REL1_37/php/ThrottlePreAuthenticationProvider_8php_source.html

<?php

namespace MediaWiki\Auth;


use BagOStuff;


class ThrottlePreAuthenticationProvider extends AbstractPreAuthenticationProvider {

    protected $throttleSettings;


    protected $accountCreationThrottle;


    protected $passwordAttemptThrottle;


    protected $cache;


    public function __construct( $params = [] ) {

        $this->throttleSettings = array_intersect_key( $params,

            [ 'accountCreationThrottle' => true, 'passwordAttemptThrottle' => true ] );

        $this->cache = $params['cache'] ?? \ObjectCache::getLocalClusterInstance();

    }


    protected function postInitSetup() {

        $accountCreationThrottle = $this->config->get( 'AccountCreationThrottle' );

        // Handle old $wgAccountCreationThrottle format (number of attempts per 24 hours)

        if ( !is_array( $accountCreationThrottle ) ) {

            $accountCreationThrottle = [ [

                'count' => $accountCreationThrottle,

                'seconds' => 86400,

            ] ];

        }


        // @codeCoverageIgnoreStart

        $this->throttleSettings += [

        // @codeCoverageIgnoreEnd

            'accountCreationThrottle' => $accountCreationThrottle,

            'passwordAttemptThrottle' => $this->config->get( 'PasswordAttemptThrottle' ),

        ];


        if ( !empty( $this->throttleSettings['accountCreationThrottle'] ) ) {

            $this->accountCreationThrottle = new Throttler(

                $this->throttleSettings['accountCreationThrottle'], [

                    'type' => 'acctcreate',

                    'cache' => $this->cache,

                ]

            );

        }

        if ( !empty( $this->throttleSettings['passwordAttemptThrottle'] ) ) {

            $this->passwordAttemptThrottle = new Throttler(

                $this->throttleSettings['passwordAttemptThrottle'], [

                    'type' => 'password',

                    'cache' => $this->cache,

                ]

            );

        }

    }


    public function testForAccountCreation( $user, $creator, array $reqs ) {

        if ( !$this->accountCreationThrottle || !$creator->isPingLimitable() ) {

            return \StatusValue::newGood();

        }


        $ip = $this->manager->getRequest()->getIP();


        if ( !$this->getHookRunner()->onExemptFromAccountCreationThrottle( $ip ) ) {

            $this->logger->debug( __METHOD__ . ": a hook allowed account creation w/o throttle" );

            return \StatusValue::newGood();

        }


        $result = $this->accountCreationThrottle->increase( null, $ip, __METHOD__ );

        if ( $result ) {

            $message = wfMessage( 'acct_creation_throttle_hit' )->params( $result['count'] )

                ->durationParams( $result['wait'] );

            return \StatusValue::newFatal( $message );

        }


        return \StatusValue::newGood();

    }


    public function testForAuthentication( array $reqs ) {

        if ( !$this->passwordAttemptThrottle ) {

            return \StatusValue::newGood();

        }


        $ip = $this->manager->getRequest()->getIP();

        try {

            $username = AuthenticationRequest::getUsernameFromRequests( $reqs );

        } catch ( \UnexpectedValueException $e ) {

            $username = null;

        }


        // Get everything this username could normalize to, and throttle each one individually.

        // If nothing uses usernames, just throttle by IP.

        if ( $username !== null ) {

            $usernames = $this->manager->normalizeUsername( $username );

        } else {

            $usernames = [ null ];

        }

        $result = false;

        foreach ( $usernames as $name ) {

            $r = $this->passwordAttemptThrottle->increase( $name, $ip, __METHOD__ );

            if ( $r && ( !$result || $result['wait'] < $r['wait'] ) ) {

                $result = $r;

            }

        }


        if ( $result ) {

            $message = wfMessage( 'login-throttled' )->durationParams( $result['wait'] );

            return \StatusValue::newFatal( $message );

        } else {

            $this->manager->setAuthenticationSessionData( 'LoginThrottle',

                [ 'users' => $usernames, 'ip' => $ip ] );

            return \StatusValue::newGood();

