MediaWiki REL1_32
CaptchaPreAuthenticationProvider.php
Go to the documentation of this file.
1<?php
2
3use MediaWiki\Auth\AbstractPreAuthenticationProvider;
4use MediaWiki\Auth\AuthenticationRequest;
5use MediaWiki\Auth\AuthenticationResponse;
6use MediaWiki\Auth\AuthManager;
7use MediaWiki\Logger\LoggerFactory;
8
9class CaptchaPreAuthenticationProvider extends AbstractPreAuthenticationProvider {
10 public function getAuthenticationRequests( $action, array $options ) {
11 $captcha = ConfirmEditHooks::getInstance();
12 $user = User::newFromName( $options['username'] );
13
14 $needed = false;
15 switch ( $action ) {
16 case AuthManager::ACTION_CREATE:
17 $needed = $captcha->needCreateAccountCaptcha( $user ?: new User() );
18 if ( $needed ) {
19 $captcha->setAction( 'accountcreate' );
20 LoggerFactory::getInstance( 'authevents' )
21 ->info( 'Captcha shown on account creation', [
22 'event' => 'captcha.display',
23 'eventType' => 'accountcreation',
24 ] );
25 }
26 break;
27 case AuthManager::ACTION_LOGIN:
28 // Captcha is shown on login when there were too many failed attempts from the
29 // current IP or user. The latter is a bit awkward because we don't know the
30 // username yet. The username from the last successful login is stored in a cookie,
31 // but we still must make sure to not lock out other usernames so we use a session
32 // flag. This will result in confusing error messages if the browser cannot persist
33 // the session, but then login would be impossible anyway so no big deal.
34
35 // If the username ends to be one that does not trigger the captcha, that will
36 // result in weird behavior (if the user leaves the captcha field open, they get
37 // a required field error, if they fill it with an invalid answer, it will pass)
38 // - again, not a huge deal.
39 $session = $this->manager->getRequest()->getSession();
40 $sessionFlag = $session->get( 'ConfirmEdit:loginCaptchaPerUserTriggered' );
41 $suggestedUsername = $session->suggestLoginUsername();
42 if (
43 $captcha->isBadLoginTriggered()
44 || $sessionFlag
45 || $suggestedUsername && $captcha->isBadLoginPerUserTriggered( $suggestedUsername )
46 ) {
47 $needed = true;
48 $captcha->setAction( 'badlogin' );
49 LoggerFactory::getInstance( 'authevents' )
50 ->info( 'Captcha shown on account creation', [
51 'event' => 'captcha.display',
52 'eventType' => 'accountcreation',
53 ] );
54 break;
55 }
56 break;
57 }
58
59 if ( $needed ) {
60 return [ $captcha->createAuthenticationRequest() ];
61 } else {
62 return [];
63 }
64 }
65
66 public function testForAuthentication( array $reqs ) {
67 $captcha = ConfirmEditHooks::getInstance();
68 $username = AuthenticationRequest::getUsernameFromRequests( $reqs );
69 $success = true;
70 $isBadLoginPerUserTriggered = $username ?
71 $captcha->isBadLoginPerUserTriggered( $username ) : false;
72
73 if ( $captcha->isBadLoginTriggered() || $isBadLoginPerUserTriggered ) {
74 $captcha->setAction( 'badlogin' );
75 $captcha->setTrigger( "post-badlogin login '$username'" );
76 $success = $this->verifyCaptcha( $captcha, $reqs, new User() );
77 LoggerFactory::getInstance( 'authevents' )->info( 'Captcha submitted on login', [
78 'event' => 'captcha.submit',
79 'eventType' => 'login',
80 'successful' => $success,
81 ] );
82 }
83
84 if ( $isBadLoginPerUserTriggered || $isBadLoginPerUserTriggered === null ) {
85 $session = $this->manager->getRequest()->getSession();
86 $session->set( 'ConfirmEdit:loginCaptchaPerUserTriggered', true );
87 }
88
89 // Make brute force attacks harder by not telling whether the password or the
90 // captcha failed.
