TOTPSecondaryAuthenticationProvider.php

Go to the documentation of this file.

<?php
namespace MediaWiki\Extension\OATHAuth\Auth;
 
use MediaWiki\Auth\AbstractSecondaryAuthenticationProvider;
use MediaWiki\Auth\AuthenticationRequest;
use MediaWiki\Auth\AuthenticationResponse;
use MediaWiki\Auth\AuthManager;
use MediaWiki\MediaWikiServices;
use MediaWiki\Extension\OATHAuth\Module\TOTP;
use Message;
use User;
 
class TOTPSecondaryAuthenticationProvider extends AbstractSecondaryAuthenticationProvider {
 
    public function getAuthenticationRequests( $action, array $options ) {
        switch ( $action ) {
            case AuthManager::ACTION_LOGIN:
                // don't ask for anything initially so the second factor is on a separate screen
                return [];
            default:
                return [];
        }
    }
 
    public function beginSecondaryAuthentication( $user, array $reqs ) {
        $userRepo = MediaWikiServices::getInstance()->getService( 'OATHUserRepository' );
        $authUser = $userRepo->findByUser( $user );
 
        if ( !( $authUser->getModule() instanceof TOTP ) ) {
            return AuthenticationResponse::newAbstain();
        } else {
            return AuthenticationResponse::newUI( [ new TOTPAuthenticationRequest() ],
                wfMessage( 'oathauth-auth-ui' ), 'warning' );
        }
    }
 
    public function continueSecondaryAuthentication( $user, array $reqs ) {
        $request = AuthenticationRequest::getRequestByClass( $reqs, TOTPAuthenticationRequest::class );
        if ( !$request ) {
            return AuthenticationResponse::newUI( [ new TOTPAuthenticationRequest() ],
                wfMessage( 'oathauth-login-failed' ), 'error' );
        }
 
        $userRepo = MediaWikiServices::getInstance()->getService( 'OATHUserRepository' );
        $authUser = $userRepo->findByUser( $user );
        $token = $request->OATHToken;
 
        if ( !( $authUser->getModule() instanceof TOTP ) ) {
            $this->logger->warning( 'Two-factor authentication was disabled mid-authentication for '
                . $user->getName() );
            return AuthenticationResponse::newAbstain();
        }
 
        // Don't increase pingLimiter, just check for limit exceeded.
        if ( $user->pingLimiter( 'badoath', 0 ) ) {
            return AuthenticationResponse::newUI(
                [ new TOTPAuthenticationRequest() ],
                new Message(
                    'oathauth-throttled',
                    // Arbitrary duration given here
                    [ Message::durationParam( 60 ) ]
                ), 'error' );
        }
 
        if ( $authUser->getModule()->verify( $authUser, [ 'token' => $token ] ) ) {
            return AuthenticationResponse::newPass();
        } else {
            return AuthenticationResponse::newUI( [ new TOTPAuthenticationRequest() ],
                wfMessage( 'oathauth-login-failed' ), 'error' );
        }
    }
 
    public function beginSecondaryAccountCreation( $user, $creator, array $reqs ) {
        return AuthenticationResponse::newAbstain();
    }
}