MediaWiki master
ThrottlePreAuthenticationProvider.php
Go to the documentation of this file.
1<?php
22namespace MediaWiki\Auth;
23
28
42
45 protected BagOStuff $cache;
46
55 public function __construct( $params = [] ) {
56 $this->throttleSettings = array_intersect_key( $params,
57 [ 'accountCreationThrottle' => true, 'passwordAttemptThrottle' => true ] );
59 $this->cache = $params['cache'] ?? $services->getObjectCacheFactory()
60 ->getLocalClusterInstance();
61 }
62
63 protected function postInitSetup() {
65 // Handle old $wgAccountCreationThrottle format (number of attempts per 24 hours)
66 if ( !is_array( $accountCreationThrottle ) ) {
68 'count' => $accountCreationThrottle,
69 'seconds' => 86400,
70 ] ];
71 }
72
73 // @codeCoverageIgnoreStart
74 $this->throttleSettings += [
75 // @codeCoverageIgnoreEnd
76 'accountCreationThrottle' => $accountCreationThrottle,
77 'passwordAttemptThrottle' =>
78 $this->config->get( MainConfigNames::PasswordAttemptThrottle ),
79 ];
80
81 if ( !empty( $this->throttleSettings['accountCreationThrottle'] ) ) {
82 $this->accountCreationThrottle = new Throttler(
83 $this->throttleSettings['accountCreationThrottle'], [
84 'type' => 'acctcreate',
85 'cache' => $this->cache,
86 ]
87 );
88 }
89 if ( !empty( $this->throttleSettings['passwordAttemptThrottle'] ) ) {
90 $this->passwordAttemptThrottle = new Throttler(
91 $this->throttleSettings['passwordAttemptThrottle'], [
92 'type' => 'password',
93 'cache' => $this->cache,
94 ]
95 );
96 }
97 }
98
99 public function testForAccountCreation( $user, $creator, array $reqs ) {
100 if ( !$this->accountCreationThrottle || !$creator->isPingLimitable() ) {
101 return \StatusValue::newGood();
102 }
103
104 $ip = $this->manager->getRequest()->getIP();
105
106 if ( !$this->getHookRunner()->onExemptFromAccountCreationThrottle( $ip ) ) {
107 $this->logger->debug( __METHOD__ . ": a hook allowed account creation w/o throttle" );
108 return \StatusValue::newGood();
109 }
110
111 $result = $this->accountCreationThrottle->increase( null, $ip, __METHOD__ );
112 if ( $result ) {
113 $message = wfMessage( 'acct_creation_throttle_hit' )->params( $result['count'] )
114 ->durationParams( $result['wait'] );
115 return \StatusValue::newFatal( $message );
116 }
117
118 return \StatusValue::newGood();
119 }
120
121 public function testForAuthentication( array $reqs ) {
122 if ( !$this->passwordAttemptThrottle ) {
123 return \StatusValue::newGood();
124 }
125
126 $ip = $this->manager->getRequest()->getIP();
127 try {
129 } catch ( \UnexpectedValueException $e ) {
130 $username = null;
131 }
132
133 // Get everything this username could normalize to, and throttle each one individually.
134 // If nothing uses usernames, just throttle by IP.
135 if ( $username !== null ) {
136 $usernames = $this->manager->normalizeUsername( $username );
137 } else {
138 $usernames = [ null ];
139 }
140 $result = false;
141 foreach ( $usernames as $name ) {
142 $r = $this->passwordAttemptThrottle->increase( $name, $ip, __METHOD__ );
143 if ( $r && ( !$result || $result['wait'] < $r['wait'] ) ) {
144 $result = $r;
145 }
146 }
147
148 if ( $result ) {
149 $message = wfMessage( 'login-throttled' )->durationParams( $result['wait'] );
150 return \StatusValue::newFatal( $message );
151 } else {
152 $this->manager->setAuthenticationSessionData( 'LoginThrottle',
153 [ 'users' => $usernames, 'ip' => $ip ] );
154 return \StatusValue::newGood();
155 }
156 }
157
162 public function postAuthentication( $user, AuthenticationResponse $response ) {
163 if ( $response->status !== AuthenticationResponse::PASS ) {
164 return;
165 } elseif ( !$this->passwordAttemptThrottle ) {
166 return;
167 }
168
169 $data = $this->manager->getAuthenticationSessionData( 'LoginThrottle' );
170 if ( !$data ) {
171 // this can occur when login is happening via AuthenticationRequest::$loginRequest
172 // so testForAuthentication is skipped
173 $this->logger->info( 'throttler data not found for {user}', [ 'user' => $user->getName() ] );
174 return;
175 }
176
177 foreach ( $data['users'] as $name ) {
178 $this->passwordAttemptThrottle->clear( $name, $data['ip'] );
179 }
180 }
181}
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
array $params
The job parameters.
A base class that implements some of the boilerplate for a PreAuthenticationProvider.
static getUsernameFromRequests(array $reqs)
Get the username from the set of requests.
This is a value object to hold authentication response data.
const PASS
Indicates that the authentication succeeded.
A pre-authentication provider to throttle authentication actions.
testForAccountCreation( $user, $creator, array $reqs)
Determine whether an account creation may begin.Called from AuthManager::beginAccountCreation()No nee...
postInitSetup()
A provider can override this to do any necessary setup after init() is called.
testForAuthentication(array $reqs)
Determine whether an authentication may begin.Called from AuthManager::beginAuthentication()StatusVal...
A class containing constants representing the names of configuration variables.
const AccountCreationThrottle
Name constant for the AccountCreationThrottle setting, for use with Config::get()
const PasswordAttemptThrottle
Name constant for the PasswordAttemptThrottle setting, for use with Config::get()
Service locator for MediaWiki core services.
static getInstance()
Returns the global default instance of the top level service locator.
User class for the MediaWiki software.
Definition User.php:119
Abstract class for any ephemeral data store.
Definition BagOStuff.php:88