MediaWiki master
ThrottlePreAuthenticationProvider.php
Go to the documentation of this file.
1<?php
7namespace MediaWiki\Auth;
8
9use MediaWiki\MainConfigNames;
10use MediaWiki\MediaWikiServices;
11use MediaWiki\User\User;
12use Wikimedia\ObjectCache\BagOStuff;
13
25class ThrottlePreAuthenticationProvider extends AbstractPreAuthenticationProvider {
27 protected $throttleSettings;
28
29 protected ?Throttler $accountCreationThrottle = null;
30 protected ?Throttler $passwordAttemptThrottle = null;
31 protected BagOStuff $cache;
32
41 public function __construct( $params = [] ) {
42 $this->throttleSettings = array_intersect_key( $params,
43 [ 'accountCreationThrottle' => true, 'passwordAttemptThrottle' => true ] );
44 $services = MediaWikiServices::getInstance();
45 $this->cache = $params['cache'] ?? $services->getObjectCacheFactory()
46 ->getLocalClusterInstance();
47 }
48
49 protected function postInitSetup() {
50 $accountCreationThrottle = $this->config->get( MainConfigNames::AccountCreationThrottle );
51 // Handle old $wgAccountCreationThrottle format (number of attempts per 24 hours)
52 if ( !is_array( $accountCreationThrottle ) ) {
53 $accountCreationThrottle = [ [
54 'count' => $accountCreationThrottle,
55 'seconds' => 86400,
56 ] ];
57 }
58
59 // @codeCoverageIgnoreStart
60 $this->throttleSettings += [
61 // @codeCoverageIgnoreEnd
62 'accountCreationThrottle' => $accountCreationThrottle,
63 'passwordAttemptThrottle' =>
64 $this->config->get( MainConfigNames::PasswordAttemptThrottle ),
65 ];
66
67 if ( !empty( $this->throttleSettings['accountCreationThrottle'] ) ) {
68 $this->accountCreationThrottle = new Throttler(
69 $this->throttleSettings['accountCreationThrottle'], [
70 'type' => 'acctcreate',
71 'cache' => $this->cache,
72 ]
73 );
74 }
75 if ( !empty( $this->throttleSettings['passwordAttemptThrottle'] ) ) {
76 $this->passwordAttemptThrottle = new Throttler(
77 $this->throttleSettings['passwordAttemptThrottle'], [
78 'type' => 'password',
79 'cache' => $this->cache,
80 ]
81 );
82 }
83 }
84
86 public function testForAccountCreation( $user, $creator, array $reqs ) {
87 if ( !$this->accountCreationThrottle || !$creator->isPingLimitable() ) {
88 return \StatusValue::newGood();
89 }
90
91 $ip = $this->manager->getRequest()->getIP();
92
93 if ( !$this->getHookRunner()->onExemptFromAccountCreationThrottle( $ip ) ) {
94 $this->logger->debug( __METHOD__ . ": a hook allowed account creation w/o throttle" );
95 return \StatusValue::newGood();
96 }
97
98 $result = $this->accountCreationThrottle->increase( null, $ip, __METHOD__ );
99 if ( $result ) {
100 $message = wfMessage( 'acct_creation_throttle_hit' )->params( $result['count'] )
101 ->durationParams( $result['wait'] );
102 return \StatusValue::newFatal( $message );
103 }
104
105 return \StatusValue::newGood();
106 }
107
109 public function testForAuthentication( array $reqs ) {
110 if ( !$this->passwordAttemptThrottle ) {
111 return \StatusValue::newGood();
112 }
113
114 $ip = $this->manager->getRequest()->getIP();
115 try {
116 $username = AuthenticationRequest::getUsernameFromRequests( $reqs );
117 } catch ( \UnexpectedValueException ) {
118 $username = null;
119 }
120
121 // Get everything this username could normalize to, and throttle each one individually.
122 // If nothing uses usernames, just throttle by IP.
