includes/api/ApiLogin.php

   1 <?php
   2 /**
   3  *
   4  *
   5  * Created on Sep 19, 2006
   6  *
   7  * Copyright © 2006-2007 Yuri Astrakhan "<Firstname><Lastname>@gmail.com",
   8  * Daniel Cannon (cannon dot danielc at gmail dot com)
   9  *
  10  * This program is free software; you can redistribute it and/or modify
  11  * it under the terms of the GNU General Public License as published by
  12  * the Free Software Foundation; either version 2 of the License, or
  13  * (at your option) any later version.
  14  *
  15  * This program is distributed in the hope that it will be useful,
  16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  18  * GNU General Public License for more details.
  19  *
  20  * You should have received a copy of the GNU General Public License along
  21  * with this program; if not, write to the Free Software Foundation, Inc.,
  22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  23  * http://www.gnu.org/copyleft/gpl.html
  24  *
  25  * @file
  26  */
  27
  28 use MediaWiki\Auth\AuthManager;
  29 use MediaWiki\Auth\AuthenticationRequest;
  30 use MediaWiki\Auth\AuthenticationResponse;
  31 use MediaWiki\Logger\LoggerFactory;
  32
  33 /**
  34  * Unit to authenticate log-in attempts to the current wiki.
  35  *
  36  * @ingroup API
  37  */
  38 class ApiLogin extends ApiBase {
  39
  40         public function __construct( ApiMain $main, $action ) {
  41                 parent::__construct( $main, $action, 'lg' );
  42         }
  43
  44         protected function getExtendedDescription() {
  45                 if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
  46                         return 'apihelp-login-extended-description';
  47                 } else {
  48                         return 'apihelp-login-extended-description-nobotpasswords';
  49                 }
  50         }
  51
  52         /**
  53          * Format a message for the response
  54          * @param Message|string|array $message
  55          * @return string|array
  56          */
  57         private function formatMessage( $message ) {
  58                 $message = Message::newFromSpecifier( $message );
  59                 $errorFormatter = $this->getErrorFormatter();
  60                 if ( $errorFormatter instanceof ApiErrorFormatter_BackCompat ) {
  61                         return ApiErrorFormatter::stripMarkup(
  62                                 $message->useDatabase( false )->inLanguage( 'en' )->text()
  63                         );
  64                 } else {
  65                         return $errorFormatter->formatMessage( $message );
  66                 }
  67         }
  68
  69         /**
  70          * Executes the log-in attempt using the parameters passed. If
  71          * the log-in succeeds, it attaches a cookie to the session
  72          * and outputs the user id, username, and session token. If a
  73          * log-in fails, as the result of a bad password, a nonexistent
  74          * user, or any other reason, the host is cached with an expiry
  75          * and no log-in attempts will be accepted until that expiry
  76          * is reached. The expiry is $this->mLoginThrottle.
  77          */
  78         public function execute() {
  79                 // If we're in a mode that breaks the same-origin policy, no tokens can
  80                 // be obtained
  81                 if ( $this->lacksSameOriginSecurity() ) {
  82                         $this->getResult()->addValue( null, 'login', [
  83                                 'result' => 'Aborted',
  84                                 'reason' => $this->formatMessage( 'api-login-fail-sameorigin' ),
  85                         ] );
  86
  87                         return;
  88                 }
  89
  90                 $this->requirePostedParameters( [ 'password', 'token' ] );
  91
  92                 $params = $this->extractRequestParams();
  93
  94                 $result = [];
  95
  96                 // Make sure session is persisted
  97                 $session = MediaWiki\Session\SessionManager::getGlobalSession();
  98                 $session->persist();
  99
 100                 // Make sure it's possible to log in
 101                 if ( !$session->canSetUser() ) {
 102                         $this->getResult()->addValue( null, 'login', [
 103                                 'result' => 'Aborted',
