MediaWiki  1.34.0
ThrottlePreAuthenticationProvider.php
Go to the documentation of this file.
1 <?php
22 namespace MediaWiki\Auth;
23 
24 use BagOStuff;
25 use Config;
26 
37 class ThrottlePreAuthenticationProvider extends AbstractPreAuthenticationProvider {
39  protected $throttleSettings;
40 
42  protected $accountCreationThrottle;
43 
45  protected $passwordAttemptThrottle;
46 
48  protected $cache;
49 
58  public function __construct( $params = [] ) {
59  $this->throttleSettings = array_intersect_key( $params,
60  [ 'accountCreationThrottle' => true, 'passwordAttemptThrottle' => true ] );
61  $this->cache = $params['cache'] ?? \ObjectCache::getLocalClusterInstance();
62  }
63 
64  public function setConfig( Config $config ) {
65  parent::setConfig( $config );
66 
67  $accountCreationThrottle = $this->config->get( 'AccountCreationThrottle' );
68  // Handle old $wgAccountCreationThrottle format (number of attempts per 24 hours)
69  if ( !is_array( $accountCreationThrottle ) ) {
70  $accountCreationThrottle = [ [
71  'count' => $accountCreationThrottle,
72  'seconds' => 86400,
73  ] ];
74  }
75 
76  // @codeCoverageIgnoreStart
77  $this->throttleSettings += [
78  // @codeCoverageIgnoreEnd
79  'accountCreationThrottle' => $accountCreationThrottle,
80  'passwordAttemptThrottle' => $this->config->get( 'PasswordAttemptThrottle' ),
81  ];
82 
83  if ( !empty( $this->throttleSettings['accountCreationThrottle'] ) ) {
84  $this->accountCreationThrottle = new Throttler(
85  $this->throttleSettings['accountCreationThrottle'], [
86  'type' => 'acctcreate',
87  'cache' => $this->cache,
88  ]
89  );
90  }
91  if ( !empty( $this->throttleSettings['passwordAttemptThrottle'] ) ) {
92  $this->passwordAttemptThrottle = new Throttler(
93  $this->throttleSettings['passwordAttemptThrottle'], [
94  'type' => 'password',
95  'cache' => $this->cache,
96  ]
97  );
98  }
99  }
100 
101  public function testForAccountCreation( $user, $creator, array $reqs ) {
102  if ( !$this->accountCreationThrottle || !$creator->isPingLimitable() ) {
103  return \StatusValue::newGood();
104  }
105 
106  $ip = $this->manager->getRequest()->getIP();
107 
108  if ( !\Hooks::run( 'ExemptFromAccountCreationThrottle', [ $ip ] ) ) {
109  $this->logger->debug( __METHOD__ . ": a hook allowed account creation w/o throttle\n" );
110  return \StatusValue::newGood();
111  }
112 
113  $result = $this->accountCreationThrottle->increase( null, $ip, __METHOD__ );
114  if ( $result ) {
115  $message = wfMessage( 'acct_creation_throttle_hit' )->params( $result['count'] )
116  ->durationParams( $result['wait'] );
117  return \StatusValue::newFatal( $message );
118  }
119 
120  return \StatusValue::newGood();
121  }
122 
123  public function testForAuthentication( array $reqs ) {
124  if ( !$this->passwordAttemptThrottle ) {
125  return \StatusValue::newGood();
126  }
127 
128  $ip = $this->manager->getRequest()->getIP();
129  try {
130  $username = AuthenticationRequest::getUsernameFromRequests( $reqs );
131  } catch ( \UnexpectedValueException $e ) {
132  $username = '';
133  }
134 
135  // Get everything this username could normalize to, and throttle each one individually.
136  // If nothing uses usernames, just throttle by IP.
