Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
| Total | |
72.73% |
8 / 11 |
|
0.00% |
0 / 2 |
CRAP | |
0.00% |
0 / 1 |
| CentralAuthHeaderSessionProvider | |
72.73% |
8 / 11 |
|
0.00% |
0 / 2 |
5.51 | |
0.00% |
0 / 1 |
| getTokenDataFromRequest | |
80.00% |
8 / 10 |
|
0.00% |
0 / 1 |
4.13 | |||
| safeAgainstCsrf | |
0.00% |
0 / 1 |
|
0.00% |
0 / 1 |
2 | |||
| 1 | <?php |
| 2 | |
| 3 | use MediaWiki\Extension\CentralAuth\Config\CAMainConfigNames; |
| 4 | use MediaWiki\Request\WebRequest; |
| 5 | |
| 6 | /** |
| 7 | * Session provider for CentralAuth Authorization header for use in REST APIs. |
| 8 | * |
| 9 | * This session provider looks for an Authorization header using the MWCentralAuth |
| 10 | * authentication type, and checks that the token provided in the header |
| 11 | * corresponds to an existing token set up by ApiCentralAuthToken. |
| 12 | * If the header is present but invalid, it returns a |
| 13 | * bogus SessionInfo to prevent other SessionProviders from establishing a session. |
| 14 | * |
| 15 | * @see \MediaWiki\Extension\CentralAuth\Api\ApiCentralAuthToken |
| 16 | */ |
| 17 | class CentralAuthHeaderSessionProvider extends CentralAuthTokenSessionProvider { |
| 18 | |
| 19 | /** @inheritDoc */ |
| 20 | protected function getTokenDataFromRequest( WebRequest $request ) { |
| 21 | $authHeader = $request->getHeader( 'Authorization' ); |
| 22 | if ( $authHeader === null ) { |
| 23 | return null; |
| 24 | } |
| 25 | |
| 26 | if ( !preg_match( '/^CentralAuthToken\s+(\w+)/is', $authHeader, $match ) ) { |
| 27 | return null; |
| 28 | } |
| 29 | |
| 30 | $oneTimeToken = $match[1]; |
| 31 | if ( $oneTimeToken === null ) { |
| 32 | return null; |
| 33 | } |
| 34 | |
| 35 | $timeout = $this->getConfig()->get( CAMainConfigNames::CentralAuthTokenSessionTimeout ); |
| 36 | return $this->tokenManager->detokenizeAndDelete( $oneTimeToken, 'api-token', [ 'timeout' => $timeout ] ); |
| 37 | } |
| 38 | |
| 39 | /** |
| 40 | * This session provider is based on a header, so it's safe against CSRF attacks. |
| 41 | * @return true |
| 42 | */ |
| 43 | public function safeAgainstCsrf() { |
| 44 | return true; |
| 45 | } |
| 46 | |
| 47 | } |