 104                                 'reason' => $this->formatMessage( [
 105                                         'api-login-fail-badsessionprovider',
 106                                         $session->getProvider()->describe( $this->getErrorFormatter()->getLanguage() ),
 107                                 ] )
 108                         ] );
 109
 110                         return;
 111                 }
 112
 113                 $authRes = false;
 114                 $context = new DerivativeContext( $this->getContext() );
 115                 $loginType = 'N/A';
 116
 117                 // Check login token
 118                 $token = $session->getToken( '', 'login' );
 119                 if ( $token->wasNew() || !$params['token'] ) {
 120                         $authRes = 'NeedToken';
 121                 } elseif ( !$token->match( $params['token'] ) ) {
 122                         $authRes = 'WrongToken';
 123                 }
 124
 125                 // Try bot passwords
 126                 if (
 127                         $authRes === false && $this->getConfig()->get( 'EnableBotPasswords' ) &&
 128                         ( $botLoginData = BotPassword::canonicalizeLoginData( $params['name'], $params['password'] ) )
 129                 ) {
 130                         $status = BotPassword::login(
 131                                 $botLoginData[0], $botLoginData[1], $this->getRequest()
 132                         );
 133                         if ( $status->isOK() ) {
 134                                 $session = $status->getValue();
 135                                 $authRes = 'Success';
 136                                 $loginType = 'BotPassword';
 137                         } elseif ( !$botLoginData[2] ||
 138                                 $status->hasMessage( 'login-throttled' ) ||
 139                                 $status->hasMessage( 'botpasswords-needs-reset' ) ||
 140                                 $status->hasMessage( 'botpasswords-locked' )
 141                         ) {
 142                                 $authRes = 'Failed';
 143                                 $message = $status->getMessage();
 144                                 LoggerFactory::getInstance( 'authentication' )->info(
 145                                         'BotPassword login failed: ' . $status->getWikiText( false, false, 'en' )
 146                                 );
 147                         }
 148                 }
 149
 150                 if ( $authRes === false ) {
 151                         // Simplified AuthManager login, for backwards compatibility
 152                         $manager = AuthManager::singleton();
 153                         $reqs = AuthenticationRequest::loadRequestsFromSubmission(
 154                                 $manager->getAuthenticationRequests( AuthManager::ACTION_LOGIN, $this->getUser() ),
 155                                 [
 156                                         'username' => $params['name'],
 157                                         'password' => $params['password'],
 158                                         'domain' => $params['domain'],
 159                                         'rememberMe' => true,
 160                                 ]
 161                         );
 162                         $res = AuthManager::singleton()->beginAuthentication( $reqs, 'null:' );
 163                         switch ( $res->status ) {
 164                                 case AuthenticationResponse::PASS:
 165                                         if ( $this->getConfig()->get( 'EnableBotPasswords' ) ) {
 166                                                 $this->addDeprecation( 'apiwarn-deprecation-login-botpw', 'main-account-login' );
 167                                         } else {
 168                                                 $this->addDeprecation( 'apiwarn-deprecation-login-nobotpw', 'main-account-login' );
 169                                         }
 170                                         $authRes = 'Success';
 171                                         $loginType = 'AuthManager';
 172                                         break;
 173
 174                                 case AuthenticationResponse::FAIL:
 175                                         // Hope it's not a PreAuthenticationProvider that failed...
