MediaWiki 1.34.0
Public Member Functions
autoCreatedAccount( $user, $source ) | Post-auto-creation callback.
beginSecondaryAccountCreation( $user, $creator, array $reqs ) | Start an account creation flow.
beginSecondaryAuthentication( $user, array $reqs ) | Start an authentication flow.
continueSecondaryAccountCreation( $user, $creator, array $reqs ) | Continue an authentication flow.
continueSecondaryAuthentication( $user, array $reqs ) | Continue an authentication flow.
postAccountCreation( $user, $creator, AuthenticationResponse $response ) | Post-creation callback.
postAuthentication( $user, AuthenticationResponse $response ) | Post-login callback.
providerAllowsAuthenticationDataChange( AuthenticationRequest $req, $checkData = true ) | Validate a change of authentication data (e.g. passwords)
providerAllowsPropertyChange( $property ) | Determine whether a property can change.
providerChangeAuthenticationData( AuthenticationRequest $req ) | Change or remove authentication data (e.g. passwords)
providerRevokeAccessForUser( $username ) | Revoke the user's credentials.
testForAccountCreation( $user, $creator, array $reqs ) | Determine whether an account creation may begin.
testUserForCreation( $user, $autocreate, array $options = [] ) | Determine whether an account may be created.
Public Member Functions inherited from MediaWiki\Auth\AuthenticationProvider
getAuthenticationRequests( $action, array $options ) | Return the applicable list of AuthenticationRequests.
getUniqueId() | Return a unique identifier for this instance.
setConfig( Config $config ) | Set configuration.
setManager( AuthManager $manager ) | Set AuthManager.
A secondary provider mostly acts when the submitted authentication data has already been associated to a MediaWiki user account.
For login, a secondary provider performs additional authentication steps after a PrimaryAuthenticationProvider has identified which MediaWiki user is trying to log in. For example, it might implement a password reset, request the second factor for two-factor auth, or prevent the login if the account is blocked.
For account creation, a secondary provider performs optional extra steps after a PrimaryAuthenticationProvider has created the user; for example, it can collect further user information such as a biography.
(For account linking, secondary providers are not involved.)
This interface also provides methods for changing authentication data such as a second-factor token, and callbacks that are invoked after login / account creation succeeded or failed.
Definition at line 52 of file SecondaryAuthenticationProvider.php.
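The login flow described above, as an added example that is not MediaWiki's or any extension's own code: a secondary provider that asks for an e-mailed one-time code after the primary provider has identified the user. The class names `ExampleCodeRequest` and `ExampleEmailCodeProvider`, the `example-code-*` message keys and the `ExampleCode` session key are hypothetical; it assumes the abstract base class leaves only the three methods implemented here to the subclass.

```php
<?php
// Added example; class names, message keys and the session key are hypothetical.
use MediaWiki\Auth\AbstractSecondaryAuthenticationProvider;
use MediaWiki\Auth\AuthenticationRequest;
use MediaWiki\Auth\AuthenticationResponse;

class ExampleCodeRequest extends AuthenticationRequest {
	/** @var string|null Code typed by the user */
	public $code;

	public function getFieldInfo() {
		return [ 'code' => [
			'type' => 'string',
			'label' => wfMessage( 'example-code-label' ),
			'help' => wfMessage( 'example-code-help' ),
		] ];
	}
}

class ExampleEmailCodeProvider extends AbstractSecondaryAuthenticationProvider {
	public function getAuthenticationRequests( $action, array $options ) {
		return []; // the code field is requested only through the UI response
	}

	public function beginSecondaryAuthentication( $user, array $reqs ) {
		if ( !$user->isEmailConfirmed() ) {
			// ABSTAIN imposes no requirement: this user logs in without the extra step
			return AuthenticationResponse::newAbstain();
		}
		$code = sprintf( '%06d', random_int( 0, 999999 ) ); // CSPRNG, not mt_rand()
		$this->manager->setAuthenticationSessionData( 'ExampleCode', $code );
		$user->sendMail( 'Login code', "Your login code is $code" );
		// UI pauses the login until the user submits an ExampleCodeRequest
		return AuthenticationResponse::newUI( [ new ExampleCodeRequest ],
			wfMessage( 'example-code-prompt' ) );
	}

	public function continueSecondaryAuthentication( $user, array $reqs ) {
		$req = AuthenticationRequest::getRequestByClass( $reqs, ExampleCodeRequest::class );
		$expected = $this->manager->getAuthenticationSessionData( 'ExampleCode' );
		// hash_equals() compares in constant time
		if ( $req && is_string( $expected ) && hash_equals( $expected, (string)$req->code ) ) {
			return AuthenticationResponse::newPass();
		}
		return AuthenticationResponse::newFail( wfMessage( 'example-code-wrong' ) );
	}

	public function beginSecondaryAccountCreation( $user, $creator, array $reqs ) {
		return AuthenticationResponse::newAbstain(); // no extra step at creation
	}
}
```

The example ends the login attempt on the first wrong code and adds no attempt limit of its own.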
MediaWiki\Auth\SecondaryAuthenticationProvider::autoCreatedAccount( $user, $source )
Post-auto-creation callback.
User | $user | User being created (has been added to the database now). This may become a "UserValue" in the future, or User may be refactored into such. |
string | $source | The source of the auto-creation passed to AuthManager::autoCreateUser(). |
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
MediaWiki\Auth\SecondaryAuthenticationProvider::beginSecondaryAccountCreation( $user, $creator, array $reqs )
Start an account creation flow.
User | $user | User being created (has been added to the database). This may become a "UserValue" in the future, or User may be refactored into such. |
User | $creator | User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such. |
AuthenticationRequest[] | $reqs |
Implemented in MediaWiki\Extension\OATHAuth\Auth\TOTPSecondaryAuthenticationProvider, MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider, MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider, MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider, MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider, and MediaWiki\Extension\OATHAuth\Auth\SecondaryAuthenticationProvider.
MediaWiki\Auth\SecondaryAuthenticationProvider::beginSecondaryAuthentication( $user, array $reqs )
Start an authentication flow.
Note that this may be called for a user even if beginSecondaryAccountCreation() was never called. The module should take the opportunity to do any necessary setup in that case.
User | $user | User being authenticated. This may become a "UserValue" in the future, or User may be refactored into such. |
AuthenticationRequest[] | $reqs |
Implemented in MediaWiki\Extension\OATHAuth\Auth\TOTPSecondaryAuthenticationProvider, MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider, MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider, MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider, MediaWiki\Extension\OATHAuth\Auth\SecondaryAuthenticationProvider, and MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider.
MediaWiki\Auth\SecondaryAuthenticationProvider::continueSecondaryAccountCreation( $user, $creator, array $reqs )
Continue an authentication flow.
User | $user | User being created (has been added to the database). This may become a "UserValue" in the future, or User may be refactored into such. |
User | $creator | User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such. |
AuthenticationRequest[] | $reqs |
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider, MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider, and MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider.
MediaWiki\Auth\SecondaryAuthenticationProvider::continueSecondaryAuthentication( $user, array $reqs )
Continue an authentication flow.
User | $user | User being authenticated. This may become a "UserValue" in the future, or User may be refactored into such. |
AuthenticationRequest[] | $reqs |
Implemented in MediaWiki\Extension\OATHAuth\Auth\TOTPSecondaryAuthenticationProvider, MediaWiki\Extension\OATHAuth\Auth\SecondaryAuthenticationProvider, MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider, MediaWiki\Auth\AbstractSecondaryAuthenticationProvider, and MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider.
MediaWiki\Auth\SecondaryAuthenticationProvider::postAccountCreation( $user, $creator, AuthenticationResponse $response )
Post-creation callback.
This will be called at the end of an account creation attempt. It will not be called if the account creation process results in a session timeout (possibly after a successful user creation, while a secondary provider is waiting for a response).
User | $user | User that was attempted to be created. This may become a "UserValue" in the future, or User may be refactored into such. |
User | $creator | User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such. |
AuthenticationResponse | $response | Authentication response that will be returned (PASS or FAIL) |
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
MediaWiki\Auth\SecondaryAuthenticationProvider::postAuthentication( $user, AuthenticationResponse $response )
Post-login callback.
This will be called at the end of a login attempt. It will not be called for unfinished login attempts that fail by the session timing out.
User|null | $user | User that was attempted to be logged in, if known. This may become a "UserValue" in the future, or User may be refactored into such. |
AuthenticationResponse | $response | Authentication response that will be returned (PASS or FAIL) |
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
MediaWiki\Auth\SecondaryAuthenticationProvider::providerAllowsAuthenticationDataChange( AuthenticationRequest $req, $checkData = true )
Validate a change of authentication data (e.g. passwords)
Return StatusValue::newGood( 'ignored' ) if you don't support this AuthenticationRequest type.
AuthenticationRequest | $req | |
bool | $checkData | If false, $req hasn't been loaded from the submission so checks on user-submitted fields should be skipped. $req->username is considered user-submitted for this purpose, even if it cannot be changed via $req->loadFromSubmission. |
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
MediaWiki\Auth\SecondaryAuthenticationProvider::providerAllowsPropertyChange( $property )
Determine whether a property can change.
string | $property |
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
MediaWiki\Auth\SecondaryAuthenticationProvider::providerChangeAuthenticationData( AuthenticationRequest $req )
Change or remove authentication data (e.g. passwords)
If $req was returned for AuthManager::ACTION_CHANGE, the corresponding credentials should result in a successful login in the future.
If $req was returned for AuthManager::ACTION_REMOVE, the corresponding credentials should no longer result in a successful login.
It can be assumed that providerAllowsAuthenticationDataChange with $checkData === true was called before this, and passed. This method should never fail (other than throwing an exception).
AuthenticationRequest | $req |
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
MediaWiki\Auth\SecondaryAuthenticationProvider::providerRevokeAccessForUser( $username )
Revoke the user's credentials.
This may cause the user to no longer exist for the provider, or the user may continue to exist in a "disabled" state.
The intention is that the named account will never again be usable for normal login (i.e. there is no way to undo the revocation of access).
string | $username |
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
MediaWiki\Auth\SecondaryAuthenticationProvider::testForAccountCreation( $user, $creator, array $reqs )
Determine whether an account creation may begin.
Called from AuthManager::beginAccountCreation()
User | $user | User being created (not added to the database yet). This may become a "UserValue" in the future, or User may be refactored into such. |
User | $creator | User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such. |
AuthenticationRequest[] | $reqs |
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.
MediaWiki\Auth\SecondaryAuthenticationProvider::testUserForCreation( $user, $autocreate, array $options = [] )
Determine whether an account may be created.
User | $user | User being created (not added to the database yet). This may become a "UserValue" in the future, or User may be refactored into such. |
bool|string | $autocreate | False if this is not an auto-creation, or the source of the auto-creation passed to AuthManager::autoCreateUser(). |
array | $options |
Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider, and MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider.