5 * Created on Sep 19, 2006
7 * Copyright © 2006-2007 Yuri Astrakhan "<Firstname><Lastname>@gmail.com",
8 * Daniel Cannon (cannon dot danielc at gmail dot com)
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
23 * http://www.gnu.org/copyleft/gpl.html
28 use MediaWiki\Auth\AuthManager;
29 use MediaWiki\Auth\AuthenticationRequest;
30 use MediaWiki\Auth\AuthenticationResponse;
31 use MediaWiki\Logger\LoggerFactory;
34 * Unit to authenticate log-in attempts to the current wiki.
38 class ApiLogin extends ApiBase {
40 public function __construct( ApiMain $main, $action ) {
41 parent::__construct( $main, $action, 'lg' );
44 protected function getExtendedDescription() {
45 if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
46 return 'apihelp-login-extended-description';
48 return 'apihelp-login-extended-description-nobotpasswords';
53 * Format a message for the response
54 * @param Message|string|array $message
55 * @return string|array
57 private function formatMessage( $message ) {
58 $message = Message::newFromSpecifier( $message );
59 $errorFormatter = $this->getErrorFormatter();
60 if ( $errorFormatter instanceof ApiErrorFormatter_BackCompat ) {
61 return ApiErrorFormatter::stripMarkup(
62 $message->useDatabase( false )->inLanguage( 'en' )->text()
65 return $errorFormatter->formatMessage( $message );
70 * Executes the log-in attempt using the parameters passed. If
71 * the log-in succeeds, it attaches a cookie to the session
72 * and outputs the user id, username, and session token. If a
73 * log-in fails, as the result of a bad password, a nonexistent
74 * user, or any other reason, the host is cached with an expiry
75 * and no log-in attempts will be accepted until that expiry
76 * is reached. The expiry is $this->mLoginThrottle.
78 public function execute() {
79 // If we're in a mode that breaks the same-origin policy, no tokens can
81 if ( $this->lacksSameOriginSecurity() ) {
82 $this->getResult()->addValue( null, 'login', [
83 'result' => 'Aborted',
84 'reason' => $this->formatMessage( 'api-login-fail-sameorigin' ),
90 $this->requirePostedParameters( [ 'password', 'token' ] );
92 $params = $this->extractRequestParams();
96 // Make sure session is persisted
97 $session = MediaWiki\Session\SessionManager::getGlobalSession();
100 // Make sure it's possible to log in
101 if ( !$session->canSetUser() ) {
102 $this->getResult()->addValue( null, 'login', [
103 'result' => 'Aborted',
104 'reason' => $this->formatMessage( [
105 'api-login-fail-badsessionprovider',
106 $session->getProvider()->describe( $this->getErrorFormatter()->getLanguage() ),
114 $context = new DerivativeContext( $this->getContext() );
118 $token = $session->getToken( '', 'login' );
119 if ( $token->wasNew() || !$params['token'] ) {
120 $authRes = 'NeedToken';
121 } elseif ( !$token->match( $params['token'] ) ) {
122 $authRes = 'WrongToken';
127 $authRes === false && $this->getConfig()->get( 'EnableBotPasswords' ) &&
128 ( $botLoginData = BotPassword::canonicalizeLoginData( $params['name'], $params['password'] ) )
130 $status = BotPassword::login(
131 $botLoginData[0], $botLoginData[1], $this->getRequest()
133 if ( $status->isOK() ) {
134 $session = $status->getValue();
135 $authRes = 'Success';
136 $loginType = 'BotPassword';
137 } elseif ( !$botLoginData[2] ||
138 $status->hasMessage( 'login-throttled' ) ||
139 $status->hasMessage( 'botpasswords-needs-reset' ) ||
140 $status->hasMessage( 'botpasswords-locked' )
143 $message = $status->getMessage();
144 LoggerFactory::getInstance( 'authentication' )->info(
145 'BotPassword login failed: ' . $status->getWikiText( false, false, 'en' )
150 if ( $authRes === false ) {
151 // Simplified AuthManager login, for backwards compatibility
152 $manager = AuthManager::singleton();
153 $reqs = AuthenticationRequest::loadRequestsFromSubmission(
154 $manager->getAuthenticationRequests( AuthManager::ACTION_LOGIN, $this->getUser() ),
156 'username' => $params['name'],
157 'password' => $params['password'],
158 'domain' => $params['domain'],
159 'rememberMe' => true,
162 $res = AuthManager::singleton()->beginAuthentication( $reqs, 'null:' );
163 switch ( $res->status ) {
164 case AuthenticationResponse::PASS:
165 if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
166 $this->addDeprecation( 'apiwarn-deprecation-login-botpw', 'main-account-login' );
168 $this->addDeprecation( 'apiwarn-deprecation-login-nobotpw', 'main-account-login' );
170 $authRes = 'Success';
171 $loginType = 'AuthManager';
174 case AuthenticationResponse::FAIL:
175 // Hope it's not a PreAuthenticationProvider that failed...