 176                                         $authRes = 'Failed';
 177                                         $message = $res->message;
 178                                         \MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' )
 179                                                 ->info( __METHOD__ . ': Authentication failed: '
 180                                                 . $message->inLanguage( 'en' )->plain() );
 181                                         break;
 182
 183                                 default:
 184                                         \MediaWiki\Logger\LoggerFactory::getInstance( 'authentication' )
 185                                                 ->info( __METHOD__ . ': Authentication failed due to unsupported response type: '
 186                                                 . $res->status, $this->getAuthenticationResponseLogData( $res ) );
 187                                         $authRes = 'Aborted';
 188                                         break;
 189                         }
 190                 }
 191
 192                 $result['result'] = $authRes;
 193                 switch ( $authRes ) {
 194                         case 'Success':
 195                                 $user = $session->getUser();
 196
 197                                 ApiQueryInfo::resetTokenCache();
 198
 199                                 // Deprecated hook
 200                                 $injected_html = '';
 201                                 Hooks::run( 'UserLoginComplete', [ &$user, &$injected_html, true ] );
 202
 203                                 $result['lguserid'] = intval( $user->getId() );
 204                                 $result['lgusername'] = $user->getName();
 205                                 break;
 206
 207                         case 'NeedToken':
 208                                 $result['token'] = $token->toString();
 209                                 $this->addDeprecation( 'apiwarn-deprecation-login-token', 'action=login&!lgtoken' );
 210                                 break;
 211
 212                         case 'WrongToken':
 213                                 break;
 214
 215                         case 'Failed':
 216                                 $result['reason'] = $this->formatMessage( $message );
 217                                 break;
 218
 219                         case 'Aborted':
 220                                 $result['reason'] = $this->formatMessage(
 221                                         $this->getConfig()->get( 'EnableBotPasswords' )
 222                                                 ? 'api-login-fail-aborted'
 223                                                 : 'api-login-fail-aborted-nobotpw'
 224                                 );
 225                                 break;
 226
 227                         default:
 228                                 ApiBase::dieDebug( __METHOD__, "Unhandled case value: {$authRes}" );
 229                 }
 230
 231                 $this->getResult()->addValue( null, 'login', $result );
 232
 233                 if ( $loginType === 'LoginForm' && isset( LoginForm::$statusCodes[$authRes] ) ) {
 234                         $authRes = LoginForm::$statusCodes[$authRes];
 235                 }
 236                 LoggerFactory::getInstance( 'authevents' )->info( 'Login attempt', [
 237                         'event' => 'login',
 238                         'successful' => $authRes === 'Success',
 239                         'loginType' => $loginType,
 240                         'status' => $authRes,
 241                 ] );
 242         }
 243
 244         public function isDeprecated() {
 245                 return !$this->getConfig()->get( 'EnableBotPasswords' );
 246         }
 247
 248         public function mustBePosted() {
 249                 return true;
 250         }
 251
 252         public function isReadMode() {
 253                 return false;
 254         }
 255
 256         public function getAllowedParams() {
 257                 return [
 258                         'name' => null,
 259                         'password' => [
 260                                 ApiBase::PARAM_TYPE => 'password',
 261                         ],
 262                         'domain' => null,
 263                         'token' => [
 264                                 ApiBase::PARAM_TYPE => 'string',
 265                                 ApiBase::PARAM_REQUIRED => false, // for BC
 266                                 ApiBase::PARAM_SENSITIVE => true,
 267                                 ApiBase::PARAM_HELP_MSG => [ 'api-help-param-token', 'login' ],
 268                         ],
 269                 ];
 270         }
 271
 272         protected function getExamplesMessages() {
 273                 return [
 274                         'action=login&lgname=user&lgpassword=password'
 275                                 => 'apihelp-login-example-gettoken',
 276                         'action=login&lgname=user&lgpassword=password&lgtoken=123ABC'
 277                                 => 'apihelp-login-example-login',
 278                 ];
 279         }
 280
 281         public function getHelpUrls() {
 282                 return 'https://www.mediawiki.org/wiki/Special:MyLanguage/API:Login';
 283         }
 284
 285         /**
 286          * Turns an AuthenticationResponse into a hash suitable for passing to Logger
 287          * @param AuthenticationResponse $response
 288          * @return array
 289          */
 290         protected function getAuthenticationResponseLogData( AuthenticationResponse $response ) {
 291                 $ret = [
 292                         'status' => $response->status,
 293                 ];
 294                 if ( $response->message ) {
 295                         $ret['message'] = $response->message->inLanguage( 'en' )->plain();
 296                 };
 297                 $reqs = [
 298                         'neededRequests' => $response->neededRequests,
 299                         'createRequest' => $response->createRequest,
 300                         'linkRequest' => $response->linkRequest,
 301                 ];
 302                 foreach ( $reqs as $k => $v ) {
 303                         if ( $v ) {
 304                                 $v = is_array( $v ) ? $v : [ $v ];
 305                                 $reqClasses = array_unique( array_map( 'get_class', $v ) );
 306                                 sort( $reqClasses );
 307                                 $ret[$k] = implode( ', ', $reqClasses );
 308                         }
 309                 }
 310                 return $ret;
 311         }
 312 }