        }

    }


    public function postAuthentication( $user, AuthenticationResponse $response ) {

        if ( $response->status !== AuthenticationResponse::PASS ) {

            return;

        } elseif ( !$this->passwordAttemptThrottle ) {

            return;

        }


        $data = $this->manager->getAuthenticationSessionData( 'LoginThrottle' );

        if ( !$data ) {

            // this can occur when login is happening via AuthenticationRequest::$loginRequest

            // so testForAuthentication is skipped

            $this->logger->info( 'throttler data not found for {user}', [ 'user' => $user->getName() ] );

            return;

        }


        foreach ( $data['users'] as $name ) {

            $this->passwordAttemptThrottle->clear( $name, $data['ip'] );

        }

    }


}


wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition GlobalFunctions.php:1182

BagOStuff
Class representing a cache/ephemeral data store.
Definition BagOStuff.php:86

MediaWiki\Auth\AbstractAuthenticationProvider\getHookRunner
getHookRunner()
Definition AbstractAuthenticationProvider.php:171

MediaWiki\Auth\AbstractPreAuthenticationProvider
A base class that implements some of the boilerplate for a PreAuthenticationProvider.
Definition AbstractPreAuthenticationProvider.php:33

MediaWiki\Auth\AuthenticationRequest\getUsernameFromRequests
static getUsernameFromRequests(array $reqs)
Get the username from the set of requests.
Definition AuthenticationRequest.php:292

MediaWiki\Auth\AuthenticationResponse
This is a value object to hold authentication response data.
Definition AuthenticationResponse.php:37

MediaWiki\Auth\AuthenticationResponse\PASS
const PASS
Indicates that the authentication succeeded.
Definition AuthenticationResponse.php:39

MediaWiki\Auth\ThrottlePreAuthenticationProvider
A pre-authentication provider to throttle authentication actions.
Definition ThrottlePreAuthenticationProvider.php:36

MediaWiki\Auth\ThrottlePreAuthenticationProvider\$cache
BagOStuff $cache
Definition ThrottlePreAuthenticationProvider.php:47

MediaWiki\Auth\ThrottlePreAuthenticationProvider\$accountCreationThrottle
Throttler $accountCreationThrottle
Definition ThrottlePreAuthenticationProvider.php:41

MediaWiki\Auth\ThrottlePreAuthenticationProvider\testForAccountCreation
testForAccountCreation( $user, $creator, array $reqs)
Determine whether an account creation may begin.Called from AuthManager::beginAccountCreation()No nee...
Definition ThrottlePreAuthenticationProvider.php:98

MediaWiki\Auth\ThrottlePreAuthenticationProvider\postInitSetup
postInitSetup()
A provider can override this to do any necessary setup after init() is called.
Definition ThrottlePreAuthenticationProvider.php:63

MediaWiki\Auth\ThrottlePreAuthenticationProvider\$passwordAttemptThrottle
Throttler $passwordAttemptThrottle
Definition ThrottlePreAuthenticationProvider.php:44

MediaWiki\Auth\ThrottlePreAuthenticationProvider\postAuthentication
postAuthentication( $user, AuthenticationResponse $response)
Definition ThrottlePreAuthenticationProvider.php:161

MediaWiki\Auth\ThrottlePreAuthenticationProvider\$throttleSettings
array $throttleSettings
Definition ThrottlePreAuthenticationProvider.php:38

MediaWiki\Auth\ThrottlePreAuthenticationProvider\__construct
__construct( $params=[])
Definition ThrottlePreAuthenticationProvider.php:57

MediaWiki\Auth\ThrottlePreAuthenticationProvider\testForAuthentication
testForAuthentication(array $reqs)
Determine whether an authentication may begin.Called from AuthManager::beginAuthentication()StatusVal...
Definition ThrottlePreAuthenticationProvider.php:120

MediaWiki\Auth\Throttler
Definition Throttler.php:37

MediaWiki\Auth
Definition AbstractAuthenticationProvider.php:22