177 $message = $res->message;
178 \MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' )
179 ->info( __METHOD__ . ': Authentication failed: '
180 . $message->inLanguage( 'en' )->plain() );
184 \MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' )
185 ->info( __METHOD__ . ': Authentication failed due to unsupported response type: '
186 . $res->status, $this->getAuthenticationResponseLogData( $res ) );
187 $authRes = 'Aborted';
192 $result['result'] = $authRes;
193 switch ( $authRes ) {
195 $user = $session->getUser();
197 ApiQueryInfo::resetTokenCache();
201 Hooks::run( 'UserLoginComplete', [ &$user, &$injected_html, true ] );
203 $result['lguserid'] = intval( $user->getId() );
204 $result['lgusername'] = $user->getName();
208 $result['token'] = $token->toString();
209 $this->addDeprecation( 'apiwarn-deprecation-login-token', 'action=login&!lgtoken' );
216 $result['reason'] = $this->formatMessage( $message );
220 $result['reason'] = $this->formatMessage(
221 $this->getConfig()->get( 'EnableBotPasswords' )
222 ? 'api-login-fail-aborted'
223 : 'api-login-fail-aborted-nobotpw'
228 ApiBase::dieDebug( __METHOD__, "Unhandled case value: {$authRes}" );
231 $this->getResult()->addValue( null, 'login', $result );
233 if ( $loginType === 'LoginForm' && isset( LoginForm::$statusCodes[$authRes] ) ) {
234 $authRes = LoginForm::$statusCodes[$authRes];
236 LoggerFactory::getInstance( 'authevents' )->info( 'Login attempt', [
238 'successful' => $authRes === 'Success',
239 'loginType' => $loginType,
240 'status' => $authRes,
244 public function isDeprecated() {
245 return !$this->getConfig()->get( 'EnableBotPasswords' );
248 public function mustBePosted() {
252 public function isReadMode() {
256 public function getAllowedParams() {
260 ApiBase::PARAM_TYPE => 'password',
264 ApiBase::PARAM_TYPE => 'string',
265 ApiBase::PARAM_REQUIRED => false, // for BC
266 ApiBase::PARAM_SENSITIVE => true,
267 ApiBase::PARAM_HELP_MSG => [ 'api-help-param-token', 'login' ],
272 protected function getExamplesMessages() {
274 'action=login&lgname=user&lgpassword=password'
275 => 'apihelp-login-example-gettoken',
276 'action=login&lgname=user&lgpassword=password&lgtoken=123ABC'
277 => 'apihelp-login-example-login',
281 public function getHelpUrls() {
282 return 'https://www.mediawiki.org/wiki/Special:MyLanguage/API:Login';
286 * Turns an AuthenticationResponse into a hash suitable for passing to Logger
287 * @param AuthenticationResponse $response
290 protected function getAuthenticationResponseLogData( AuthenticationResponse $response ) {
292 'status' => $response->status,
294 if ( $response->message ) {
295 $ret['message'] = $response->message->inLanguage( 'en' )->plain();
298 'neededRequests' => $response->neededRequests,
299 'createRequest' => $response->createRequest,
300 'linkRequest' => $response->linkRequest,
302 foreach ( $reqs as $k => $v ) {
304 $v = is_array( $v ) ? $v : [ $v ];
305 $reqClasses = array_unique( array_map( 'get_class', $v ) );
307 $ret[$k] = implode( ', ', $reqClasses );