wikimedia/mediawiki-extensions-ConfirmEdit
1
0
Fork 0
mirror of https://gerrit.wikimedia.org/r/mediawiki/extensions/ConfirmEdit synced 2024-11-24 08:13:53 +00:00
Code Issues Packages Projects Releases Wiki Activity
mediawiki-extensions-Confir.../includes/auth/CaptchaPreAuthenticationProvider.php

175 lines
6.3 KiB
PHP
Raw Normal View History

Add AuthManager support to SimpleCaptcha, QuestyCaptcha, FancyCaptcha, MathCaptcha Also update MathCaptcha so that it works with recent versions of Math (and breaks with old ones). Also fix MathCaptcha API output, which used to send the question in plaintext. Bug: T110302 Change-Id: I0da671a546700110d789b79a3089460abd9cce3b Depends-On: I8b52ec8ddf494f23941807638f149f15b5e46b0c
2016-04-25 20:58:18 +00:00
<?php
use MediaWiki\Auth\AbstractPreAuthenticationProvider;
use MediaWiki\Auth\AuthenticationRequest;
use MediaWiki\Auth\AuthenticationResponse;
use MediaWiki\Auth\AuthManager;
use MediaWiki\Logger\LoggerFactory;
class CaptchaPreAuthenticationProvider extends AbstractPreAuthenticationProvider {
public function getAuthenticationRequests( $action, array $options ) {
$captcha = ConfirmEditHooks::getInstance();
$user = User::newFromName( $options['username'] );
$needed = false;
switch ( $action ) {
case AuthManager::ACTION_CREATE:
log login captchas to "captcha" channel instead of "authevents" Also makes the log events more useful by including the username in question and fix logging logins as being account creations. See also Icde984d27. Bug: T210817 Change-Id: I5f602bc08902b63acbb0752093b418d0ab063493
2020-02-11 07:38:46 +00:00
$u = $user ?: new User();
$needed = $captcha->needCreateAccountCaptcha( $u );
Add AuthManager support to SimpleCaptcha, QuestyCaptcha, FancyCaptcha, MathCaptcha Also update MathCaptcha so that it works with recent versions of Math (and breaks with old ones). Also fix MathCaptcha API output, which used to send the question in plaintext. Bug: T110302 Change-Id: I0da671a546700110d789b79a3089460abd9cce3b Depends-On: I8b52ec8ddf494f23941807638f149f15b5e46b0c
2016-04-25 20:58:18 +00:00
if ( $needed ) {
$captcha->setAction( 'accountcreate' );
log login captchas to "captcha" channel instead of "authevents" Also makes the log events more useful by including the username in question and fix logging logins as being account creations. See also Icde984d27. Bug: T210817 Change-Id: I5f602bc08902b63acbb0752093b418d0ab063493
2020-02-11 07:38:46 +00:00
// This is debug level simply because generally
// captchas are either always or never triggered on
// view of create account, so it gets pretty noisy
LoggerFactory::getInstance( 'captcha' )
->debug( 'Captcha shown on account creation for {user}', [
Add AuthManager support to SimpleCaptcha, QuestyCaptcha, FancyCaptcha, MathCaptcha Also update MathCaptcha so that it works with recent versions of Math (and breaks with old ones). Also fix MathCaptcha API output, which used to send the question in plaintext. Bug: T110302 Change-Id: I0da671a546700110d789b79a3089460abd9cce3b Depends-On: I8b52ec8ddf494f23941807638f149f15b5e46b0c
2016-04-25 20:58:18 +00:00
'event' => 'captcha.display',
Rename 'type' field of authevents channel to 'eventType' 'type' is problematic as it conflicts with a default field name in logstash. Bug: T145133 Change-Id: Idb73ba3e431ef2bd25b14c8562d1b3f212b4e072 Depends-On: Iab1eb47a6b6c98f3c84b4f8e2d16cbe2cdbf515b
2016-11-26 00:59:48 +00:00
'eventType' => 'accountcreation',
log login captchas to "captcha" channel instead of "authevents" Also makes the log events more useful by including the username in question and fix logging logins as being account creations. See also Icde984d27. Bug: T210817 Change-Id: I5f602bc08902b63acbb0752093b418d0ab063493
2020-02-11 07:38:46 +00:00
'user' => $u->getName()
Add AuthManager support to SimpleCaptcha, QuestyCaptcha, FancyCaptcha, MathCaptcha Also update MathCaptcha so that it works with recent versions of Math (and breaks with old ones). Also fix MathCaptcha API output, which used to send the question in plaintext. Bug: T110302 Change-Id: I0da671a546700110d789b79a3089460abd9cce3b Depends-On: I8b52ec8ddf494f23941807638f149f15b5e46b0c
2016-04-25 20:58:18 +00:00
] );
}
break;
case AuthManager::ACTION_LOGIN:
// Captcha is shown on login when there were too many failed attempts from the
// current IP or user. The latter is a bit awkward because we don't know the
// username yet. The username from the last successful login is stored in a cookie,
// but we still must make sure to not lock out other usernames so we use a session
// flag. This will result in confusing error messages if the browser cannot persist
// the session, but then login would be impossible anyway so no big deal.
