MediaWiki master
ThrottlePreAuthenticationProvider.php
Go to the documentation of this file.
1<?php
22namespace MediaWiki\Auth;
23
24use MediaWiki\MainConfigNames;
25use MediaWiki\MediaWikiServices;
26use MediaWiki\User\User;
27use Wikimedia\ObjectCache\BagOStuff;
28
39class ThrottlePreAuthenticationProvider extends AbstractPreAuthenticationProvider {
41 protected $throttleSettings;
42
44 protected $accountCreationThrottle;
45
47 protected $passwordAttemptThrottle;
48
50 protected $cache;
51
60 public function __construct( $params = [] ) {
61 $this->throttleSettings = array_intersect_key( $params,
62 [ 'accountCreationThrottle' => true, 'passwordAttemptThrottle' => true ] );
63 $services = MediaWikiServices::getInstance();
64 $this->cache = $params['cache'] ?? $services->getObjectCacheFactory()
65 ->getLocalClusterInstance();
66 }
67
68 protected function postInitSetup() {
69 $accountCreationThrottle = $this->config->get( MainConfigNames::AccountCreationThrottle );
70 // Handle old $wgAccountCreationThrottle format (number of attempts per 24 hours)
71 if ( !is_array( $accountCreationThrottle ) ) {
72 $accountCreationThrottle = [ [
73 'count' => $accountCreationThrottle,
74 'seconds' => 86400,
75 ] ];
76 }
77
78 // @codeCoverageIgnoreStart
79 $this->throttleSettings += [
80 // @codeCoverageIgnoreEnd
81 'accountCreationThrottle' => $accountCreationThrottle,
82 'passwordAttemptThrottle' =>
83 $this->config->get( MainConfigNames::PasswordAttemptThrottle ),
84 ];
85
86 if ( !empty( $this->throttleSettings['accountCreationThrottle'] ) ) {
87 $this->accountCreationThrottle = new Throttler(
88 $this->throttleSettings['accountCreationThrottle'], [
89 'type' => 'acctcreate',
90 'cache' => $this->cache,
91 ]
92 );
93 }
94 if ( !empty( $this->throttleSettings['passwordAttemptThrottle'] ) ) {
95 $this->passwordAttemptThrottle = new Throttler(
96 $this->throttleSettings['passwordAttemptThrottle'], [
97 'type' => 'password',
98 'cache' => $this->cache,
99 ]
100 );
101 }
102 }
103
104 public function testForAccountCreation( $user, $creator, array $reqs ) {
105 if ( !$this->accountCreationThrottle || !$creator->isPingLimitable() ) {
106 return \StatusValue::newGood();
107 }
108
109 $ip = $this->manager->getRequest()->getIP();
110
111 if ( !$this->getHookRunner()->onExemptFromAccountCreationThrottle( $ip ) ) {
112 $this->logger->debug( __METHOD__ . ": a hook allowed account creation w/o throttle" );
113 return \StatusValue::newGood();
114 }
115
116 $result = $this->accountCreationThrottle->increase( null, $ip, __METHOD__ );
117 if ( $result ) {
118 $message = wfMessage( 'acct_creation_throttle_hit' )->params( $result['count'] )
119 ->durationParams( $result['wait'] );
120 return \StatusValue::newFatal( $message );
121 }
122
123 return \StatusValue::newGood();
124 }
125
126 public function testForAuthentication( array $reqs ) {
127 if ( !$this->passwordAttemptThrottle ) {
128 return \StatusValue::newGood();
129 }
130
131 $ip = $this->manager->getRequest()->getIP();
132 try {
133 $username = AuthenticationRequest::getUsernameFromRequests( $reqs );
134 } catch ( \UnexpectedValueException $e ) {
135 $username = null;
136 }
137
138 // Get everything this username could normalize to, and throttle each one individually.
139 // If nothing uses usernames, just throttle by IP.
