationRequests($action, $this->module->getUser());
// Filter requests, if requested to do so
$wantedRequests = null;
if (isset($params['requests'])) {
$wantedRequests = array_flip($params['requests']);
} elseif (isset($params['request'])) {
$wantedRequests = [$params['request'] => true];
}
if ($wantedRequests !== null) {
$reqs = array_filter($reqs, function ($req) use($wantedRequests) {
return isset($wantedRequests[$req->getUniqueId()]);
});
}
// Collect the fields for all the requests
$fields = [];
foreach ($reqs as $req) {
$fields += (array) $req->getFieldInfo();
}
// Extract the request data for the fields and mark those request
// parameters as used
$data = array_intersect_key($this->module->getRequest()->getValues(), $fields);
$this->module->getMain()->markParamsUsed(array_keys($data));
return AuthenticationRequest::loadRequestsFromSubmission($reqs, $data);
}
public function addUser($user, $password, $email = '', $realname = '')
{
global $wgUser;
$data = ['username' => $user->getName(), 'password' => $password, 'retype' => $password, 'email' => $email, 'realname' => $realname];
if ($this->domain !== null && $this->domain !== '') {
$data['domain'] = $this->domain;
}
$reqs = AuthManager::singleton()->getAuthenticationRequests(AuthManager::ACTION_CREATE);
$reqs = AuthenticationRequest::loadRequestsFromSubmission($reqs, $data);
$res = AuthManager::singleton()->beginAccountCreation($wgUser, $reqs, 'null:');
switch ($res->status) {
case AuthenticationResponse::PASS:
return true;
case AuthenticationResponse::FAIL:
// Hope it's not a PreAuthenticationProvider that failed...
$msg = $res->message instanceof \Message ? $res->message : new \Message($res->message);
$this->logger->info(__METHOD__ . ': Authentication failed: ' . $msg->plain());
return false;
default:
throw new \BadMethodCallException('AuthManager does not support such simplified account creation');
}
}
/**
* Check to see if the given clear-text password is one of the accepted passwords
* @deprecated since 1.27, use AuthManager instead
* @param string $password User password
* @return bool True if the given password is correct, otherwise False
*/
public function checkPassword($password)
{
global $wgAuth, $wgLegacyEncoding, $wgDisableAuthManager;
if ($wgDisableAuthManager) {
$this->load();
// Some passwords will give a fatal Status, which means there is
// some sort of technical or security reason for this password to
// be completely invalid and should never be checked (e.g., T64685)
if (!$this->checkPasswordValidity($password)->isOK()) {
return false;
}
// Certain authentication plugins do NOT want to save
// domain passwords in a mysql database, so we should
// check this (in case $wgAuth->strict() is false).
if ($wgAuth->authenticate($this->getName(), $password)) {
return true;
} elseif ($wgAuth->strict()) {
// Auth plugin doesn't allow local authentication
return false;
} elseif ($wgAuth->strictUserAuth($this->getName())) {
// Auth plugin doesn't allow local authentication for this user name
return false;
}
$passwordFactory = new PasswordFactory();
$passwordFactory->init(RequestContext::getMain()->getConfig());
$db = $this->queryFlagsUsed & self::READ_LATEST ? wfGetDB(DB_MASTER) : wfGetDB(DB_SLAVE);
try {
$mPassword = $passwordFactory->newFromCiphertext($db->selectField('user', 'user_password', ['user_id' => $this->getId()], __METHOD__));
} catch (PasswordError $e) {
wfDebug('Invalid password hash found in database.');
$mPassword = PasswordFactory::newInvalidPassword();
}
if (!$mPassword->equals($password)) {
if ($wgLegacyEncoding) {
// Some wikis were converted from ISO 8859-1 to UTF-8, the passwords can't be converted
// Check for this with iconv
$cp1252Password = iconv('UTF-8', 'WINDOWS-1252//TRANSLIT', $password);
if ($cp1252Password === $password || !$mPassword->equals($cp1252Password)) {
return false;
}
} else {
return false;
}
}
if ($passwordFactory->needsUpdate($mPassword) && !wfReadOnly()) {
$this->setPasswordInternal($password);
}
return true;
} else {
$manager = AuthManager::singleton();
$reqs = AuthenticationRequest::loadRequestsFromSubmission($manager->getAuthenticationRequests(AuthManager::ACTION_LOGIN), ['username' => $this->getName(), 'password' => $password]);
$res = AuthManager::singleton()->beginAuthentication($reqs, 'null:');
switch ($res->status) {
case AuthenticationResponse::PASS:
return true;
case AuthenticationResponse::FAIL:
// Hope it's not a PreAuthenticationProvider that failed...
