master/php/ApiLogin_8php_source.html

<?php

namespace MediaWiki\Api;


use MediaWiki\Auth\AuthenticationRequest;

use MediaWiki\Auth\AuthenticationResponse;

use MediaWiki\Auth\AuthManager;

use MediaWiki\Logger\LoggerFactory;

use MediaWiki\MainConfigNames;

use MediaWiki\Message\Message;

use MediaWiki\User\BotPassword;

use MediaWiki\User\UserIdentityUtils;

use Wikimedia\ParamValidator\ParamValidator;


class ApiLogin extends ApiBase {


    private AuthManager $authManager;


    private UserIdentityUtils $identityUtils;


    public function __construct(

        ApiMain $main,

        string $action,

        AuthManager $authManager,

        UserIdentityUtils $identityUtils

    ) {

        parent::__construct( $main, $action, 'lg' );

        $this->authManager = $authManager;

        $this->identityUtils = $identityUtils;

    }


    protected function getExtendedDescription() {

        if ( $this->getConfig()->get( MainConfigNames::EnableBotPasswords ) ) {

            return 'apihelp-login-extended-description';

        } else {

            return 'apihelp-login-extended-description-nobotpasswords';

        }

    }


    private function formatMessage( $message ) {

        $message = Message::newFromSpecifier( $message );

        $errorFormatter = $this->getErrorFormatter();

        if ( $errorFormatter instanceof ApiErrorFormatter_BackCompat ) {

            return ApiErrorFormatter::stripMarkup(

                $message->useDatabase( false )->inLanguage( 'en' )->text()

            );

        } else {

            return $errorFormatter->formatMessage( $message );

        }

    }


    private function getErrorCode( $message ) {

        $message = Message::newFromSpecifier( $message );

        if ( $message instanceof ApiMessage ) {

            return $message->getApiCode();

        } else {

            return $message->getKey();

        }

    }


    public function execute() {

        // If we're in a mode that breaks the same-origin policy, no tokens can

        // be obtained

        if ( $this->lacksSameOriginSecurity() ) {

            $this->getResult()->addValue( null, 'login', [

                'result' => 'Aborted',

                'reason' => $this->formatMessage( 'api-login-fail-sameorigin' ),

            ] );


            return;

        }


        $this->requirePostedParameters( [ 'password', 'token' ] );


        $params = $this->extractRequestParams();


        $result = [];


        // Make sure session is persisted

        $session = $this->getRequest()->getSession();

        $session->persist();


        // Make sure it's possible to log in

        if ( !$session->canSetUser() ) {

            $this->getResult()->addValue( null, 'login', [

                'result' => 'Aborted',

                'reason' => $this->formatMessage( [

                    'api-login-fail-badsessionprovider',

                    $session->getProvider()->describe( $this->getErrorFormatter()->getLanguage() ),

                ] )

            ] );


            return;

        }


        $authRes = false;

        $loginType = 'N/A';

        $performer = $this->getUser();


        // Check login token

        $token = $session->getToken( '', 'login' );

        if ( !$params['token'] ) {

            $authRes = 'NeedToken';

        } elseif ( $token->wasNew() ) {

            $authRes = 'Failed';

            $message = ApiMessage::create( 'authpage-cannot-login-continue', 'sessionlost' );

        } elseif ( !$token->match( $params['token'] ) ) {

            $authRes = 'WrongToken';

        }


        // Try bot passwords

        if ( $authRes === false && $this->getConfig()->get( MainConfigNames::EnableBotPasswords ) ) {

            $botLoginData = BotPassword::canonicalizeLoginData( $params['name'] ?? '', $params['password'] ?? '' );

            if ( $botLoginData ) {

                $status = BotPassword::login(

                    $botLoginData[0], $botLoginData[1], $this->getRequest()

                );

                if ( $status->isOK() ) {

                    $session = $status->getValue();

                    $authRes = 'Success';

                    $loginType = 'BotPassword';

                } elseif (

                    $status->hasMessage( 'login-throttled' ) ||

                    $status->hasMessage( 'botpasswords-needs-reset' ) ||

                    $status->hasMessage( 'botpasswords-locked' )

                ) {

                    $authRes = 'Failed';

