Merge "Add an api action to validate an OATH token"

api/ApiOATHValidate.php

@@ -0,0 +1,111 @@
+<?php
+/**
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ */
+
+/**
+ * Validate an OATH token.
+ *
+ * @ingroup API
+ * @ingroup Extensions
+ */
+class ApiOATHValidate extends ApiBase {
+	public function execute() {
+		// Be extra paranoid about the data that is sent
+		$this->requirePostedParameters( [ 'totp', 'token' ] );
+
+		$params = $this->extractRequestParams();
+		if ( $params['user'] === null ) {
+			$params['user'] = $this->getUser()->getName();
+		}
+
+		if ( !$this->getUser()->isAllowed( 'oathauth-api-all' ) ) {
+			$this->dieUsage(
+				'You do not have permission to validate an OATH token',
+				'permissiondenied'
+			);
+		}
+
+		$user = User::newFromName( $params['user'] );
+		if ( $user === false ) {
+			$this->dieUsageMsg( [ 'noname', $params['user'] ] );
+		}
+
+		// Don't increase pingLimiter, just check for limit exceeded
+		if ( $user->pingLimiter( 'badoath', 0 ) ) {
+			$this->dieUsageMsg( 'actionthrottledtext' );
+		}
+
+		$result = [
+			ApiResult::META_BC_BOOLS => [ 'enabled', 'valid' ],
+			'enabled' => false,
+			'valid' => false,
+		];
+
+		if ( !$user->isAnon() ) {
+			$oathUser = OATHAuthHooks::getOATHUserRepository()
+				->findByUser( $user );
+			if ( $oathUser ) {
+				$key = $oathUser->getKey();
+				if ( $key !== null ) {
+					$result['enabled'] = true;
+					$result['valid'] = $key->verifyToken(
+						$params['totp'], $oathUser ) !== false;
+				}
+			}
+		}
+
+		if ( !$result['valid'] ) {
+			// Increase rate limit counter for failed request
+			$user->pingLimiter( 'badoath' );
+		}
+
+		$this->getResult()->addValue( null, $this->getModuleName(), $result );
+	}
+
+	public function getCacheMode( $params ) {
+		return 'private';
+	}
+
+	public function isInternal() {
+		return true;
+	}
+
+	public function needsToken() {
+		return 'csrf';
+	}
+
+	public function getAllowedParams() {
+		return [
+			'user' => [
+				ApiBase::PARAM_TYPE => 'user',
+			],
+			'totp' => [
+				ApiBase::PARAM_TYPE => 'string',
+				ApiBase::PARAM_REQUIRED => true,
+			],
+		];
+	}
+
+	protected function getExamplesMessages() {
+		return [
+			'action=oathvalidate&totp=123456&token=123ABC'
+				=> 'apihelp-oath-example-1',
+			'action=oathvalidate&user=Example&totp=123456&token=123ABC'
+				=> 'apihelp-oath-example-2',
+		];
+	}
+}

api/ApiQueryOATH.php

@@ -51,6 +51,7 @@ class ApiQueryOATH extends ApiQueryBase {
 
 		$result = $this->getResult();
 		$data = [
+			ApiResult::META_BC_BOOLS => [ 'enabled' ],
 			'enabled' => false,
 		];
 

extension.json

@@ -7,6 +7,7 @@
 	"type": "other",
 	"license-name": "GPL-2.0+",
 	"AutoloadClasses": {
+		"ApiOATHValidate": "api/ApiOATHValidate.php",
 		"ApiQueryOATH": "api/ApiQueryOATH.php",
 		"OATHAuthHooks": "OATHAuth.hooks.php",
 		"OATHAuthLegacyHooks": "OATHAuth.hooks.legacy.php",
@@ -90,8 +91,19 @@
 	"GrantPermissionGroups": {
 		"oath": "authentication"
 	},
+	"APIModules": {
+		"oathvalidate": "ApiOATHValidate"
+	},
 	"APIMetaModules": {
 		"oath": "ApiQueryOATH"
 	},
+	"RateLimits": {
+		"badoath": {
+			"user": [
+				10,
+				60
+			]
+		}
+	},
 	"manifest_version": 1
 }

i18n/en.json

@@ -58,5 +58,10 @@
 	"apihelp-query+oath-description": "Check to see if two-factor authentication (OATH) is enabled for a user.",
 	"apihelp-query+oath-param-user": "User to get information about. Defaults to the current user.",
 	"apihelp-query+oath-example-1": "Get information about the current user",
-	"apihelp-query+oath-example-2": "Get information about user <kbd>Example</kbd>"
+	"apihelp-query+oath-example-2": "Get information about user <kbd>Example</kbd>",
+	"apihelp-oathvalidate-description": "Validate a two-factor authentication (OATH) token.",
+	"apihelp-oathvalidate-param-user": "User to validate token for. Defaults to the current user.",
+	"apihelp-oathvalidate-param-totp": "Two-factor authentication (OATH) token.",
+	"apihelp-oath-example-1": "Validate a token for the current user",
+	"apihelp-oath-example-2": "Validate a token for the user <kbd>Example</kbd>"
 }

i18n/qqq.json

@@ -63,5 +63,10 @@
 	"apihelp-query+oath-description": "{{doc-apihelp-description|query+oath}}",
 	"apihelp-query+oath-param-user": "{{doc-apihelp-param|query+oath|user}}",
 	"apihelp-query+oath-example-1": "{{doc-apihelp-example|query+oath}}",
-	"apihelp-query+oath-example-2": "{{doc-apihelp-example|query+oath}}"
+	"apihelp-query+oath-example-2": "{{doc-apihelp-example|query+oath}}",
+	"apihelp-oathvalidate-description": "{{doc-apihelp-description|oathvalidate}}",
+	"apihelp-oathvalidate-param-user": "{{doc-apihelp-param|oathvalidate|user}}",
+	"apihelp-oathvalidate-param-totp": "{{doc-apihelp-param|oathvalidate|totp}}",
+	"apihelp-oath-example-1": "{{doc-apihelp-example|oathvalidate}}",
+	"apihelp-oath-example-2": "{{doc-apihelp-example|oathvalidate}}"
 }