PageRenderTime 40ms CodeModel.GetById 16ms RepoModel.GetById 1ms app.codeStats 0ms

/mediawiki-1.21.2/includes/api/ApiLogin.php

https://gitlab.com/mcepl/dumpathome
PHP | 290 lines | 211 code | 35 blank | 44 comment | 4 complexity | 5c8adffffeee0d971ab5282adab4b97d MD5 | raw file
Possible License(s): GPL-2.0, Apache-2.0, LGPL-3.0 
    

  1. <?php
    2. 

  2. /**
    3. 

  3.  *
    4. 

  4.  *
    5. 

  5.  * Created on Sep 19, 2006
    6. 

  6.  *
    7. 

  7.  * Copyright © 2006-2007 Yuri Astrakhan "<Firstname><Lastname>@gmail.com",
    8. 

  8.  * Daniel Cannon (cannon dot danielc at gmail dot com)
    9. 

  9.  *
    10. 

  10.  * This program is free software; you can redistribute it and/or modify
    11. 

  11.  * it under the terms of the GNU General Public License as published by
    12. 

  12.  * the Free Software Foundation; either version 2 of the License, or
    13. 

  13.  * (at your option) any later version.
    14. 

  14.  *
    15. 

  15.  * This program is distributed in the hope that it will be useful,
    16. 

  16.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    17. 

  17.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    18. 

  18.  * GNU General Public License for more details.
    19. 

  19.  *
    20. 

  20.  * You should have received a copy of the GNU General Public License along
    21. 

  21.  * with this program; if not, write to the Free Software Foundation, Inc.,
    22. 

  22.  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
    23. 

  23.  * http://www.gnu.org/copyleft/gpl.html
    24. 

  24.  *
    25. 

  25.  * @file
    26. 

  26.  */
    27. 

  27. 

  28. /**
    29. 

  29.  * Unit to authenticate log-in attempts to the current wiki.
    30. 

  30.  *
    31. 

  31.  * @ingroup API
    32. 

  32.  */
    33. 

  33. class ApiLogin extends ApiBase {
    34. 

  34. 

  35. 	public function __construct( $main, $action ) {
    36. 

  36. 		parent::__construct( $main, $action, 'lg' );
    37. 

  37. 	}
    38. 

  38. 

  39. 	/**
    40. 

  40. 	 * Executes the log-in attempt using the parameters passed. If
    41. 

  41. 	 * the log-in succeeds, it attaches a cookie to the session
    42. 

  42. 	 * and outputs the user id, username, and session token. If a
    43. 

  43. 	 * log-in fails, as the result of a bad password, a nonexistent
    44. 

  44. 	 * user, or any other reason, the host is cached with an expiry
    45. 

  45. 	 * and no log-in attempts will be accepted until that expiry
    46. 

  46. 	 * is reached. The expiry is $this->mLoginThrottle.
    47. 

  47. 	 */
    48. 

  48. 	public function execute() {
    49. 

  49. 		// If we're in JSON callback mode, no tokens can be obtained
    50. 

  50. 		if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
    51. 

  51. 			$this->getResult()->addValue( null, 'login', array(
    52. 

  52. 				'result' => 'Aborted',
    53. 

  53. 				'reason' => 'Cannot log in when using a callback',
    54. 

  54. 			) );
    55. 

  55. 			return;
    56. 

  56. 		}
    57. 

  57. 

  58. 		$params = $this->extractRequestParams();
    59. 

  59. 

  60. 		$result = array();
    61. 

  61. 

  62. 		// Init session if necessary
    63. 

  63. 		if ( session_id() == '' ) {
    64. 

  64. 			wfSetupSession();
    65. 

  65. 		}
    66. 

  66. 

  67. 		$context = new DerivativeContext( $this->getContext() );
    68. 

  68. 		$context->setRequest( new DerivativeRequest(
    69. 

  69. 			$this->getContext()->getRequest(),
    70. 

  70. 			array(
    71. 

  71. 				'wpName' => $params['name'],
    72. 

