MediaWiki REL1_39
ThrottlePreAuthenticationProvider.php
Go to the documentation of this file.
1<?php
22namespace MediaWiki\Auth;
23
24use BagOStuff;
25use MediaWiki\MainConfigNames;
26
37class ThrottlePreAuthenticationProvider extends AbstractPreAuthenticationProvider {
39 protected $throttleSettings;
40
42 protected $accountCreationThrottle;
43
45 protected $passwordAttemptThrottle;
46
48 protected $cache;
49
58 public function __construct( $params = [] ) {
59 $this->throttleSettings = array_intersect_key( $params,
60 [ 'accountCreationThrottle' => true, 'passwordAttemptThrottle' => true ] );
61 $this->cache = $params['cache'] ?? \ObjectCache::getLocalClusterInstance();
62 }
63
64 protected function postInitSetup() {
65 $accountCreationThrottle = $this->config->get( MainConfigNames::AccountCreationThrottle );
66 // Handle old $wgAccountCreationThrottle format (number of attempts per 24 hours)
67 if ( !is_array( $accountCreationThrottle ) ) {
68 $accountCreationThrottle = [ [
69 'count' => $accountCreationThrottle,
70 'seconds' => 86400,
71 ] ];
72 }
73
74 // @codeCoverageIgnoreStart
75 $this->throttleSettings += [
76 // @codeCoverageIgnoreEnd
77 'accountCreationThrottle' => $accountCreationThrottle,
78 'passwordAttemptThrottle' =>
79 $this->config->get( MainConfigNames::PasswordAttemptThrottle ),
80 ];
81
82 if ( !empty( $this->throttleSettings['accountCreationThrottle'] ) ) {
83 $this->accountCreationThrottle = new Throttler(
84 $this->throttleSettings['accountCreationThrottle'], [
85 'type' => 'acctcreate',
86 'cache' => $this->cache,
87 ]
88 );
89 }
90 if ( !empty( $this->throttleSettings['passwordAttemptThrottle'] ) ) {
91 $this->passwordAttemptThrottle = new Throttler(
92 $this->throttleSettings['passwordAttemptThrottle'], [
93 'type' => 'password',
94 'cache' => $this->cache,
95 ]
96 );
97 }
98 }
99
100 public function testForAccountCreation( $user, $creator, array $reqs ) {
101 if ( !$this->accountCreationThrottle || !$creator->isPingLimitable() ) {
102 return \StatusValue::newGood();
103 }
104
105 $ip = $this->manager->getRequest()->getIP();
106
107 if ( !$this->getHookRunner()->onExemptFromAccountCreationThrottle( $ip ) ) {
108 $this->logger->debug( __METHOD__ . ": a hook allowed account creation w/o throttle" );
109 return \StatusValue::newGood();
110 }
111
112 $result = $this->accountCreationThrottle->increase( null, $ip, __METHOD__ );
113 if ( $result ) {
114 $message = wfMessage( 'acct_creation_throttle_hit' )->params( $result['count'] )
115 ->durationParams( $result['wait'] );
116 return \StatusValue::newFatal( $message );
117 }
118
119 return \StatusValue::newGood();
120 }
121
122 public function testForAuthentication( array $reqs ) {
123 if ( !$this->passwordAttemptThrottle ) {
124 return \StatusValue::newGood();
125 }
126
127 $ip = $this->manager->getRequest()->getIP();
128 try {
129 $username = AuthenticationRequest::getUsernameFromRequests( $reqs );
130 } catch ( \UnexpectedValueException $e ) {
131 $username = null;
132 }
133
134 // Get everything this username could normalize to, and throttle each one individually.
135 // If nothing uses usernames, just throttle by IP.
136 if ( $username !== null ) {
137 $usernames = $this->manager->normalizeUsername( $username );
138 } else {
139 $usernames = [ null ];
140 }
141 $result = false;
142 foreach ( $usernames as $name ) {
143 $r = $this->passwordAttemptThrottle->increase( $name, $ip, __METHOD__ );
144 if ( $r && ( !$result || $result['wait'] < $r['wait'] ) ) {
145 $result = $r;
146 }
147 }
148
149 if ( $result ) {
150 $message = wfMessage( 'login-throttled' )->durationParams( $result['wait'] );
151 return \StatusValue::newFatal( $message );
152 } else {
153 $this->manager->setAuthenticationSessionData( 'LoginThrottle',
154 [ 'users' => $usernames, 'ip' => $ip ] );
155 return \StatusValue::newGood();
156 }
157 }
158
163 public function postAuthentication( $user, AuthenticationResponse $response ) {
164 if ( $response->status !== AuthenticationResponse::PASS ) {
165 return;
166 } elseif ( !$this->passwordAttemptThrottle ) {
167 return;
168 }
169
170 $data = $this->manager->getAuthenticationSessionData( 'LoginThrottle' );
171 if ( !$data ) {
172 // this can occur when login is happening via AuthenticationRequest::$loginRequest
173 // so testForAuthentication is skipped
174 $this->logger->info( 'throttler data not found for {user}', [ 'user' => $user->getName() ] );
175 return;
176 }
177
178 foreach ( $data['users'] as $name ) {
179 $this->passwordAttemptThrottle->clear( $name, $data['ip'] );
180 }
181 }
182}
wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition GlobalFunctions.php:934
BagOStuff
Class representing a cache/ephemeral data store.
Definition BagOStuff.php:85
MediaWiki\Auth\AbstractPreAuthenticationProvider
A base class that implements some of the boilerplate for a PreAuthenticationProvider.
Definition AbstractPreAuthenticationProvider.php:33
MediaWiki\Auth\AuthenticationRequest\getUsernameFromRequests
static getUsernameFromRequests(array $reqs)
Get the username from the set of requests.
Definition AuthenticationRequest.php:301
MediaWiki\Auth\AuthenticationResponse
This is a value object to hold authentication response data.
Definition AuthenticationResponse.php:37
MediaWiki\Auth\AuthenticationResponse\PASS
const PASS
Indicates that the authentication succeeded.
Definition AuthenticationResponse.php:39
MediaWiki\Auth\ThrottlePreAuthenticationProvider
A pre-authentication provider to throttle authentication actions.
Definition ThrottlePreAuthenticationProvider.php:37
MediaWiki\Auth\ThrottlePreAuthenticationProvider\testForAccountCreation
testForAccountCreation( $user, $creator, array $reqs)
Determine whether an account creation may begin.Called from AuthManager::beginAccountCreation()No nee...
Definition ThrottlePreAuthenticationProvider.php:100
MediaWiki\Auth\ThrottlePreAuthenticationProvider\postInitSetup
postInitSetup()
A provider can override this to do any necessary setup after init() is called.
Definition ThrottlePreAuthenticationProvider.php:64
MediaWiki\Auth\ThrottlePreAuthenticationProvider\testForAuthentication
testForAuthentication(array $reqs)
Determine whether an authentication may begin.Called from AuthManager::beginAuthentication()StatusVal...
Definition ThrottlePreAuthenticationProvider.php:122
MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition MainConfigNames.php:23
MediaWiki\MainConfigNames\AccountCreationThrottle
const AccountCreationThrottle
Name constant for the AccountCreationThrottle setting, for use with Config::get()
Definition MainConfigNames.php:2853
MediaWiki\MainConfigNames\PasswordAttemptThrottle
const PasswordAttemptThrottle
Name constant for the PasswordAttemptThrottle setting, for use with Config::get()
Definition MainConfigNames.php:2931