Session provider for bot passwords. More...

Inherits MediaWiki\Session\ImmutableSessionProviderWithCookie.

Collaboration diagram for MediaWiki\Session\BotPasswordSessionProvider:

[legend]

Public Member Functions

__construct (GrantsInfo $grantsInfo, array $params=[])

getAllowedUserRights (SessionBackend $backend)

Fetch the rights allowed the user when the specified session is active.

newSessionForRequest (User $user, BotPassword $bp, WebRequest $request)

Create a new session for a request.

newSessionInfo ( $id=null)

Provide session info for a new, empty session.

preventSessionsForUser ( $username)

Prevent future sessions for the user.If the provider is capable of returning a SessionInfo with a verified UserInfo for the named user in some manner other than by validating against $user->getToken(), steps must be taken to prevent that from occurring in the future. This might add the username to a list, or it might just delete whatever authentication credentials would allow such a session in the first place (e.g. remove all OAuth grants or delete record of the SSL client certificate).The intention is that the named account will never again be usable for normal login (i.e. there is no way to undo the prevention of access).Note that the passed user name might not exist locally (i.e. UserIdentity::getId() === 0); the name should still be prevented, if applicable.

Stability: stable: to override

Note: For use by \MediaWiki\Session\SessionManager only

Parameters

string $username

provideSessionInfo (WebRequest $request)

Provide session info for a request.

refreshSessionInfo (SessionInfo $info, WebRequest $request, &$metadata)

Validate a loaded SessionInfo and refresh provider metadata.This is similar in purpose to the 'SessionCheckInfo' hook, and also allows for updating the provider metadata. On failure, the provider is expected to write an appropriate message to its logger.

Stability: stable: to override

Note: For use by \MediaWiki\Session\SessionManager only

Parameters

SessionInfo	$info	Any changes by mergeMetadata() will already be reflected here.
WebRequest	$request
array \| null	&$metadata	Provider metadata, may be altered.

Returns: bool Return false to reject the SessionInfo after all.

Public Member Functions inherited from MediaWiki\Session\ImmutableSessionProviderWithCookie

__construct ( $params=[])

canChangeUser ()

Indicate whether the user associated with the request can be changed.If false, any session passed to self::persistSession() will have a user that was originally provided by self::provideSessionInfo(). Further, self::provideSessionInfo() may only provide sessions that have a user already set.If true, the provider may be passed sessions with arbitrary users, and will be expected to manipulate the request in such a way that future requests will cause self::provideSessionInfo() to provide a SessionInfo with that ID. This can be as simple as not passing any 'userInfo' into SessionInfo's constructor, in which case SessionInfo will load the user from the saved session's metadata.For example, a session provider for OAuth or SSL client certificates would function by matching the OAuth headers or certificate to a particular user, and thus would return false here since it can't arbitrarily assign those OAuth credentials or that certificate to a different user. A session provider that shoves information into cookies, on the other hand, could easily do so.

Note: For use by \MediaWiki\Session\SessionBackend only

Returns: bool

getVaryCookies ()

Return the list of cookies that need varying on.

Stability: stable: to override

Note: For use by \MediaWiki\Session\SessionManager only

Returns: string[]

persistSession (SessionBackend $session, WebRequest $request)

Persist a session into a request/response.For example, you might set cookies for the session's ID, user ID, user name, and user token on the passed request.To correctly persist a user independently of the session ID, the provider should persist both the user ID (or name, but preferably the ID) and the user token. When reading the data from the request, it should construct a User object from the ID/name and then verify that the User object's token matches the token included in the request. Should the tokens not match, an anonymous user must be passed to SessionInfo::__construct().When persisting a user independently of the session ID, $session->shouldRememberUser() should be checked first. If this returns false, the user token must not be saved to cookies. The user name and/or ID may be persisted, and should be used to construct an unverified UserInfo to pass to SessionInfo::__construct().A backend that cannot persist session ID or user info should implement this as a no-op.

Note: For use by \MediaWiki\Session\SessionBackend only

Parameters

SessionBackend	$session	Session to persist
WebRequest	$request	Request into which to persist the session

persistsSessionId ()

Indicate whether self::persistSession() can save arbitrary session IDs.If false, any session passed to self::persistSession() will have an ID that was originally provided by self::provideSessionInfo().If true, the provider may be passed sessions with arbitrary session IDs, and will be expected to manipulate the request in such a way that future requests will cause self::provideSessionInfo() to provide a SessionInfo with that ID.For example, a session provider for OAuth would function by matching the OAuth headers to a particular user, and then would use self::hashToSessionId() to turn the user and OAuth client ID (and maybe also the user token and client secret) into a session ID, and therefore can't easily assign that user+client a different ID. Similarly, a session provider for SSL client certificates would function by matching the certificate to a particular user, and then would use self::hashToSessionId() to turn the user and certificate fingerprint into a session ID, and therefore can't easily assign a different ID either. On the other hand, a provider that saves the session ID into a cookie can easily just set the cookie to a different value.