  72. 				'wpPassword' => $params['password'],
    73. 

  73. 				'wpDomain' => $params['domain'],
    74. 

  74. 				'wpLoginToken' => $params['token'],
    75. 

  75. 				'wpRemember' => ''
    76. 

  76. 			)
    77. 

  77. 		) );
    78. 

  78. 		$loginForm = new LoginForm();
    79. 

  79. 		$loginForm->setContext( $context );
    80. 

  80. 

  81. 		global $wgCookiePrefix, $wgPasswordAttemptThrottle;
    82. 

  82. 

  83. 		$authRes = $loginForm->authenticateUserData();
    84. 

  84. 		switch ( $authRes ) {
    85. 

  85. 			case LoginForm::SUCCESS:
    86. 

  86. 				$user = $context->getUser();
    87. 

  87. 				$this->getContext()->setUser( $user );
    88. 

  88. 				$user->setOption( 'rememberpassword', 1 );
    89. 

  89. 				$user->setCookies( $this->getRequest() );
    90. 

  90. 

  91. 				ApiQueryInfo::resetTokenCache();
    92. 

  92. 

  93. 				// Run hooks.
    94. 

  94. 				// @todo FIXME: Split back and frontend from this hook.
    95. 

  95. 				// @todo FIXME: This hook should be placed in the backend
    96. 

  96. 				$injected_html = '';
    97. 

  97. 				wfRunHooks( 'UserLoginComplete', array( &$user, &$injected_html ) );
    98. 

  98. 

  99. 				$result['result'] = 'Success';
    100. 

  100. 				$result['lguserid'] = intval( $user->getId() );
    101. 

  101. 				$result['lgusername'] = $user->getName();
    102. 

  102. 				$result['lgtoken'] = $user->getToken();
    103. 

  103. 				$result['cookieprefix'] = $wgCookiePrefix;
    104. 

  104. 				$result['sessionid'] = session_id();
    105. 

  105. 				break;
    106. 

  106. 

  107. 			case LoginForm::NEED_TOKEN:
    108. 

  108. 				$result['result'] = 'NeedToken';
    109. 

  109. 				$result['token'] = $loginForm->getLoginToken();
    110. 

  110. 				$result['cookieprefix'] = $wgCookiePrefix;
    111. 

  111. 				$result['sessionid'] = session_id();
    112. 

  112. 				break;
    113. 

  113. 

  114. 			case LoginForm::WRONG_TOKEN:
    115. 

  115. 				$result['result'] = 'WrongToken';
    116. 

  116. 				break;
    117. 

  117. 

  118. 			case LoginForm::NO_NAME:
    119. 

  119. 				$result['result'] = 'NoName';
    120. 

  120. 				break;
    121. 

  121. 

  122. 			case LoginForm::ILLEGAL:
    123. 

  123. 				$result['result'] = 'Illegal';
    124. 

  124. 				break;
    125. 

  125. 

  126. 			case LoginForm::WRONG_PLUGIN_PASS:
    127. 

  127. 				$result['result'] = 'WrongPluginPass';
    128. 

  128. 				break;
    129. 

  129. 

  130. 			case LoginForm::NOT_EXISTS:
    131. 

  131. 				$result['result'] = 'NotExists';
    132. 

  132. 				break;
    133. 

  133. 

  134. 			case LoginForm::RESET_PASS: // bug 20223 - Treat a temporary password as wrong. Per SpecialUserLogin - "The e-mailed temporary password should not be used for actual logins;"
    135. 

  135. 			case LoginForm::WRONG_PASS:
    136. 

  136. 				$result['result'] = 'WrongPass';
    137. 

  137. 				break;
    138. 

  138. 

  139. 			case LoginForm::EMPTY_PASS:
    140. 

  140. 				$result['result'] = 'EmptyPass';
    141. 

  141. 				break;
    142. 

  142. 

  143. 			case LoginForm::CREATE_BLOCKED:
    144. 

  144. 				$result['result'] = 'CreateBlocked';
    145. 