// If the username ends to be one that does not trigger the captcha, that will
// result in weird behavior (if the user leaves the captcha field open, they get
// a required field error, if they fill it with an invalid answer, it will pass)
// - again, not a huge deal.
$session = $this->manager->getRequest()->getSession();
$sessionFlag = $session->get( 'ConfirmEdit:loginCaptchaPerUserTriggered' );
$suggestedUsername = $session->suggestLoginUsername();
if (
$captcha->isBadLoginTriggered()
|| $sessionFlag
|| $suggestedUsername && $captcha->isBadLoginPerUserTriggered( $suggestedUsername )
) {
$needed = true;
$captcha->setAction( 'badlogin' );
log login captchas to "captcha" channel instead of "authevents" Also makes the log events more useful by including the username in question and fix logging logins as being account creations. See also Icde984d27. Bug: T210817 Change-Id: I5f602bc08902b63acbb0752093b418d0ab063493
2020-02-11 07:38:46 +00:00
LoggerFactory::getInstance( 'captcha' )
Don't use logging reserved word 'ip' as parameter Bug: T245280 Change-Id: I368724e9e6de85df45fd8734668789e8d524214f Follows-up: I5f602bc08902b63acbb0752093b418d0ab063493
2020-02-27 15:10:29 +00:00
->info( 'Captcha shown on login by {clientip} for {suggestedUser}', [
Add AuthManager support to SimpleCaptcha, QuestyCaptcha, FancyCaptcha, MathCaptcha Also update MathCaptcha so that it works with recent versions of Math (and breaks with old ones). Also fix MathCaptcha API output, which used to send the question in plaintext. Bug: T110302 Change-Id: I0da671a546700110d789b79a3089460abd9cce3b Depends-On: I8b52ec8ddf494f23941807638f149f15b5e46b0c
2016-04-25 20:58:18 +00:00
'event' => 'captcha.display',
Rename 'type' field of authevents channel to 'eventType' 'type' is problematic as it conflicts with a default field name in logstash. Bug: T145133 Change-Id: Idb73ba3e431ef2bd25b14c8562d1b3f212b4e072 Depends-On: Iab1eb47a6b6c98f3c84b4f8e2d16cbe2cdbf515b
2016-11-26 00:59:48 +00:00
'eventType' => 'accountcreation',
log login captchas to "captcha" channel instead of "authevents" Also makes the log events more useful by including the username in question and fix logging logins as being account creations. See also Icde984d27. Bug: T210817 Change-Id: I5f602bc08902b63acbb0752093b418d0ab063493
2020-02-11 07:38:46 +00:00
'suggestedUser' => $suggestedUsername,
Don't use logging reserved word 'ip' as parameter Bug: T245280 Change-Id: I368724e9e6de85df45fd8734668789e8d524214f Follows-up: I5f602bc08902b63acbb0752093b418d0ab063493
2020-02-27 15:10:29 +00:00
'clientip' => $this->manager->getRequest()->getIP()
Add AuthManager support to SimpleCaptcha, QuestyCaptcha, FancyCaptcha, MathCaptcha Also update MathCaptcha so that it works with recent versions of Math (and breaks with old ones). Also fix MathCaptcha API output, which used to send the question in plaintext. Bug: T110302 Change-Id: I0da671a546700110d789b79a3089460abd9cce3b Depends-On: I8b52ec8ddf494f23941807638f149f15b5e46b0c
2016-04-25 20:58:18 +00:00
] );
break;
}
break;
}
if ( $needed ) {
Add AuthManager support for ReCaptcha, ReCaptchaNoCaptcha Also remove references to "two words" from ReCaptcha labels. The captcha image doesn't always contain two words. Bug: T110302 Change-Id: I544656289480056152a1db195babb6dadf29bc71
