MediaWiki REL1_34
ThrottlePreAuthenticationProvider.php
Go to the documentation of this file.
1<?php
22namespace MediaWiki\Auth;
23
24use BagOStuff;
25use Config;
26
37class ThrottlePreAuthenticationProvider extends AbstractPreAuthenticationProvider {
39 protected $throttleSettings;
40
42 protected $accountCreationThrottle;
43
45 protected $passwordAttemptThrottle;
46
48 protected $cache;
49
58 public function __construct( $params = [] ) {
59 $this->throttleSettings = array_intersect_key( $params,
60 [ 'accountCreationThrottle' => true, 'passwordAttemptThrottle' => true ] );
61 $this->cache = $params['cache'] ?? \ObjectCache::getLocalClusterInstance();
62 }
63
64 public function setConfig( Config $config ) {
65 parent::setConfig( $config );
66
67 $accountCreationThrottle = $this->config->get( 'AccountCreationThrottle' );
68 // Handle old $wgAccountCreationThrottle format (number of attempts per 24 hours)
69 if ( !is_array( $accountCreationThrottle ) ) {
70 $accountCreationThrottle = [ [
71 'count' => $accountCreationThrottle,
72 'seconds' => 86400,
73 ] ];
74 }
75
76 // @codeCoverageIgnoreStart
77 $this->throttleSettings += [
78 // @codeCoverageIgnoreEnd
79 'accountCreationThrottle' => $accountCreationThrottle,
80 'passwordAttemptThrottle' => $this->config->get( 'PasswordAttemptThrottle' ),
81 ];
82
83 if ( !empty( $this->throttleSettings['accountCreationThrottle'] ) ) {
84 $this->accountCreationThrottle = new Throttler(
85 $this->throttleSettings['accountCreationThrottle'], [
86 'type' => 'acctcreate',
87 'cache' => $this->cache,
88 ]
89 );
90 }
91 if ( !empty( $this->throttleSettings['passwordAttemptThrottle'] ) ) {
92 $this->passwordAttemptThrottle = new Throttler(
93 $this->throttleSettings['passwordAttemptThrottle'], [
94 'type' => 'password',
95 'cache' => $this->cache,
96 ]
97 );
98 }
99 }
100
101 public function testForAccountCreation( $user, $creator, array $reqs ) {
102 if ( !$this->accountCreationThrottle || !$creator->isPingLimitable() ) {
103 return \StatusValue::newGood();
104 }
105
106 $ip = $this->manager->getRequest()->getIP();
107
108 if ( !\Hooks::run( 'ExemptFromAccountCreationThrottle', [ $ip ] ) ) {
109 $this->logger->debug( __METHOD__ . ": a hook allowed account creation w/o throttle\n" );
110 return \StatusValue::newGood();
111 }
112
113 $result = $this->accountCreationThrottle->increase( null, $ip, __METHOD__ );
114 if ( $result ) {
115 $message = wfMessage( 'acct_creation_throttle_hit' )->params( $result['count'] )
116 ->durationParams( $result['wait'] );
117 return \StatusValue::newFatal( $message );
118 }
119
120 return \StatusValue::newGood();
121 }
122
123 public function testForAuthentication( array $reqs ) {
124 if ( !$this->passwordAttemptThrottle ) {
125 return \StatusValue::newGood();
126 }
127
128 $ip = $this->manager->getRequest()->getIP();
129 try {
130 $username = AuthenticationRequest::getUsernameFromRequests( $reqs );
131 } catch ( \UnexpectedValueException $e ) {
132 $username = '';
133 }
134
135 // Get everything this username could normalize to, and throttle each one individually.
136 // If nothing uses usernames, just throttle by IP.
137 $usernames = $this->manager->normalizeUsername( $username );
138 $result = false;
139 foreach ( $usernames as $name ) {
140 $r = $this->passwordAttemptThrottle->increase( $name, $ip, __METHOD__ );
141 if ( $r && ( !$result || $result['wait'] < $r['wait'] ) ) {
142 $result = $r;
143 }
144 }
145
146 if ( $result ) {
147 $message = wfMessage( 'login-throttled' )->durationParams( $result['wait'] );
148 return \StatusValue::newFatal( $message );
149 } else {
150 $this->manager->setAuthenticationSessionData( 'LoginThrottle',
151 [ 'users' => $usernames, 'ip' => $ip ] );
152 return \StatusValue::newGood();
153 }
154 }
155
160 public function postAuthentication( $user, AuthenticationResponse $response ) {
161 if ( $response->status !== AuthenticationResponse::PASS ) {
162 return;
163 } elseif ( !$this->passwordAttemptThrottle ) {
164 return;
165 }
166
167 $data = $this->manager->getAuthenticationSessionData( 'LoginThrottle' );
168 if ( !$data ) {
169 // this can occur when login is happening via AuthenticationRequest::$loginRequest
170 // so testForAuthentication is skipped
171 $this->logger->info( 'throttler data not found for {user}', [ 'user' => $user->getName() ] );
172 return;
173 }
174
175 foreach ( $data['users'] as $name ) {
176 $this->passwordAttemptThrottle->clear( $name, $data['ip'] );
177 }
178 }
179}
wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition GlobalFunctions.php:1263
BagOStuff
Class representing a cache/ephemeral data store.
Definition BagOStuff.php:63
MediaWiki\Auth\AbstractPreAuthenticationProvider
A base class that implements some of the boilerplate for a PreAuthenticationProvider.
Definition AbstractPreAuthenticationProvider.php:31
MediaWiki\Auth\AuthenticationRequest\getUsernameFromRequests
static getUsernameFromRequests(array $reqs)
Get the username from the set of requests.
Definition AuthenticationRequest.php:283
MediaWiki\Auth\AuthenticationResponse
This is a value object to hold authentication response data.
Definition AuthenticationResponse.php:37
MediaWiki\Auth\AuthenticationResponse\PASS
const PASS
Indicates that the authentication succeeded.
Definition AuthenticationResponse.php:39
MediaWiki\Auth\ThrottlePreAuthenticationProvider
A pre-authentication provider to throttle authentication actions.
Definition ThrottlePreAuthenticationProvider.php:37
MediaWiki\Auth\ThrottlePreAuthenticationProvider\testForAccountCreation
testForAccountCreation( $user, $creator, array $reqs)
Determine whether an account creation may begin.
Definition ThrottlePreAuthenticationProvider.php:101
MediaWiki\Auth\ThrottlePreAuthenticationProvider\testForAuthentication
testForAuthentication(array $reqs)
Determine whether an authentication may begin.
Definition ThrottlePreAuthenticationProvider.php:123
Config
Interface for configuration instances.
Definition Config.php:28
$response
$response
Definition opensearch_desc.php:38