MediaWiki  master
ThrottlePreAuthenticationProvider.php
Go to the documentation of this file.
1 <?php
22 namespace MediaWiki\Auth;
23 
24 use BagOStuff;
25 use MediaWiki\MainConfigNames;
26 
37 class ThrottlePreAuthenticationProvider extends AbstractPreAuthenticationProvider {
39  protected $throttleSettings;
40 
42  protected $accountCreationThrottle;
43 
45  protected $passwordAttemptThrottle;
46 
48  protected $cache;
49 
58  public function __construct( $params = [] ) {
59  $this->throttleSettings = array_intersect_key( $params,
60  [ 'accountCreationThrottle' => true, 'passwordAttemptThrottle' => true ] );
61  $this->cache = $params['cache'] ?? \ObjectCache::getLocalClusterInstance();
62  }
63 
64  protected function postInitSetup() {
65  $accountCreationThrottle = $this->config->get( MainConfigNames::AccountCreationThrottle );
66  // Handle old $wgAccountCreationThrottle format (number of attempts per 24 hours)
67  if ( !is_array( $accountCreationThrottle ) ) {
68  $accountCreationThrottle = [ [
69  'count' => $accountCreationThrottle,
70  'seconds' => 86400,
71  ] ];
72  }
73 
74  // @codeCoverageIgnoreStart
75  $this->throttleSettings += [
76  // @codeCoverageIgnoreEnd
77  'accountCreationThrottle' => $accountCreationThrottle,
78  'passwordAttemptThrottle' =>
79  $this->config->get( MainConfigNames::PasswordAttemptThrottle ),
80  ];
81 
82  if ( !empty( $this->throttleSettings['accountCreationThrottle'] ) ) {
83  $this->accountCreationThrottle = new Throttler(
84  $this->throttleSettings['accountCreationThrottle'], [
85  'type' => 'acctcreate',
86  'cache' => $this->cache,
87  ]
88  );
89  }
90  if ( !empty( $this->throttleSettings['passwordAttemptThrottle'] ) ) {
91  $this->passwordAttemptThrottle = new Throttler(
92  $this->throttleSettings['passwordAttemptThrottle'], [
93  'type' => 'password',
94  'cache' => $this->cache,
95  ]
96  );
97  }
98  }
99 
100  public function testForAccountCreation( $user, $creator, array $reqs ) {
101  if ( !$this->accountCreationThrottle || !$creator->isPingLimitable() ) {
102  return \StatusValue::newGood();
103  }
104 
105  $ip = $this->manager->getRequest()->getIP();
106 
107  if ( !$this->getHookRunner()->onExemptFromAccountCreationThrottle( $ip ) ) {
108  $this->logger->debug( __METHOD__ . ": a hook allowed account creation w/o throttle" );
109  return \StatusValue::newGood();
110  }
111 
112  $result = $this->accountCreationThrottle->increase( null, $ip, __METHOD__ );
113  if ( $result ) {
114  $message = wfMessage( 'acct_creation_throttle_hit' )->params( $result['count'] )
115  ->durationParams( $result['wait'] );
116  return \StatusValue::newFatal( $message );
117  }
118 
119  return \StatusValue::newGood();
120  }
121 
122  public function testForAuthentication( array $reqs ) {
123  if ( !$this->passwordAttemptThrottle ) {
124  return \StatusValue::newGood();
125  }
126 
127  $ip = $this->manager->getRequest()->getIP();
128  try {
129  $username = AuthenticationRequest::getUsernameFromRequests( $reqs );
130  } catch ( \UnexpectedValueException $e ) {
131  $username = null;
132  }
133 
134  // Get everything this username could normalize to, and throttle each one individually.
135  // If nothing uses usernames, just throttle by IP.