2016-05-03 16:42:00 +00:00
return [ $captcha->createAuthenticationRequest() ];
Add AuthManager support to SimpleCaptcha, QuestyCaptcha, FancyCaptcha, MathCaptcha Also update MathCaptcha so that it works with recent versions of Math (and breaks with old ones). Also fix MathCaptcha API output, which used to send the question in plaintext. Bug: T110302 Change-Id: I0da671a546700110d789b79a3089460abd9cce3b Depends-On: I8b52ec8ddf494f23941807638f149f15b5e46b0c
2016-04-25 20:58:18 +00:00
} else {
return [];
}
}
public function testForAuthentication( array $reqs ) {
$captcha = ConfirmEditHooks::getInstance();
$username = AuthenticationRequest::getUsernameFromRequests( $reqs );
$success = true;
$isBadLoginPerUserTriggered = $username ?
$captcha->isBadLoginPerUserTriggered( $username ) : false;
if ( $captcha->isBadLoginTriggered() || $isBadLoginPerUserTriggered ) {
$captcha->setAction( 'badlogin' );
$captcha->setTrigger( "post-badlogin login '$username'" );
$success = $this->verifyCaptcha( $captcha, $reqs, new User() );
log login captchas to "captcha" channel instead of "authevents" Also makes the log events more useful by including the username in question and fix logging logins as being account creations. See also Icde984d27. Bug: T210817 Change-Id: I5f602bc08902b63acbb0752093b418d0ab063493
2020-02-11 07:38:46 +00:00
$ip = $this->manager->getRequest()->getIP();
LoggerFactory::getInstance( 'captcha' )->info( 'Captcha submitted on login for {user}', [
Add AuthManager support to SimpleCaptcha, QuestyCaptcha, FancyCaptcha, MathCaptcha Also update MathCaptcha so that it works with recent versions of Math (and breaks with old ones). Also fix MathCaptcha API output, which used to send the question in plaintext. Bug: T110302 Change-Id: I0da671a546700110d789b79a3089460abd9cce3b Depends-On: I8b52ec8ddf494f23941807638f149f15b5e46b0c
2016-04-25 20:58:18 +00:00
'event' => 'captcha.submit',
Rename 'type' field of authevents channel to 'eventType' 'type' is problematic as it conflicts with a default field name in logstash. Bug: T145133 Change-Id: Idb73ba3e431ef2bd25b14c8562d1b3f212b4e072 Depends-On: Iab1eb47a6b6c98f3c84b4f8e2d16cbe2cdbf515b
2016-11-26 00:59:48 +00:00
'eventType' => 'login',
Add AuthManager support to SimpleCaptcha, QuestyCaptcha, FancyCaptcha, MathCaptcha Also update MathCaptcha so that it works with recent versions of Math (and breaks with old ones). Also fix MathCaptcha API output, which used to send the question in plaintext. Bug: T110302 Change-Id: I0da671a546700110d789b79a3089460abd9cce3b Depends-On: I8b52ec8ddf494f23941807638f149f15b5e46b0c
2016-04-25 20:58:18 +00:00
'successful' => $success,
log login captchas to "captcha" channel instead of "authevents" Also makes the log events more useful by including the username in question and fix logging logins as being account creations. See also Icde984d27. Bug: T210817 Change-Id: I5f602bc08902b63acbb0752093b418d0ab063493
2020-02-11 07:38:46 +00:00
'user' => $username,
Don't use logging reserved word 'ip' as parameter Bug: T245280 Change-Id: I368724e9e6de85df45fd8734668789e8d524214f Follows-up: I5f602bc08902b63acbb0752093b418d0ab063493
2020-02-27 15:10:29 +00:00
'clientip' => $ip