\MediaWiki\Logger\LoggerFactory::getInstance('authentication')->info(__METHOD__ . ': Authentication failed: ' . $res->message->plain());
return false;
default:
throw new BadMethodCallException('AuthManager returned a response unsupported by ' . __METHOD__);
}
}
}
/**
* Executes the log-in attempt using the parameters passed. If
* the log-in succeeds, it attaches a cookie to the session
* and outputs the user id, username, and session token. If a
* log-in fails, as the result of a bad password, a nonexistent
* user, or any other reason, the host is cached with an expiry
* and no log-in attempts will be accepted until that expiry
* is reached. The expiry is $this->mLoginThrottle.
*/
public function execute()
{
// If we're in a mode that breaks the same-origin policy, no tokens can
// be obtained
if ($this->lacksSameOriginSecurity()) {
$this->getResult()->addValue(null, 'login', ['result' => 'Aborted', 'reason' => 'Cannot log in when the same-origin policy is not applied']);
return;
}
$params = $this->extractRequestParams();
$result = [];
// Make sure session is persisted
$session = MediaWiki\Session\SessionManager::getGlobalSession();
$session->persist();
// Make sure it's possible to log in
if (!$session->canSetUser()) {
$this->getResult()->addValue(null, 'login', ['result' => 'Aborted', 'reason' => 'Cannot log in when using ' . $session->getProvider()->describe(Language::factory('en'))]);
return;
}
$authRes = false;
$context = new DerivativeContext($this->getContext());
$loginType = 'N/A';
// Check login token
$token = $session->getToken('', 'login');
if ($token->wasNew() || !$params['token']) {
$authRes = 'NeedToken';
} elseif (!$token->match($params['token'])) {
$authRes = 'WrongToken';
}
// Try bot passwords
if ($authRes === false && $this->getConfig()->get('EnableBotPasswords') && strpos($params['name'], BotPassword::getSeparator()) !== false) {
$status = BotPassword::login($params['name'], $params['password'], $this->getRequest());
if ($status->isOK()) {
$session = $status->getValue();
$authRes = 'Success';
$loginType = 'BotPassword';
} else {
$authRes = 'Failed';
$message = $status->getMessage();
LoggerFactory::getInstance('authmanager')->info('BotPassword login failed: ' . $status->getWikiText(false, false, 'en'));
}
}
if ($authRes === false) {
if ($this->getConfig()->get('DisableAuthManager')) {
// Non-AuthManager login
$context->setRequest(new DerivativeRequest($this->getContext()->getRequest(), ['wpName' => $params['name'], 'wpPassword' => $params['password'], 'wpDomain' => $params['domain'], 'wpLoginToken' => $params['token'], 'wpRemember' => '']));
$loginForm = new LoginForm();
$loginForm->setContext($context);
$authRes = $loginForm->authenticateUserData();
$loginType = 'LoginForm';
switch ($authRes) {
case LoginForm::SUCCESS:
$authRes = 'Success';
break;
case LoginForm::NEED_TOKEN:
$authRes = 'NeedToken';
break;
}
} else {
// Simplified AuthManager login, for backwards compatibility
$manager = AuthManager::singleton();
$reqs = AuthenticationRequest::loadRequestsFromSubmission($manager->getAuthenticationRequests(AuthManager::ACTION_LOGIN, $this->getUser()), ['username' => $params['name'], 'password' => $params['password'], 'domain' => $params['domain'], 'rememberMe' => true]);
$res = AuthManager::singleton()->beginAuthentication($reqs, 'null:');
switch ($res->status) {
case AuthenticationResponse::PASS:
if ($this->getConfig()->get('EnableBotPasswords')) {
$warn = 'Main-account login via action=login is deprecated and may stop working ' . 'without warning.';
$warn .= ' To continue login with action=login, see [[Special:BotPasswords]].';
$warn .= ' To safely continue using main-account login, see action=clientlogin.';
} else {
$warn = 'Login via action=login is deprecated and may stop working without warning.';
$warn .= ' To safely log in, see action=clientlogin.';
}
$this->setWarning($warn);
$authRes = 'Success';
$loginType = 'AuthManager';
break;
case AuthenticationResponse::FAIL:
// Hope it's not a PreAuthenticationProvider that failed...