137  $usernames = $this->manager->normalizeUsername( $username );
138  $result = false;
139  foreach ( $usernames as $name ) {
140  $r = $this->passwordAttemptThrottle->increase( $name, $ip, __METHOD__ );
141  if ( $r && ( !$result || $result['wait'] < $r['wait'] ) ) {
142  $result = $r;
143  }
144  }
145 
146  if ( $result ) {
147  $message = wfMessage( 'login-throttled' )->durationParams( $result['wait'] );
148  return \StatusValue::newFatal( $message );
149  } else {
150  $this->manager->setAuthenticationSessionData( 'LoginThrottle',
151  [ 'users' => $usernames, 'ip' => $ip ] );
152  return \StatusValue::newGood();
153  }
154  }
155 
160  public function postAuthentication( $user, AuthenticationResponse $response ) {
161  if ( $response->status !== AuthenticationResponse::PASS ) {
162  return;
163  } elseif ( !$this->passwordAttemptThrottle ) {
164  return;
165  }
166 
167  $data = $this->manager->getAuthenticationSessionData( 'LoginThrottle' );
168  if ( !$data ) {
169  // this can occur when login is happening via AuthenticationRequest::$loginRequest
170  // so testForAuthentication is skipped
171  $this->logger->info( 'throttler data not found for {user}', [ 'user' => $user->getName() ] );
172  return;
173  }
174 
175  foreach ( $data['users'] as $name ) {
176  $this->passwordAttemptThrottle->clear( $name, $data['ip'] );
177  }
178  }
179 }
MediaWiki\Auth\ThrottlePreAuthenticationProvider\$passwordAttemptThrottle
Throttler $passwordAttemptThrottle
Definition: ThrottlePreAuthenticationProvider.php:45
MediaWiki\Auth\ThrottlePreAuthenticationProvider\postAuthentication
postAuthentication( $user, AuthenticationResponse $response)
Definition: ThrottlePreAuthenticationProvider.php:160
MediaWiki\Auth\ThrottlePreAuthenticationProvider\$throttleSettings
array $throttleSettings
Definition: ThrottlePreAuthenticationProvider.php:39
ObjectCache\getLocalClusterInstance
static getLocalClusterInstance()
Get the main cluster-local cache object.
Definition: ObjectCache.php:342
$response
$response
Definition: opensearch_desc.php:38
MediaWiki\Auth\ThrottlePreAuthenticationProvider\$accountCreationThrottle
Throttler $accountCreationThrottle
Definition: ThrottlePreAuthenticationProvider.php:42
MediaWiki\Auth\ThrottlePreAuthenticationProvider\setConfig
setConfig(Config $config)
Set configuration.
Definition: ThrottlePreAuthenticationProvider.php:64
BagOStuff
Class representing a cache/ephemeral data store.
Definition: BagOStuff.php:63
wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition: GlobalFunctions.php:1264
MediaWiki\Auth\Throttler
Definition: Throttler.php:37
MediaWiki\Auth\ThrottlePreAuthenticationProvider\$cache
BagOStuff $cache
Definition: ThrottlePreAuthenticationProvider.php:48
Config
Interface for configuration instances.
Definition: Config.php:28
MediaWiki\Auth\AuthenticationRequest\getUsernameFromRequests
static getUsernameFromRequests(array $reqs)
Get the username from the set of requests.
Definition: AuthenticationRequest.php:283
MediaWiki\Auth\AuthenticationResponse
This is a value object to hold authentication response data.
Definition: AuthenticationResponse.php:37
MediaWiki\Auth\ThrottlePreAuthenticationProvider\__construct
__construct( $params=[])
Definition: ThrottlePreAuthenticationProvider.php:58
MediaWiki\Auth\ThrottlePreAuthenticationProvider
A pre-authentication provider to throttle authentication actions.
Definition: ThrottlePreAuthenticationProvider.php:37
MediaWiki\Auth\ThrottlePreAuthenticationProvider\testForAuthentication
testForAuthentication(array $reqs)
Determine whether an authentication may begin.
Definition: ThrottlePreAuthenticationProvider.php:123
MediaWiki\Auth\AbstractPreAuthenticationProvider
A base class that implements some of the boilerplate for a PreAuthenticationProvider.
Definition: AbstractPreAuthenticationProvider.php:29
MediaWiki\Auth\AuthenticationResponse\PASS
const PASS
Indicates that the authentication succeeded.
Definition: AuthenticationResponse.php:39
Hooks\run
static run( $event, array $args=[], $deprecatedVersion=null)
Call hook functions defined in Hooks::register and $wgHooks.
Definition: Hooks.php:200
MediaWiki\Auth
Definition: AbstractAuthenticationProvider.php:22
MediaWiki\Auth\AbstractAuthenticationProvider\$config
Config $config
Definition: AbstractAuthenticationProvider.php:38
MediaWiki\Auth\ThrottlePreAuthenticationProvider\testForAccountCreation
testForAccountCreation( $user, $creator, array $reqs)
Determine whether an account creation may begin.
Definition: ThrottlePreAuthenticationProvider.php:101