Add AuthManager support to SimpleCaptcha, QuestyCaptcha, FancyCaptcha, MathCaptcha Also update MathCaptcha so that it works with recent versions of Math (and breaks with old ones). Also fix MathCaptcha API output, which used to send the question in plaintext. Bug: T110302 Change-Id: I0da671a546700110d789b79a3089460abd9cce3b Depends-On: I8b52ec8ddf494f23941807638f149f15b5e46b0c
2016-04-25 20:58:18 +00:00
] );
}
if ( $isBadLoginPerUserTriggered || $isBadLoginPerUserTriggered === null ) {
$session = $this->manager->getRequest()->getSession();
$session->set( 'ConfirmEdit:loginCaptchaPerUserTriggered', true );
}
// Make brute force attacks harder by not telling whether the password or the
// captcha failed.
Add AuthManager support for ReCaptcha, ReCaptchaNoCaptcha Also remove references to "two words" from ReCaptcha labels. The captcha image doesn't always contain two words. Bug: T110302 Change-Id: I544656289480056152a1db195babb6dadf29bc71
2016-05-03 16:42:00 +00:00
return $success ? Status::newGood() : $this->makeError( 'wrongpassword', $captcha );
Add AuthManager support to SimpleCaptcha, QuestyCaptcha, FancyCaptcha, MathCaptcha Also update MathCaptcha so that it works with recent versions of Math (and breaks with old ones). Also fix MathCaptcha API output, which used to send the question in plaintext. Bug: T110302 Change-Id: I0da671a546700110d789b79a3089460abd9cce3b Depends-On: I8b52ec8ddf494f23941807638f149f15b5e46b0c
2016-04-25 20:58:18 +00:00
}
public function testForAccountCreation( $user, $creator, array $reqs ) {
$captcha = ConfirmEditHooks::getInstance();
if ( $captcha->needCreateAccountCaptcha( $creator ) ) {
$username = $user->getName();
$captcha->setAction( 'accountcreate' );
$captcha->setTrigger( "new account '$username'" );
$success = $this->verifyCaptcha( $captcha, $reqs, $user );
log login captchas to "captcha" channel instead of "authevents" Also makes the log events more useful by including the username in question and fix logging logins as being account creations. See also Icde984d27. Bug: T210817 Change-Id: I5f602bc08902b63acbb0752093b418d0ab063493
2020-02-11 07:38:46 +00:00
$ip = $this->manager->getRequest()->getIP();
LoggerFactory::getInstance( 'captcha' )->info(
'Captcha submitted on account creation for {user}', [
'event' => 'captcha.submit',
'eventType' => 'accountcreation',
'successful' => $success,
'user' => $username,
Don't use logging reserved word 'ip' as parameter Bug: T245280 Change-Id: I368724e9e6de85df45fd8734668789e8d524214f Follows-up: I5f602bc08902b63acbb0752093b418d0ab063493
2020-02-27 15:10:29 +00:00
'clientip' => $ip
log login captchas to "captcha" channel instead of "authevents" Also makes the log events more useful by including the username in question and fix logging logins as being account creations. See also Icde984d27. Bug: T210817 Change-Id: I5f602bc08902b63acbb0752093b418d0ab063493
2020-02-11 07:38:46 +00:00
]
);
Add AuthManager support for ReCaptcha, ReCaptchaNoCaptcha Also remove references to "two words" from ReCaptcha labels. The captcha image doesn't always contain two words. Bug: T110302 Change-Id: I544656289480056152a1db195babb6dadf29bc71
2016-05-03 16:42:00 +00:00
if ( !$success ) {
return $this->makeError( 'captcha-createaccount-fail', $captcha );
}