Note: For use by \MediaWiki\Session\SessionBackend only

Returns: bool

unpersistSession (WebRequest $request)

Remove any persisted session from a request/response.For example, blank and expire any cookies set by self::persistSession().A backend that cannot persist session ID or user info should implement this as a no-op.

Note: For use by \MediaWiki\Session\SessionManager only

Parameters

WebRequest $request Request from which to remove any session data

whyNoSession ()

Return a Message for why sessions might not be being persisted.For example, "check whether you're blocking our cookies".

Returns: Message|null

Stability: stable: to override

Public Member Functions inherited from MediaWiki\Session\SessionProvider

__construct ()

__toString ()

describe (Language $lang)

Return an identifier for this session type.

Parameters

Language $lang Language to use.

Returns: string

getManager ()

Get the session manager.

getRememberUserDuration ()

Returns the duration (in seconds) for which users will be remembered when Session::setRememberUser() is set.

getVaryHeaders ()

Return the HTTP headers that need varying on.

init (LoggerInterface $logger, Config $config, SessionManager $manager, HookContainer $hookContainer, UserNameUtils $userNameUtils)

Initialise with dependencies of a SessionProvider.

invalidateSessionsForUser (User $user)

Invalidate existing sessions for a user.

mergeMetadata (array $savedMetadata, array $providedMetadata)

Merge saved session provider metadata.

safeAgainstCsrf ()

Most session providers require protection against CSRF attacks (usually via CSRF tokens)

sessionIdWasReset (SessionBackend $session, $oldId)

Notification that the session ID was reset.

setConfig (Config $config)

Set configuration.

setHookContainer ( $hookContainer)

setLogger (LoggerInterface $logger)

Sets a logger instance on the object.

setManager (SessionManager $manager)

Set the session manager.

suggestLoginUsername (WebRequest $request)

Get a suggested username for the login form.

Additional Inherited Members
Protected Member Functions inherited from MediaWiki\Session\ImmutableSessionProviderWithCookie
	getSessionIdFromCookie (WebRequest $request)
	Get the session ID from the cookie, if any.

Protected Member Functions inherited from MediaWiki\Session\SessionProvider
	describeMessage ()
	Return a Message identifying this session type.

	getConfig ()
	Get the config.

	getHookContainer ()
	Get the HookContainer.

	getHookRunner ()
	Get the HookRunner.

	hashToSessionId ( $data, $key=null)
	Hash data as a session ID.

	postInitSetup ()
	A provider can override this to do any necessary setup after init() is called.

Protected Attributes inherited from MediaWiki\Session\ImmutableSessionProviderWithCookie
string null	$sessionCookieName = null

mixed[]	$sessionCookieOptions = []

Protected Attributes inherited from MediaWiki\Session\SessionProvider
Config	$config

LoggerInterface	$logger

SessionManager	$manager

int	$priority
	Session priority.

UserNameUtils	$userNameUtils

Detailed Description

Session provider for bot passwords.

Since: 1.27

Definition at line 36 of file BotPasswordSessionProvider.php.

Constructor & Destructor Documentation

◆ __construct()

MediaWiki\Session\BotPasswordSessionProvider::__construct	(	GrantsInfo	$grantsInfo,
		array	$params = [] )

Parameters

GrantsInfo	$grantsInfo
array	$params	Keys include: priority: (required) Set the priority sessionCookieName: Session cookie name. Default is '_BPsession'. sessionCookieOptions: Options to pass to WebResponse::setCookie(). isApiRequest: Whether the current request is an API request. Should be only set in tests.

Definition at line 51 of file BotPasswordSessionProvider.php.

References MediaWiki\Session\SessionInfo\MAX_PRIORITY, and MediaWiki\Session\SessionInfo\MIN_PRIORITY.

Member Function Documentation

◆ getAllowedUserRights()

MediaWiki\Session\BotPasswordSessionProvider::getAllowedUserRights ( SessionBackend $backend )

Fetch the rights allowed the user when the specified session is active.

This is mainly meant for allowing the user to restrict access to the account by certain methods; you probably want to use this with GrantsInfo. The returned rights will be intersected with the user's actual rights.

Stability: stable: to override

Parameters

SessionBackend $backend

Returns: null|string[] Allowed user rights, or null to allow all.

Reimplemented from MediaWiki\Session\SessionProvider.

Definition at line 194 of file BotPasswordSessionProvider.php.

References MediaWiki\Session\SessionBackend\getProvider(), and MediaWiki\Session\SessionBackend\getProviderMetadata().

◆ newSessionForRequest()

MediaWiki\Session\BotPasswordSessionProvider::newSessionForRequest	(	User	$user,
		BotPassword	$bp,
		WebRequest	$request )

Create a new session for a request.