  145. 				$result['details'] = 'Your IP address is blocked from account creation';
    146. 

  146. 				break;
    147. 

  147. 

  148. 			case LoginForm::THROTTLED:
    149. 

  149. 				$result['result'] = 'Throttled';
    150. 

  150. 				$result['wait'] = intval( $wgPasswordAttemptThrottle['seconds'] );
    151. 

  151. 				break;
    152. 

  152. 

  153. 			case LoginForm::USER_BLOCKED:
    154. 

  154. 				$result['result'] = 'Blocked';
    155. 

  155. 				break;
    156. 

  156. 

  157. 			case LoginForm::ABORTED:
    158. 

  158. 				$result['result'] = 'Aborted';
    159. 

  159. 				$result['reason'] = $loginForm->mAbortLoginErrorMsg;
    160. 

  160. 				break;
    161. 

  161. 

  162. 			default:
    163. 

  163. 				ApiBase::dieDebug( __METHOD__, "Unhandled case value: {$authRes}" );
    164. 

  164. 		}
    165. 

  165. 

  166. 		$this->getResult()->addValue( null, 'login', $result );
    167. 

  167. 	}
    168. 

  168. 

  169. 	public function mustBePosted() {
    170. 

  170. 		return true;
    171. 

  171. 	}
    172. 

  172. 

  173. 	public function isReadMode() {
    174. 

  174. 		return false;
    175. 

  175. 	}
    176. 

  176. 

  177. 	public function getAllowedParams() {
    178. 

  178. 		return array(
    179. 

  179. 			'name' => null,
    180. 

  180. 			'password' => null,
    181. 

  181. 			'domain' => null,
    182. 

  182. 			'token' => null,
    183. 

  183. 		);
    184. 

  184. 	}
    185. 

  185. 

  186. 	public function getParamDescription() {
    187. 

  187. 		return array(
    188. 

  188. 			'name' => 'User Name',
    189. 

  189. 			'password' => 'Password',
    190. 

  190. 			'domain' => 'Domain (optional)',
    191. 

  191. 			'token' => 'Login token obtained in first request',
    192. 

  192. 		);
    193. 

  193. 	}
    194. 

  194. 

  195. 	public function getResultProperties() {
    196. 

  196. 		return array(
    197. 

  197. 			'' => array(
    198. 

  198. 				'result' => array(
    199. 

  199. 					ApiBase::PROP_TYPE => array(
    200. 

  200. 						'Success',
    201. 

  201. 						'NeedToken',
    202. 

  202. 						'WrongToken',
    203. 

  203. 						'NoName',
    204. 

  204. 						'Illegal',
    205. 

  205. 						'WrongPluginPass',
    206. 

  206. 						'NotExists',
    207. 

  207. 						'WrongPass',
    208. 

  208. 						'EmptyPass',
    209. 

  209. 						'CreateBlocked',
    210. 

  210. 						'Throttled',
    211. 

  211. 						'Blocked',
    212. 

  212. 						'Aborted'
    213. 

  213. 					)
    214. 

  214. 				),
    215. 

  215. 				'lguserid' => array(
    216. 

  216. 					ApiBase::PROP_TYPE => 'integer',
    217. 

  217. 					ApiBase::PROP_NULLABLE => true
    218. 

  218. 				),
    219. 

  219. 				'lgusername' => array(
    220. 

  220. 					ApiBase::PROP_TYPE => 'string',
    221. 

  221. 					ApiBase::PROP_NULLABLE => true
    222. 

  222. 				),
    223. 

  223. 				'lgtoken' => array(
    224. 

  224. 					ApiBase::PROP_TYPE => 'string',
    225. 

  225. 					ApiBase::PROP_NULLABLE => true
    226. 

  226. 				),
    227. 

  227. 				'cookieprefix' => array(
    228. 

  228. 					ApiBase::PROP_TYPE => 'string',
    229. 

  229. 					ApiBase::PROP_NULLABLE => true
    230. 

  230. 				),
    231. 