$authRes = 'Failed';
$message = $res->message;
\MediaWiki\Logger\LoggerFactory::getInstance('authentication')->info(__METHOD__ . ': Authentication failed: ' . $message->plain());
break;
default:
$authRes = 'Aborted';
break;
}
}
}
$result['result'] = $authRes;
switch ($authRes) {
case 'Success':
if ($this->getConfig()->get('DisableAuthManager')) {
$user = $context->getUser();
$this->getContext()->setUser($user);
$user->setCookies($this->getRequest(), null, true);
} else {
$user = $session->getUser();
}
ApiQueryInfo::resetTokenCache();
// Deprecated hook
$injected_html = '';
Hooks::run('UserLoginComplete', [&$user, &$injected_html]);
$result['lguserid'] = intval($user->getId());
$result['lgusername'] = $user->getName();
// @todo: These are deprecated, and should be removed at some
// point (1.28 at the earliest, and see T121527). They were ok
// when the core cookie-based login was the only thing, but
// CentralAuth broke that a while back and
// SessionManager/AuthManager *really* break it.
$result['lgtoken'] = $user->getToken();
$result['cookieprefix'] = $this->getConfig()->get('CookiePrefix');
$result['sessionid'] = $session->getId();
break;
case 'NeedToken':
$result['token'] = $token->toString();
$this->setWarning('Fetching a token via action=login is deprecated. ' . 'Use action=query&meta=tokens&type=login instead.');
$this->logFeatureUsage('action=login&!lgtoken');
// @todo: See above about deprecation
$result['cookieprefix'] = $this->getConfig()->get('CookiePrefix');
$result['sessionid'] = $session->getId();
break;
case 'WrongToken':
break;
case 'Failed':
$result['reason'] = $message->useDatabase('false')->inLanguage('en')->text();
break;
case 'Aborted':
$result['reason'] = 'Authentication requires user interaction, ' . 'which is not supported by action=login.';
if ($this->getConfig()->get('EnableBotPasswords')) {
$result['reason'] .= ' To be able to login with action=login, see [[Special:BotPasswords]].';
$result['reason'] .= ' To continue using main-account login, see action=clientlogin.';
} else {
$result['reason'] .= ' To log in, see action=clientlogin.';
}
break;
// Results from LoginForm for when $wgDisableAuthManager is true
// Results from LoginForm for when $wgDisableAuthManager is true
case LoginForm::WRONG_TOKEN:
$result['result'] = 'WrongToken';
break;
case LoginForm::NO_NAME:
$result['result'] = 'NoName';
break;
case LoginForm::ILLEGAL:
$result['result'] = 'Illegal';
break;
case LoginForm::WRONG_PLUGIN_PASS:
$result['result'] = 'WrongPluginPass';
break;
case LoginForm::NOT_EXISTS:
$result['result'] = 'NotExists';
break;
// bug 20223 - Treat a temporary password as wrong. Per SpecialUserLogin:
// The e-mailed temporary password should not be used for actual logins.