140 if ( $username !== null ) {
141 $usernames = $this->manager->normalizeUsername( $username );
142 } else {
143 $usernames = [ null ];
144 }
145 $result = false;
146 foreach ( $usernames as $name ) {
147 $r = $this->passwordAttemptThrottle->increase( $name, $ip, __METHOD__ );
148 if ( $r && ( !$result || $result['wait'] < $r['wait'] ) ) {
149 $result = $r;
150 }
151 }
152
153 if ( $result ) {
154 $message = wfMessage( 'login-throttled' )->durationParams( $result['wait'] );
155 return \StatusValue::newFatal( $message );
156 } else {
157 $this->manager->setAuthenticationSessionData( 'LoginThrottle',
158 [ 'users' => $usernames, 'ip' => $ip ] );
159 return \StatusValue::newGood();
160 }
161 }
162
167 public function postAuthentication( $user, AuthenticationResponse $response ) {
168 if ( $response->status !== AuthenticationResponse::PASS ) {
169 return;
170 } elseif ( !$this->passwordAttemptThrottle ) {
171 return;
172 }
173
174 $data = $this->manager->getAuthenticationSessionData( 'LoginThrottle' );
175 if ( !$data ) {
176 // this can occur when login is happening via AuthenticationRequest::$loginRequest
177 // so testForAuthentication is skipped
178 $this->logger->info( 'throttler data not found for {user}', [ 'user' => $user->getName() ] );
179 return;
180 }
181
182 foreach ( $data['users'] as $name ) {
183 $this->passwordAttemptThrottle->clear( $name, $data['ip'] );
184 }
185 }
186}
wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition GlobalFunctions.php:906
$params
array $params
The job parameters.
Definition UploadJobTrait.php:45
MediaWiki\Auth\AbstractPreAuthenticationProvider
A base class that implements some of the boilerplate for a PreAuthenticationProvider.
Definition AbstractPreAuthenticationProvider.php:33
MediaWiki\Auth\AuthenticationRequest\getUsernameFromRequests
static getUsernameFromRequests(array $reqs)
Get the username from the set of requests.
Definition AuthenticationRequest.php:303
MediaWiki\Auth\AuthenticationResponse
This is a value object to hold authentication response data.
Definition AuthenticationResponse.php:38
MediaWiki\Auth\AuthenticationResponse\PASS
const PASS
Indicates that the authentication succeeded.
Definition AuthenticationResponse.php:40
MediaWiki\Auth\ThrottlePreAuthenticationProvider
A pre-authentication provider to throttle authentication actions.
Definition ThrottlePreAuthenticationProvider.php:39
MediaWiki\Auth\ThrottlePreAuthenticationProvider\testForAccountCreation
testForAccountCreation( $user, $creator, array $reqs)
Determine whether an account creation may begin.Called from AuthManager::beginAccountCreation()No nee...
Definition ThrottlePreAuthenticationProvider.php:104
MediaWiki\Auth\ThrottlePreAuthenticationProvider\postInitSetup
postInitSetup()
A provider can override this to do any necessary setup after init() is called.
Definition ThrottlePreAuthenticationProvider.php:68
MediaWiki\Auth\ThrottlePreAuthenticationProvider\testForAuthentication
testForAuthentication(array $reqs)
Determine whether an authentication may begin.Called from AuthManager::beginAuthentication()StatusVal...
Definition ThrottlePreAuthenticationProvider.php:126
MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition MainConfigNames.php:22
MediaWiki\MainConfigNames\AccountCreationThrottle
const AccountCreationThrottle
Name constant for the AccountCreationThrottle setting, for use with Config::get()
Definition MainConfigNames.php:2907
MediaWiki\MainConfigNames\PasswordAttemptThrottle
const PasswordAttemptThrottle
Name constant for the PasswordAttemptThrottle setting, for use with Config::get()
Definition MainConfigNames.php:2997
MediaWiki\MediaWikiServices
Service locator for MediaWiki core services.
Definition MediaWikiServices.php:239
MediaWiki\MediaWikiServices\getInstance
static getInstance()
Returns the global default instance of the top level service locator.
Definition MediaWikiServices.php:322
MediaWiki\User\User
internal since 1.36
Definition User.php:93
Wikimedia\ObjectCache\BagOStuff
Class representing a cache/ephemeral data store.
Definition BagOStuff.php:88