91 return $success ? Status::newGood() : $this->makeError( 'wrongpassword', $captcha );
92 }
93
94 public function testForAccountCreation( $user, $creator, array $reqs ) {
95 $captcha = ConfirmEditHooks::getInstance();
96
97 if ( $captcha->needCreateAccountCaptcha( $creator ) ) {
98 $username = $user->getName();
99 $captcha->setAction( 'accountcreate' );
100 $captcha->setTrigger( "new account '$username'" );
101 $success = $this->verifyCaptcha( $captcha, $reqs, $user );
102 LoggerFactory::getInstance( 'authevents' )->info( 'Captcha submitted on account creation', [
103 'event' => 'captcha.submit',
104 'eventType' => 'accountcreation',
105 'successful' => $success,
106 ] );
107 if ( !$success ) {
108 return $this->makeError( 'captcha-createaccount-fail', $captcha );
109 }
110 }
111 return Status::newGood();
112 }
113
114 public function postAuthentication( $user, AuthenticationResponse $response ) {
115 $captcha = ConfirmEditHooks::getInstance();
116 switch ( $response->status ) {
117 case AuthenticationResponse::PASS:
118 case AuthenticationResponse::RESTART:
119 $session = $this->manager->getRequest()->getSession();
120 $session->remove( 'ConfirmEdit:loginCaptchaPerUserTriggered' );
121 $captcha->resetBadLoginCounter( $user ? $user->getName() : null );
122 break;
123 case AuthenticationResponse::FAIL:
124 $captcha->increaseBadLoginCounter( $user ? $user->getName() : null );
125 break;
126 }
127 }
128
137 protected function verifyCaptcha( SimpleCaptcha $captcha, array $reqs, User $user ) {
139 $req = AuthenticationRequest::getRequestByClass( $reqs,
140 CaptchaAuthenticationRequest::class, true );
141 if ( !$req ) {
142 return false;
143 }
144 return $captcha->passCaptchaLimited( $req->captchaId, $req->captchaWord, $user );
145 }
146
152 protected function makeError( $message, SimpleCaptcha $captcha ) {
153 $error = $captcha->getError();
154 if ( $error ) {
155 return Status::newFatal( wfMessage( 'captcha-error', $error ) );
156 }
157 return Status::newFatal( $message );
158 }
159}
CaptchaPreAuthenticationProvider\testForAccountCreation
testForAccountCreation( $user, $creator, array $reqs)
Determine whether an account creation may begin.
Definition CaptchaPreAuthenticationProvider.php:94
CaptchaPreAuthenticationProvider\getAuthenticationRequests
getAuthenticationRequests( $action, array $options)
Return the applicable list of AuthenticationRequests.
Definition CaptchaPreAuthenticationProvider.php:10
CaptchaPreAuthenticationProvider\makeError
makeError( $message, SimpleCaptcha $captcha)
Definition CaptchaPreAuthenticationProvider.php:152
CaptchaPreAuthenticationProvider\verifyCaptcha
verifyCaptcha(SimpleCaptcha $captcha, array $reqs, User $user)
Verify submitted captcha.
Definition CaptchaPreAuthenticationProvider.php:137
CaptchaPreAuthenticationProvider\postAuthentication
postAuthentication( $user, AuthenticationResponse $response)
Post-login callback.
Definition CaptchaPreAuthenticationProvider.php:114
CaptchaPreAuthenticationProvider\testForAuthentication
testForAuthentication(array $reqs)
Determine whether an authentication may begin.
Definition CaptchaPreAuthenticationProvider.php:66
ConfirmEditHooks\getInstance
static getInstance()
Get the global Captcha instance.
Definition ConfirmEditHooks.php:11
MediaWiki\Auth\AbstractPreAuthenticationProvider
A base class that implements some of the boilerplate for a PreAuthenticationProvider.
Definition AbstractPreAuthenticationProvider.php:31
MediaWiki\Auth\AuthManager
This serves as the entry point to the authentication system.
Definition AuthManager.php:83
MediaWiki\Auth\AuthenticationRequest
This is a value object for authentication requests.
Definition AuthenticationRequest.php:37
MediaWiki\Auth\AuthenticationResponse
This is a value object to hold authentication response data.
Definition AuthenticationResponse.php:37
MediaWiki\Logger\LoggerFactory
PSR-3 logger instance factory.
Definition LoggerFactory.php:45
SimpleCaptcha
Demo CAPTCHA (not for production usage) and base class for real CAPTCHAs.
Definition SimpleCaptcha.php:8
User
The User object encapsulates all of the user-specific settings (user_id, name, rights,...
Definition User.php:47
User\newFromName
static newFromName( $name, $validate='valid')
Static factory method for creation from username.
Definition User.php:592
$req
this hook is for auditing only $req
Definition hooks.txt:1018
$options
null means default in associative array with keys and values unescaped Should be merged with default with a value of false meaning to suppress the attribute in associative array with keys and values unescaped & $options
Definition hooks.txt:2050
wfMessage
either a unescaped string or a HtmlArmor object after in associative array form externallinks including delete and has completed for all link tables whether this was an auto creation use $formDescriptor instead default is conds Array Extra conditions for the No matching items in log is displayed if loglist is empty msgKey Array If you want a nice box with a set this to the key of the message First element is the message additional optional elements are parameters for the key that are processed with wfMessage() -> params() ->parseAsBlock() - offset Set to overwrite offset parameter in $wgRequest set to '' to unset offset - wrap String Wrap the message in html(usually something like "&lt;div ...>$1&lt;/div>"). - flags Integer display flags(NO_ACTION_LINK, NO_EXTRA_USER_LINKS) 'LogException':Called before an exception(or PHP error) is logged. This is meant for integration with external error aggregation services
$username
this hook is for auditing only or null if authentication failed before getting that far $username
Definition hooks.txt:815
$response
this hook is for auditing only $response
Definition hooks.txt:813
array
The wiki should then use memcached to cache various data To use multiple just add more items to the array To increase the weight of a make its entry a array("192.168.0.1:11211", 2))