Parameters

User	$user
BotPassword	$bp
WebRequest	$request

Returns: Session

Definition at line 110 of file BotPasswordSessionProvider.php.

References BotPassword\getAppId(), BotPassword\getGrants(), MediaWiki\Session\SessionProvider\getManager(), MediaWiki\Session\ImmutableSessionProviderWithCookie\getSessionIdFromCookie(), BotPassword\getToken(), BotPassword\getUserCentralId(), MediaWiki\Session\SessionInfo\MAX_PRIORITY, and MediaWiki\Session\UserInfo\newFromUser().

◆ newSessionInfo()

MediaWiki\Session\BotPasswordSessionProvider::newSessionInfo ( $id = null )

Provide session info for a new, empty session.

Return null if such a session cannot be created. This base implementation assumes that it only makes sense if a session ID can be persisted and changing users is allowed.

Stability: stable: to override

Note: For use by \MediaWiki\Session\SessionManager only

Parameters

string | null $id ID to force for the new session

Returns: SessionInfo|null If non-null, must return true for $info->isIdSafe(); pass true for $data['idIsSafe'] to ensure this.

Reimplemented from MediaWiki\Session\SessionProvider.

Definition at line 98 of file BotPasswordSessionProvider.php.

◆ preventSessionsForUser()

MediaWiki\Session\BotPasswordSessionProvider::preventSessionsForUser ( $username )

Prevent future sessions for the user.If the provider is capable of returning a SessionInfo with a verified UserInfo for the named user in some manner other than by validating against $user->getToken(), steps must be taken to prevent that from occurring in the future. This might add the username to a list, or it might just delete whatever authentication credentials would allow such a session in the first place (e.g. remove all OAuth grants or delete record of the SSL client certificate).The intention is that the named account will never again be usable for normal login (i.e. there is no way to undo the prevention of access).Note that the passed user name might not exist locally (i.e. UserIdentity::getId() === 0); the name should still be prevented, if applicable.

Stability: stable: to override

Note: For use by \MediaWiki\Session\SessionManager only

Parameters

string $username

Reimplemented from MediaWiki\Session\SessionProvider.

Definition at line 190 of file BotPasswordSessionProvider.php.

◆ provideSessionInfo()

MediaWiki\Session\BotPasswordSessionProvider::provideSessionInfo ( WebRequest $request )

Provide session info for a request.

If no session exists for the request, return null. Otherwise return an SessionInfo object identifying the session.

If multiple SessionProviders provide sessions, the one with highest priority wins. In case of a tie, an exception is thrown. SessionProviders are encouraged to make priorities user-configurable unless only max-priority makes sense.

Warning: This will be called early in the MediaWiki setup process, before $wgUser, $wgLang, $wgOut, $wgTitle, the global parser, and corresponding pieces of the main RequestContext are set up! If you try to use these, things will break.

Note: The SessionProvider must not attempt to auto-create users. MediaWiki will do this later (when it's safe) if the chosen session has a user with a valid name but no ID.; For use by \MediaWiki\Session\SessionManager only

Parameters

WebRequest $request

Returns: SessionInfo|null

Reimplemented from MediaWiki\Session\SessionProvider.

Definition at line 74 of file BotPasswordSessionProvider.php.

References MediaWiki\MainConfigNames\EnableBotPasswords, MediaWiki\Session\SessionProvider\getConfig(), and MediaWiki\Session\ImmutableSessionProviderWithCookie\getSessionIdFromCookie().

◆ refreshSessionInfo()

MediaWiki\Session\BotPasswordSessionProvider::refreshSessionInfo	(	SessionInfo	$info,
		WebRequest	$request,
		&	$metadata )

Validate a loaded SessionInfo and refresh provider metadata.This is similar in purpose to the 'SessionCheckInfo' hook, and also allows for updating the provider metadata. On failure, the provider is expected to write an appropriate message to its logger.

Stability: stable: to override

Note: For use by \MediaWiki\Session\SessionManager only

Parameters

SessionInfo	$info	Any changes by mergeMetadata() will already be reflected here.
WebRequest	$request
array \| null	&$metadata	Provider metadata, may be altered.

Returns: bool Return false to reject the SessionInfo after all.

Reimplemented from MediaWiki\Session\SessionProvider.

Definition at line 133 of file BotPasswordSessionProvider.php.

References MediaWiki\Session\SessionInfo\__toString().

The documentation for this class was generated from the following file:

includes/session/BotPasswordSessionProvider.php

Public Member Functions

Additional Inherited Members

Detailed Description

Constructor & Destructor Documentation

◆ __construct()

Member Function Documentation

◆ getAllowedUserRights()

◆ newSessionForRequest()

◆ newSessionInfo()

◆ preventSessionsForUser()

◆ provideSessionInfo()

◆ refreshSessionInfo()