  231. 				'sessionid' => array(
    232. 

  232. 					ApiBase::PROP_TYPE => 'string',
    233. 

  233. 					ApiBase::PROP_NULLABLE => true
    234. 

  234. 				),
    235. 

  235. 				'token' => array(
    236. 

  236. 					ApiBase::PROP_TYPE => 'string',
    237. 

  237. 					ApiBase::PROP_NULLABLE => true
    238. 

  238. 				),
    239. 

  239. 				'details' => array(
    240. 

  240. 					ApiBase::PROP_TYPE => 'string',
    241. 

  241. 					ApiBase::PROP_NULLABLE => true
    242. 

  242. 				),
    243. 

  243. 				'wait' => array(
    244. 

  244. 					ApiBase::PROP_TYPE => 'integer',
    245. 

  245. 					ApiBase::PROP_NULLABLE => true
    246. 

  246. 				),
    247. 

  247. 				'reason' => array(
    248. 

  248. 					ApiBase::PROP_TYPE => 'string',
    249. 

  249. 					ApiBase::PROP_NULLABLE => true
    250. 

  250. 				)
    251. 

  251. 			)
    252. 

  252. 		);
    253. 

  253. 	}
    254. 

  254. 

  255. 	public function getDescription() {
    256. 

  256. 		return array(
    257. 

  257. 			'Log in and get the authentication tokens. ',
    258. 

  258. 			'In the event of a successful log-in, a cookie will be attached',
    259. 

  259. 			'to your session. In the event of a failed log-in, you will not ',
    260. 

  260. 			'be able to attempt another log-in through this method for 5 seconds.',
    261. 

  261. 			'This is to prevent password guessing by automated password crackers'
    262. 

  262. 		);
    263. 

  263. 	}
    264. 

  264. 

  265. 	public function getPossibleErrors() {
    266. 

  266. 		return array_merge( parent::getPossibleErrors(), array(
    267. 

  267. 			array( 'code' => 'NeedToken', 'info' => 'You need to resubmit your login with the specified token. See https://bugzilla.wikimedia.org/show_bug.cgi?id=23076' ),
    268. 

  268. 			array( 'code' => 'WrongToken', 'info' => 'You specified an invalid token' ),
    269. 

  269. 			array( 'code' => 'NoName', 'info' => 'You didn\'t set the lgname parameter' ),
    270. 

  270. 			array( 'code' => 'Illegal', 'info' => ' You provided an illegal username' ),
    271. 

  271. 			array( 'code' => 'NotExists', 'info' => ' The username you provided doesn\'t exist' ),
    272. 

  272. 			array( 'code' => 'EmptyPass', 'info' => ' You didn\'t set the lgpassword parameter or you left it empty' ),
    273. 

  273. 			array( 'code' => 'WrongPass', 'info' => ' The password you provided is incorrect' ),
    274. 

  274. 			array( 'code' => 'WrongPluginPass', 'info' => 'Same as "WrongPass", returned when an authentication plugin rather than MediaWiki itself rejected the password' ),
    275. 

  275. 			array( 'code' => 'CreateBlocked', 'info' => 'The wiki tried to automatically create a new account for you, but your IP address has been blocked from account creation' ),
    276. 

  276. 			array( 'code' => 'Throttled', 'info' => 'You\'ve logged in too many times in a short time' ),
    277. 

  277. 			array( 'code' => 'Blocked', 'info' => 'User is blocked' ),
    278. 

  278. 		) );
    279. 

  279. 	}
    280. 

  280. 

  281. 	public function getExamples() {
    282. 

  282. 		return array(
    283. 

  283. 			'api.php?action=login&lgname=user&lgpassword=password'
    284. 

  284. 		);
    285. 

  285. 	}
    286. 

  286. 

  287. 	public function getHelpUrls() {
    288. 

  288. 		return 'https://www.mediawiki.org/wiki/API:Login';
    289. 

  289. 	}
    290. 

  290. }
    291. 

  291.