                    $message = $status->getMessage();

                    LoggerFactory::getInstance( 'authentication' )->info(

                        'BotPassword login failed: ' . $status->getWikiText( false, false, 'en' )

                    );

                }

            }

            // For other errors, let's see if it's a valid non-bot login

        }


        if ( $authRes === false ) {

            // Simplified AuthManager login, for backwards compatibility

            $reqs = AuthenticationRequest::loadRequestsFromSubmission(

                $this->authManager->getAuthenticationRequests(

                    AuthManager::ACTION_LOGIN,

                    $this->getUser()

                ),

                [

                    'username' => $params['name'],

                    'password' => $params['password'],

                    'domain' => $params['domain'],

                    'rememberMe' => true,

                ]

            );

            $res = $this->authManager->beginAuthentication( $reqs, 'null:' );

            switch ( $res->status ) {

                case AuthenticationResponse::PASS:

                    if ( $this->getConfig()->get( MainConfigNames::EnableBotPasswords ) ) {

                        $this->addDeprecation( 'apiwarn-deprecation-login-botpw', 'main-account-login' );

                    } else {

                        $this->addDeprecation( 'apiwarn-deprecation-login-nobotpw', 'main-account-login' );

                    }

                    $authRes = 'Success';

                    $loginType = 'AuthManager';

                    break;


                case AuthenticationResponse::FAIL:

                    // Hope it's not a PreAuthenticationProvider that failed...

                    $authRes = 'Failed';

                    $message = $res->message;

                    LoggerFactory::getInstance( 'authentication' )

                        ->info( __METHOD__ . ': Authentication failed: '

                        . $message->inLanguage( 'en' )->plain() );

                    break;


                default:

                    LoggerFactory::getInstance( 'authentication' )

                        ->info( __METHOD__ . ': Authentication failed due to unsupported response type: '

                        . $res->status, $this->getAuthenticationResponseLogData( $res ) );

                    $authRes = 'Aborted';

                    break;

            }

        }


        $result['result'] = $authRes;

        switch ( $authRes ) {

            case 'Success':

                $user = $session->getUser();

                $user->debouncedDBTouch();


                // Deprecated hook

                $injected_html = '';

                $this->getHookRunner()->onUserLoginComplete( $user, $injected_html, true );


                $result['lguserid'] = $user->getId();

                $result['lgusername'] = $user->getName();

                break;


            case 'NeedToken':

                $result['token'] = $token->toString();

                $this->addDeprecation( 'apiwarn-deprecation-login-token', 'action=login&!lgtoken' );

                break;


            case 'WrongToken':

                break;


            case 'Failed':

                // @phan-suppress-next-next-line PhanTypeMismatchArgumentNullable,PhanPossiblyUndeclaredVariable

                // message set on error

                $result['reason'] = $this->formatMessage( $message );

                break;


            case 'Aborted':

                $result['reason'] = $this->formatMessage(

                    $this->getConfig()->get( MainConfigNames::EnableBotPasswords )

                        ? 'api-login-fail-aborted'

                        : 'api-login-fail-aborted-nobotpw'

                );

                break;


            // @codeCoverageIgnoreStart

            // Unreachable

            default:

                ApiBase::dieDebug( __METHOD__, "Unhandled case value: {$authRes}" );

            // @codeCoverageIgnoreEnd

        }


        $this->getResult()->addValue( null, 'login', $result );


        LoggerFactory::getInstance( 'authevents' )->info( 'Login attempt', [

            'event' => 'login',

            'successful' => $authRes === 'Success',

            'accountType' => $this->identityUtils->getShortUserTypeInternal( $performer ),

            'loginType' => $loginType,

            'status' => ( $authRes === 'Failed' && isset( $message ) ) ? $this->getErrorCode( $message ) : $authRes,

            'full_message' => isset( $message ) ? $this->formatMessage( $message ) : '',

        ] );

    }


    public function isDeprecated() {

        return !$this->getConfig()->get( MainConfigNames::EnableBotPasswords );

    }


    public function mustBePosted() {

        return true;

    }


    public function isReadMode() {

        return false;

    }


    public function isWriteMode() {

        // (T283394) Logging in triggers some database writes, so should be marked appropriately.

        return true;