Add AuthManager support to SimpleCaptcha, QuestyCaptcha, FancyCaptcha, MathCaptcha Also update MathCaptcha so that it works with recent versions of Math (and breaks with old ones). Also fix MathCaptcha API output, which used to send the question in plaintext. Bug: T110302 Change-Id: I0da671a546700110d789b79a3089460abd9cce3b Depends-On: I8b52ec8ddf494f23941807638f149f15b5e46b0c
2016-04-25 20:58:18 +00:00
}
return Status::newGood();
}
public function postAuthentication( $user, AuthenticationResponse $response ) {
$captcha = ConfirmEditHooks::getInstance();
switch ( $response->status ) {
case AuthenticationResponse::PASS:
case AuthenticationResponse::RESTART:
$session = $this->manager->getRequest()->getSession();
$session->remove( 'ConfirmEdit:loginCaptchaPerUserTriggered' );
$captcha->resetBadLoginCounter( $user ? $user->getName() : null );
break;
case AuthenticationResponse::FAIL:
$captcha->increaseBadLoginCounter( $user ? $user->getName() : null );
break;
}
}
/**
* Verify submitted captcha.
* Assumes that the user has to pass the capctha (permission checks are caller's responsibility).
* @param SimpleCaptcha $captcha
* @param AuthenticationRequest[] $reqs
* @param User $user
* @return bool
*/
protected function verifyCaptcha( SimpleCaptcha $captcha, array $reqs, User $user ) {
/** @var CaptchaAuthenticationRequest $req */
Add AuthManager support for ReCaptcha, ReCaptchaNoCaptcha Also remove references to "two words" from ReCaptcha labels. The captcha image doesn't always contain two words. Bug: T110302 Change-Id: I544656289480056152a1db195babb6dadf29bc71
2016-05-03 16:42:00 +00:00
$req = AuthenticationRequest::getRequestByClass( $reqs,
CaptchaAuthenticationRequest::class, true );
Add AuthManager support to SimpleCaptcha, QuestyCaptcha, FancyCaptcha, MathCaptcha Also update MathCaptcha so that it works with recent versions of Math (and breaks with old ones). Also fix MathCaptcha API output, which used to send the question in plaintext. Bug: T110302 Change-Id: I0da671a546700110d789b79a3089460abd9cce3b Depends-On: I8b52ec8ddf494f23941807638f149f15b5e46b0c
2016-04-25 20:58:18 +00:00
if ( !$req ) {
return false;
}
return $captcha->passCaptchaLimited( $req->captchaId, $req->captchaWord, $user );
}
Add AuthManager support for ReCaptcha, ReCaptchaNoCaptcha Also remove references to "two words" from ReCaptcha labels. The captcha image doesn't always contain two words. Bug: T110302 Change-Id: I544656289480056152a1db195babb6dadf29bc71
2016-05-03 16:42:00 +00:00
/**
* @param string $message Message key
* @param SimpleCaptcha $captcha
* @return Status
*/
protected function makeError( $message, SimpleCaptcha $captcha ) {
$error = $captcha->getError();
if ( $error ) {
return Status::newFatal( wfMessage( 'captcha-error', $error ) );
}
return Status::newFatal( $message );
}
Add AuthManager support to SimpleCaptcha, QuestyCaptcha, FancyCaptcha, MathCaptcha Also update MathCaptcha so that it works with recent versions of Math (and breaks with old ones). Also fix MathCaptcha API output, which used to send the question in plaintext. Bug: T110302 Change-Id: I0da671a546700110d789b79a3089460abd9cce3b Depends-On: I8b52ec8ddf494f23941807638f149f15b5e46b0c
2016-04-25 20:58:18 +00:00
}
Reference in a new issue Copy permalink