136  if ( $username !== null ) {
137  $usernames = $this->manager->normalizeUsername( $username );
138  } else {
139  $usernames = [ null ];
140  }
141  $result = false;
142  foreach ( $usernames as $name ) {
143  $r = $this->passwordAttemptThrottle->increase( $name, $ip, __METHOD__ );
144  if ( $r && ( !$result || $result['wait'] < $r['wait'] ) ) {
145  $result = $r;
146  }
147  }
148 
149  if ( $result ) {
150  $message = wfMessage( 'login-throttled' )->durationParams( $result['wait'] );
151  return \StatusValue::newFatal( $message );
152  } else {
153  $this->manager->setAuthenticationSessionData( 'LoginThrottle',
154  [ 'users' => $usernames, 'ip' => $ip ] );
155  return \StatusValue::newGood();
156  }
157  }
158 
163  public function postAuthentication( $user, AuthenticationResponse $response ) {
164  if ( $response->status !== AuthenticationResponse::PASS ) {
165  return;
166  } elseif ( !$this->passwordAttemptThrottle ) {
167  return;
168  }
169 
170  $data = $this->manager->getAuthenticationSessionData( 'LoginThrottle' );
171  if ( !$data ) {
172  // this can occur when login is happening via AuthenticationRequest::$loginRequest
173  // so testForAuthentication is skipped
174  $this->logger->info( 'throttler data not found for {user}', [ 'user' => $user->getName() ] );
175  return;
176  }
177 
178  foreach ( $data['users'] as $name ) {
179  $this->passwordAttemptThrottle->clear( $name, $data['ip'] );
180  }
181  }
182 }
wfMessage
wfMessage( $key,... $params)
This is the function for getting translated interface messages.
Definition: GlobalFunctions.php:937
BagOStuff
Class representing a cache/ephemeral data store.
Definition: BagOStuff.php:87
MediaWiki\Auth\AbstractPreAuthenticationProvider
A base class that implements some of the boilerplate for a PreAuthenticationProvider.
Definition: AbstractPreAuthenticationProvider.php:33
MediaWiki\Auth\AuthenticationRequest\getUsernameFromRequests
static getUsernameFromRequests(array $reqs)
Get the username from the set of requests.
Definition: AuthenticationRequest.php:294
MediaWiki\Auth\AuthenticationResponse
This is a value object to hold authentication response data.
Definition: AuthenticationResponse.php:37
MediaWiki\Auth\AuthenticationResponse\PASS
const PASS
Indicates that the authentication succeeded.
Definition: AuthenticationResponse.php:39
MediaWiki\Auth\ThrottlePreAuthenticationProvider
A pre-authentication provider to throttle authentication actions.
Definition: ThrottlePreAuthenticationProvider.php:37
MediaWiki\Auth\ThrottlePreAuthenticationProvider\testForAccountCreation
testForAccountCreation( $user, $creator, array $reqs)
Determine whether an account creation may begin.Called from AuthManager::beginAccountCreation()No nee...
Definition: ThrottlePreAuthenticationProvider.php:100
MediaWiki\Auth\ThrottlePreAuthenticationProvider\postInitSetup
postInitSetup()
A provider can override this to do any necessary setup after init() is called.
Definition: ThrottlePreAuthenticationProvider.php:64
MediaWiki\Auth\ThrottlePreAuthenticationProvider\postAuthentication
postAuthentication( $user, AuthenticationResponse $response)
Definition: ThrottlePreAuthenticationProvider.php:163
MediaWiki\Auth\ThrottlePreAuthenticationProvider\testForAuthentication
testForAuthentication(array $reqs)
Determine whether an authentication may begin.Called from AuthManager::beginAuthentication()StatusVal...
Definition: ThrottlePreAuthenticationProvider.php:122
MediaWiki\MainConfigNames
A class containing constants representing the names of configuration variables.
Definition: MainConfigNames.php:23
MediaWiki\MainConfigNames\AccountCreationThrottle
const AccountCreationThrottle
Name constant for the AccountCreationThrottle setting, for use with Config::get()
Definition: MainConfigNames.php:2855
MediaWiki\MainConfigNames\PasswordAttemptThrottle
const PasswordAttemptThrottle
Name constant for the PasswordAttemptThrottle setting, for use with Config::get()
Definition: MainConfigNames.php:2933
ObjectCache\getLocalClusterInstance
static getLocalClusterInstance()
Get the main cluster-local cache object.
Definition: ObjectCache.php:286