    }


    public function getAllowedParams() {

        return [

            'name' => null,

            'password' => [

                ParamValidator::PARAM_TYPE => 'password',

            ],

            'domain' => null,

            'token' => [

                ParamValidator::PARAM_TYPE => 'string',

                ParamValidator::PARAM_REQUIRED => false, // for BC

                ParamValidator::PARAM_SENSITIVE => true,

                ApiBase::PARAM_HELP_MSG => [ 'api-help-param-token', 'login' ],

            ],

        ];

    }


    protected function getExamplesMessages() {

        return [

            'action=login&lgname=user&lgpassword=password&lgtoken=123ABC'

                => 'apihelp-login-example-login',

        ];

    }


    public function getHelpUrls() {

        return 'https://www.mediawiki.org/wiki/Special:MyLanguage/API:Login';

    }


    protected function getAuthenticationResponseLogData( AuthenticationResponse $response ) {

        $ret = [

            'status' => $response->status,

        ];

        if ( $response->message ) {

            $ret['responseMessage'] = $response->message->inLanguage( 'en' )->plain();

        }

        $reqs = [

            'neededRequests' => $response->neededRequests,

            'createRequest' => $response->createRequest,

            'linkRequest' => $response->linkRequest,

        ];

        foreach ( $reqs as $k => $v ) {

            if ( $v ) {

                $v = is_array( $v ) ? $v : [ $v ];

                $reqClasses = array_unique( array_map( 'get_class', $v ) );

                sort( $reqClasses );

                $ret[$k] = implode( ', ', $reqClasses );

            }

        }

        return $ret;

    }


}


class_alias( ApiLogin::class, 'ApiLogin' );

MediaWiki\Api\ApiBase
This abstract class implements many basic API functions, and is the base of all API classes.
Definition ApiBase.php:61

MediaWiki\Api\ApiBase\requirePostedParameters
requirePostedParameters( $params, $prefix='prefix')
Die if any of the specified parameters were found in the query part of the URL rather than the HTTP p...
Definition ApiBase.php:1087

MediaWiki\Api\ApiBase\getErrorFormatter
getErrorFormatter()
Definition ApiBase.php:693

MediaWiki\Api\ApiBase\getHookRunner
getHookRunner()
Get an ApiHookRunner for running core API hooks.
Definition ApiBase.php:767

MediaWiki\Api\ApiBase\getResult
getResult()
Get the result object.
Definition ApiBase.php:682

MediaWiki\Api\ApiBase\lacksSameOriginSecurity
lacksSameOriginSecurity()
Returns true if the current request breaks the same-origin policy.
Definition ApiBase.php:609

MediaWiki\Api\ApiBase\dieDebug
static dieDebug( $method, $message)
Internal code errors should be reported with this method.
Definition ApiBase.php:1748

MediaWiki\Api\ApiBase\PARAM_HELP_MSG
const PARAM_HELP_MSG
(string|array|Message) Specify an alternative i18n documentation message for this parameter.
Definition ApiBase.php:167

MediaWiki\Api\ApiBase\addDeprecation
addDeprecation( $msg, $feature, $data=[])
Add a deprecation warning for this module.
Definition ApiBase.php:1443

MediaWiki\Api\ApiBase\extractRequestParams
extractRequestParams( $options=[])
Using getAllowedParams(), this function makes an array of the values provided by the user,...
Definition ApiBase.php:823

MediaWiki\Api\ApiErrorFormatter_BackCompat
Format errors and warnings in the old style, for backwards compatibility.
Definition ApiErrorFormatter_BackCompat.php:20

MediaWiki\Api\ApiErrorFormatter\stripMarkup
static stripMarkup( $text)
Turn wikitext into something resembling plaintext.
Definition ApiErrorFormatter.php:308

MediaWiki\Api\ApiLogin
Unit to authenticate log-in attempts to the current wiki.
Definition ApiLogin.php:27

MediaWiki\Api\ApiLogin\getAllowedParams
getAllowedParams()
Returns an array of allowed parameters (parameter name) => (default value) or (parameter name) => (ar...
Definition ApiLogin.php:296