// bug 20223 - Treat a temporary password as wrong. Per SpecialUserLogin:
// The e-mailed temporary password should not be used for actual logins.
case LoginForm::RESET_PASS:
case LoginForm::WRONG_PASS:
$result['result'] = 'WrongPass';
break;
case LoginForm::EMPTY_PASS:
$result['result'] = 'EmptyPass';
break;
case LoginForm::CREATE_BLOCKED:
$result['result'] = 'CreateBlocked';
$result['details'] = 'Your IP address is blocked from account creation';
$block = $context->getUser()->getBlock();
if ($block) {
$result = array_merge($result, ApiQueryUserInfo::getBlockInfo($block));
}
break;
case LoginForm::THROTTLED:
$result['result'] = 'Throttled';
$result['wait'] = intval($loginForm->mThrottleWait);
break;
case LoginForm::USER_BLOCKED:
$result['result'] = 'Blocked';
$block = User::newFromName($params['name'])->getBlock();
if ($block) {
$result = array_merge($result, ApiQueryUserInfo::getBlockInfo($block));
}
break;
case LoginForm::ABORTED:
$result['result'] = 'Aborted';
$result['reason'] = $loginForm->mAbortLoginErrorMsg;
break;
default:
ApiBase::dieDebug(__METHOD__, "Unhandled case value: {$authRes}");
}
$this->getResult()->addValue(null, 'login', $result);
if ($loginType === 'LoginForm' && isset(LoginForm::$statusCodes[$authRes])) {
$authRes = LoginForm::$statusCodes[$authRes];
}
LoggerFactory::getInstance('authmanager')->info('Login attempt', ['event' => 'login', 'successful' => $authRes === 'Success', 'loginType' => $loginType, 'status' => $authRes]);
}
public function setPassword($user, $password)
{
$data = ['username' => $user->getName(), 'password' => $password];
if ($this->domain !== null && $this->domain !== '') {
$data['domain'] = $this->domain;
}
$reqs = AuthManager::singleton()->getAuthenticationRequests(AuthManager::ACTION_CHANGE);
$reqs = AuthenticationRequest::loadRequestsFromSubmission($reqs, $data);
foreach ($reqs as $req) {
$status = AuthManager::singleton()->allowsAuthenticationDataChange($req);
if (!$status->isGood()) {
$this->logger->info(__METHOD__ . ': Password change rejected: {reason}', ['username' => $data['username'], 'reason' => $status->getWikiText(null, null, 'en')]);
return false;
}
}
foreach ($reqs as $req) {
AuthManager::singleton()->changeAuthenticationData($req);
}
return true;
}
/**
* Check to see if the given clear-text password is one of the accepted passwords
* @deprecated since 1.27, use AuthManager instead
* @param string $password User password
* @return bool True if the given password is correct, otherwise False
*/
public function checkPassword($password)
{
$manager = AuthManager::singleton();
$reqs = AuthenticationRequest::loadRequestsFromSubmission($manager->getAuthenticationRequests(AuthManager::ACTION_LOGIN), ['username' => $this->getName(), 'password' => $password]);
$res = AuthManager::singleton()->beginAuthentication($reqs, 'null:');
switch ($res->status) {
case AuthenticationResponse::PASS:
return true;
case AuthenticationResponse::FAIL:
// Hope it's not a PreAuthenticationProvider that failed...
\MediaWiki\Logger\LoggerFactory::getInstance('authentication')->info(__METHOD__ . ': Authentication failed: ' . $res->message->plain());
return false;
default:
throw new BadMethodCallException('AuthManager returned a response unsupported by ' . __METHOD__);
}
}
