MediaWiki  1.33.0
TOTPSecondaryAuthenticationProvider.php
<?php

use MediaWiki\Auth\AbstractSecondaryAuthenticationProvider;
use MediaWiki\Auth\AuthenticationRequest;
use MediaWiki\Auth\AuthenticationResponse;
use MediaWiki\Auth\AuthManager;

/**
 * AuthManager secondary authentication provider for TOTP second-factor authentication.
 *
 * Runs after the primary (password) provider has succeeded. Users who have not
 * enrolled a key are passed through untouched (abstain); enrolled users must
 * present a valid one-time token on a separate screen before login completes.
 */
class TOTPSecondaryAuthenticationProvider extends AbstractSecondaryAuthenticationProvider {

	/**
	 * @param string $action
	 * @param array $options
	 * @return AuthenticationRequest[]
	 */
	public function getAuthenticationRequests( $action, array $options ) {
		switch ( $action ) {
			case AuthManager::ACTION_LOGIN:
				// Don't ask for anything initially, so the second factor is on a separate screen
				return [];
			default:
				return [];
		}
	}

	/**
	 * If the user has enabled two-factor authentication, request a second factor.
	 *
	 * @param User $user
	 * @param AuthenticationRequest[] $reqs
	 * @return AuthenticationResponse
	 */
	public function beginSecondaryAuthentication( $user, array $reqs ) {
		$oathuser = OATHAuthHooks::getOATHUserRepository()->findByUser( $user );

		if ( $oathuser->getKey() === null ) {
			// No key enrolled: this provider has nothing to check.
			return AuthenticationResponse::newAbstain();
		} else {
			return AuthenticationResponse::newUI( [ new TOTPAuthenticationRequest() ],
				wfMessage( 'oathauth-auth-ui' ), 'warning' );
		}
	}

	/**
	 * Verify the second factor.
	 *
	 * @param User $user
	 * @param AuthenticationRequest[] $reqs
	 * @return AuthenticationResponse
	 */
	public function continueSecondaryAuthentication( $user, array $reqs ) {
		$request = AuthenticationRequest::getRequestByClass( $reqs, TOTPAuthenticationRequest::class );
		if ( !$request ) {
			// Form submitted without a token field: re-prompt rather than pass.
			return AuthenticationResponse::newUI( [ new TOTPAuthenticationRequest() ],
				wfMessage( 'oathauth-login-failed' ), 'error' );
		}

		$oathuser = OATHAuthHooks::getOATHUserRepository()->findByUser( $user );
		// @phan-suppress-next-line PhanUndeclaredProperty
		$token = $request->OATHToken;

		if ( $oathuser->getKey() === null ) {
			// The key was removed between begin and continue (e.g. from another
			// session); there is no longer anything to verify, so abstain.
			$this->logger->warning( 'Two-factor authentication was disabled mid-authentication for '
				. $user->getName() );
			return AuthenticationResponse::newAbstain();
		}

		// Check for limit exceeded without increasing the 'badoath' counter; failures
		// are counted where the token is verified, not here, so resubmitting this
		// form while throttled does not push the counter further.
		if ( $user->pingLimiter( 'badoath', 0 ) ) {
			return AuthenticationResponse::newUI(
				[ new TOTPAuthenticationRequest() ],
				new Message(
					'oathauth-throttled',
					// The 60 seconds shown to the user is arbitrary; it is not derived
					// from the configured 'badoath' rate-limit window.
					[ Message::durationParam( 60 ) ]
				), 'error' );
		}

		// The key's verifyToken() decides whether the token is valid for this user.
		if ( $oathuser->getKey()->verifyToken( $token, $oathuser ) ) {
			return AuthenticationResponse::newPass();
		} else {
			// Wrong token: keep the session on the second-factor screen.
			return AuthenticationResponse::newUI( [ new TOTPAuthenticationRequest() ],
				wfMessage( 'oathauth-login-failed' ), 'error' );
		}
	}

	/**
	 * Account creation never involves a second factor, so this provider abstains.
	 *
	 * @param User $user
	 * @param User $creator
	 * @param AuthenticationRequest[] $reqs
	 * @return AuthenticationResponse
	 */
	public function beginSecondaryAccountCreation( $user, $creator, array $reqs ) {
		return AuthenticationResponse::newAbstain();
	}
}
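The provider above only sequences the checks: refuse while the 'badoath' limit is exceeded, hand the token to the key's verifyToken(), and re-prompt on failure. The verification itself is not on this page. The following is an added example, not OATHAuth's code, of what that sequence looks like end to end for an RFC 6238 TOTP key: the token is checked across a window of time steps, a correct token for a step at or before the last accepted one is rejected as a replay, and consecutive failures lock the user out. TotpVerifier, MAX_FAILURES and the in-memory $state are assumptions standing in for OATHAuth's key object, the 'badoath' rate limit and its per-user cache; the secret is the RFC 4226/6238 test secret, so the expected tokens are the published test vectors.

```php
<?php
// Added example, not OATHAuth code. TotpVerifier, MAX_FAILURES and $state are
// hypothetical stand-ins for the extension's key object, $wgRateLimits['badoath']
// and its per-user cache entry.

final class TotpVerifier {
	const DIGITS = 6;
	const STEP = 30;         // seconds per TOTP time step
	const MAX_FAILURES = 5;  // assumed lockout threshold

	/** @var string raw HMAC key */
	private $key;
	/** @var int how many steps either side of "now" are accepted */
	private $radius;
	/** @var array per-user state: last accepted step, consecutive failures */
	private $state = [ 'lastStep' => -1, 'failures' => 0 ];

	public function __construct( $secretBase32, $radius = 1 ) {
		$this->key = self::base32Decode( $secretBase32 );
		$this->radius = $radius;
	}

	/** RFC 4648 base32 (padding optional), the encoding authenticator apps use. */
	public static function base32Decode( $b32 ) {
		$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
		$bits = '';
		foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
			$v = strpos( $alphabet, $c );
			if ( $v === false ) {
				throw new InvalidArgumentException( 'Invalid base32 character' );
			}
			$bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
		}
		$out = '';
		foreach ( str_split( $bits, 8 ) as $byte ) {
			if ( strlen( $byte ) === 8 ) {
				$out .= chr( bindec( $byte ) );
			}
		}
		return $out;
	}

	/** RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation. */
	public static function hotp( $key, $counter, $digits = self::DIGITS ) {
		$hash = hash_hmac( 'sha1', pack( 'J', $counter ), $key, true );
		$offset = ord( $hash[19] ) & 0x0f;
		$code = ( ( ord( $hash[$offset] ) & 0x7f ) << 24 )
			| ( ord( $hash[$offset + 1] ) << 16 )
			| ( ord( $hash[$offset + 2] ) << 8 )
			| ord( $hash[$offset + 3] );
		return str_pad( (string)( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
	}

	/**
	 * Same order as continueSecondaryAuthentication() above: refuse while throttled,
	 * otherwise verify and record the outcome. A correct token for a step at or
	 * before the last accepted one is a replay and counts as a failure.
	 */
	public function verify( $token, $now ) {
		if ( $this->state['failures'] >= self::MAX_FAILURES ) {
			return false; // the provider shows 'oathauth-throttled' at this point
		}
		$ok = false;
		if ( ctype_digit( $token ) && strlen( $token ) === self::DIGITS ) {
			$step = intdiv( $now, self::STEP );
			for ( $s = $step - $this->radius; $s <= $step + $this->radius; $s++ ) {
				if ( hash_equals( self::hotp( $this->key, $s ), $token ) ) {
					$ok = $s > $this->state['lastStep'];
					if ( $ok ) {
						$this->state['lastStep'] = $s;
					}
					break;
				}
			}
		}
		if ( $ok ) {
			$this->state['failures'] = 0;
		} else {
			$this->state['failures']++; // stands in for the 'badoath' counter
		}
		return $ok;
	}
}

// Constructed input: the RFC 4226/6238 test secret "12345678901234567890" in base32.
$v = new TotpVerifier( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );
var_dump( $v->verify( '287082', 59 ) );  // true: RFC 6238 vector for T=59 (step 1)
var_dump( $v->verify( '287082', 59 ) );  // false: same step replayed
var_dump( $v->verify( '755224', 59 ) );  // false: step 0 is inside the window but older than step 1
```

The window radius is what makes the replay guard necessary: with radius 1 a token for the previous step is still accepted, so an attacker who captures a token has that long to reuse it unless the last accepted step is remembered. The throttle check comes before any HMAC work, as in the provider, so a locked-out user does not learn whether a guess was correct.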