123 if ( $username !== null ) {
124 $usernames = $this->manager->normalizeUsername( $username );
125 } else {
126 $usernames = [ null ];
127 }
128 $result = false;
129 foreach ( $usernames as $name ) {
130 $r = $this->passwordAttemptThrottle->increase( $name, $ip, __METHOD__ );
131 if ( $r && ( !$result || $result['wait'] < $r['wait'] ) ) {
132 $result = $r;
133 }
134 }
135
136 if ( $result ) {
137 $message = wfMessage( 'login-throttled' )->durationParams( $result['wait'] );
138 return \StatusValue::newFatal( $message );
139 } else {
140 $this->manager->setAuthenticationSessionData( 'LoginThrottle',
141 [ 'users' => $usernames, 'ip' => $ip ] );
142 return \StatusValue::newGood();
143 }
144 }
145
150 public function postAuthentication( $user, AuthenticationResponse $response ) {
151 if ( $response->status !== AuthenticationResponse::PASS ) {
152 return;
153 } elseif ( !$this->passwordAttemptThrottle ) {
154 return;
155 }
156
157 $data = $this->manager->getAuthenticationSessionData( 'LoginThrottle' );
158 if ( !$data ) {
159 // this can occur when login is happening via AuthenticationRequest::$loginRequest
160 // so testForAuthentication is skipped
161 $this->logger->info( 'throttler data not found for {user}', [ 'user' => $user->getName() ] );
162 return;
163 }
164
165 foreach ( $data['users'] as $name ) {
166 $this->passwordAttemptThrottle->clear( $name, $data['ip'] );
167 }
168 }
169}
wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition GlobalFunctions.php:821
MediaWiki\Auth\AbstractPreAuthenticationProvider
A base class that implements some of the boilerplate for a PreAuthenticationProvider.
Definition AbstractPreAuthenticationProvider.php:18
MediaWiki\Auth\AuthenticationRequest\getUsernameFromRequests
static getUsernameFromRequests(array $reqs)
Get the username from the set of requests.
Definition AuthenticationRequest.php:308
MediaWiki\Auth\AuthenticationResponse
This is a value object to hold authentication response data.
Definition AuthenticationResponse.php:21
MediaWiki\Auth\AuthenticationResponse\PASS
const PASS
Indicates that the authentication succeeded.
Definition AuthenticationResponse.php:23
MediaWiki\Auth\ThrottlePreAuthenticationProvider
A pre-authentication provider to throttle authentication actions.
Definition ThrottlePreAuthenticationProvider.php:25
MediaWiki\Auth\ThrottlePreAuthenticationProvider\testForAccountCreation
testForAccountCreation( $user, $creator, array $reqs)
Determine whether an account creation may begin.Called from AuthManager::beginAccountCreation()No nee...
Definition ThrottlePreAuthenticationProvider.php:86
MediaWiki\Auth\ThrottlePreAuthenticationProvider\postInitSetup
postInitSetup()
A provider can override this to do any necessary setup after init() is called.
Definition ThrottlePreAuthenticationProvider.php:49
MediaWiki\Auth\ThrottlePreAuthenticationProvider\testForAuthentication
testForAuthentication(array $reqs)
Determine whether an authentication may begin.Called from AuthManager::beginAuthentication()StatusVal...
Definition ThrottlePreAuthenticationProvider.php:109
MediaWiki\Auth\Throttler
A helper class for throttling authentication attempts.
Definition Throttler.php:26
MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition MainConfigNames.php:22
MediaWiki\MainConfigNames\AccountCreationThrottle
const AccountCreationThrottle
Name constant for the AccountCreationThrottle setting, for use with Config::get()
Definition MainConfigNames.php:2943
MediaWiki\MainConfigNames\PasswordAttemptThrottle
const PasswordAttemptThrottle
Name constant for the PasswordAttemptThrottle setting, for use with Config::get()
Definition MainConfigNames.php:3039
MediaWiki\MediaWikiServices
Service locator for MediaWiki core services.
Definition MediaWikiServices.php:257
MediaWiki\MediaWikiServices\getInstance
static getInstance()
Returns the global default instance of the top level service locator.
Definition MediaWikiServices.php:345
MediaWiki\User\User
User class for the MediaWiki software.
Definition User.php:130
Wikimedia\ObjectCache\BagOStuff
Abstract class for any ephemeral data store.
Definition BagOStuff.php:73