MediaWiki\Api\ApiLogin\getExamplesMessages
getExamplesMessages()
Returns usage examples for this module.Return value has query strings as keys, with values being eith...
Definition ApiLogin.php:313

MediaWiki\Api\ApiLogin\mustBePosted
mustBePosted()
Indicates whether this module must be called with a POST request.Implementations of this method must ...
Definition ApiLogin.php:280

MediaWiki\Api\ApiLogin\getExtendedDescription
getExtendedDescription()
Return the extended help text message.This is additional text to display at the top of the help secti...
Definition ApiLogin.php:51

MediaWiki\Api\ApiLogin\isWriteMode
isWriteMode()
Indicates whether this module requires write access to the wiki.API modules must override this method...
Definition ApiLogin.php:290

MediaWiki\Api\ApiLogin\isReadMode
isReadMode()
Indicates whether this module requires read rights.to override bool
Definition ApiLogin.php:285

MediaWiki\Api\ApiLogin\getHelpUrls
getHelpUrls()
Return links to more detailed help pages about the module.1.25, returning boolean false is deprecated...
Definition ApiLogin.php:321

MediaWiki\Api\ApiLogin\getAuthenticationResponseLogData
getAuthenticationResponseLogData(AuthenticationResponse $response)
Turns an AuthenticationResponse into a hash suitable for passing to Logger.
Definition ApiLogin.php:330

MediaWiki\Api\ApiLogin\isDeprecated
isDeprecated()
Indicates whether this module is deprecated.1.25 to override bool
Definition ApiLogin.php:275

MediaWiki\Api\ApiLogin\execute
execute()
Executes the log-in attempt using the parameters passed.
Definition ApiLogin.php:99

MediaWiki\Api\ApiLogin\__construct
__construct(ApiMain $main, string $action, AuthManager $authManager, UserIdentityUtils $identityUtils)
Definition ApiLogin.php:39

MediaWiki\Api\ApiMain
This is the main API class, used for both external and internal processing.
Definition ApiMain.php:66

MediaWiki\Api\ApiMessage\create
static create( $msg, $code=null, ?array $data=null)
Create an IApiMessage for the message.
Definition ApiMessage.php:35

MediaWiki\Auth\AuthManager
AuthManager is the authentication system in MediaWiki and serves entry point for authentication.
Definition AuthManager.php:109

MediaWiki\Auth\AuthenticationRequest
This is a value object for authentication requests.
Definition AuthenticationRequest.php:28

MediaWiki\Auth\AuthenticationResponse
This is a value object to hold authentication response data.
Definition AuthenticationResponse.php:21

MediaWiki\Context\ContextSource\getConfig
getConfig()
Definition ContextSource.php:73

MediaWiki\Logger\LoggerFactory
Create PSR-3 logger objects.
Definition LoggerFactory.php:32

MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition MainConfigNames.php:22

MediaWiki\MainConfigNames\EnableBotPasswords
const EnableBotPasswords
Name constant for the EnableBotPasswords setting, for use with Config::get()
Definition MainConfigNames.php:3063

MediaWiki\Message\Message
The Message class deals with fetching and processing of interface message into a variety of formats.
Definition Message.php:144

MediaWiki\Message\Message\newFromSpecifier
static newFromSpecifier( $value)
Transform a MessageSpecifier or a primitive value used interchangeably with specifiers (a message key...
Definition Message.php:492

MediaWiki\User\BotPassword
Utility class for bot passwords.
Definition BotPassword.php:33

MediaWiki\User\BotPassword\canonicalizeLoginData
static canonicalizeLoginData( $username, $password)
There are two ways to login with a bot password: "username@appId", "password" and "username",...
Definition BotPassword.php:329

MediaWiki\User\BotPassword\login
static login( $username, $password, WebRequest $request)
Try to log the user in.
Definition BotPassword.php:355

MediaWiki\User\UserIdentityUtils
Convenience functions for interpreting UserIdentity objects using additional services or config.
Definition UserIdentityUtils.php:13

Wikimedia\ParamValidator\ParamValidator
Service for formatting and validating API parameters.
Definition ParamValidator.php:42

MediaWiki\Api
Definition ApiAcquireTempUserName.php:8

MediaWiki\Api\getUser
getUser()

MediaWiki\Api\getRequest
getRequest()