From bdb1d8b4a10674a568bbe3e995763bf7ba4ffcb4 Mon Sep 17 00:00:00 2001
From: Ryan Lane <rlane@wikimedia.org>
Date: Wed, 20 Mar 2013 11:56:43 -0700
Subject: [PATCH] Switch to using AbortLogin hook for tokens

Change-Id: I2e1ff4f35018854ff0cfa4e649984f1d56ecb828
---
 OATHAuth.i18n.php |  2 ++
 OATHAuth.php      |  3 ++-
 OATHUser.php      | 53 +++++++++++++++++++++++++++++++++++++----------
 3 files changed, 46 insertions(+), 12 deletions(-)

diff --git a/OATHAuth.i18n.php b/OATHAuth.i18n.php
index f867c2a4..46ccb1e0 100644
--- a/OATHAuth.i18n.php
+++ b/OATHAuth.i18n.php
@@ -45,6 +45,7 @@ $messages['en'] = array(
 	'oathauth-notloggedin' => 'Login required',
 	'oathauth-mustbeloggedin' => 'You must be logged in to perform this action.',
 	'oathauth-prefs-label' => 'Two-factor authentication:',
+	'oathauth-abortlogin' => 'The two-factor authentication token provided was invalid.',
 );
 
 /** Message documentation (Message documentation)
@@ -85,6 +86,7 @@ $messages['qqq'] = array(
 {{Identical|Login required}}',
 	'oathauth-mustbeloggedin' => 'Plain text seen on Special:OATH when a user is not logged in.',
 	'oathauth-prefs-label' => 'Plain text label seen on Special:Preferences',
+	'oathauth-abortlogin' => 'Error message shown on login and password change pages when authentication is aborted.',
 );
 
 /** Afrikaans (Afrikaans)
diff --git a/OATHAuth.php b/OATHAuth.php
index a8aceebb..7e150a3f 100644
--- a/OATHAuth.php
+++ b/OATHAuth.php
@@ -48,7 +48,8 @@ $wgResourceModules['ext.oathauth'] = array(
 	'remoteExtPath' => 'OATHAuth',
 );
 
-$wgHooks['ChainAuth'][] = 'OATHUser::ChainAuth';
+$wgHooks['AbortChangePassword'][] = 'OATHUser::AbortChangePassword';
+$wgHooks['AbortLogin'][] = 'OATHUser::AbortLogin';
 $wgHooks['UserLoginForm'][] = 'OATHUser::ModifyUITemplate';
 $wgHooks['ChangePasswordForm'][] = 'OATHUser::ChangePasswordForm';
 $wgHooks['TwoFactorIsEnabled'][] = 'OATHUser::TwoFactorIsEnabled';
diff --git a/OATHUser.php b/OATHUser.php
index 35529fa0..2894e051 100644
--- a/OATHUser.php
+++ b/OATHUser.php
@@ -308,27 +308,58 @@ class OATHUser {
 	}
 
 	/**
-	 * @param $username string
+	 * @param $user User
 	 * @param $password string
-	 * @param $result bool
+	 * @param $newpassword string
+	 * @param &$errorMsg string
 	 * @return bool
 	 */
-	static function ChainAuth( $username, $password, &$result ) {
-		global $wgRequest;
-
-		$token = $wgRequest->getText( 'wpOATHToken' );
-		$user = OATHUser::newFromUsername( $username );
-		if ( $user && $user->isEnabled() && $user->isValidated() ) {
-			$result = $user->verifyToken( $token );
-		}
-
+	static function AbortChangePassword( $user, $password, $newpassword, &$errorMsg ) {
+		$result = self::authenticate( $user );
 		if ( $result ) {
 			return true;
 		} else {
+			$errorMsg = 'oathauth-abortlogin';
 			return false;
 		}
 	}
 
+	/**
+	 * @param $user User
+	 * @param $password string
+	 * @param &$abort int
+	 * @param &$errorMsg string
+	 * @return bool
+	 */
+	static function AbortLogin( $user, $password, &$abort, &$errorMsg ) {
+		$result = self::authenticate( $user );
+		if ( $result ) {
+			return true;
+		} else {
+			$abort = LoginForm::ABORTED;
+			$errorMsg = 'oathauth-abortlogin';
+			return false;
+		}
+	}
+
+	/**
+	 * @param $user User
+	 * @return bool
+	 */
+	static function authenticate( $user ) {
+		global $wgRequest;
+		$token = $wgRequest->getText( 'wpOATHToken' );
+		$oathuser = OATHUser::newFromUser( $user );
+		# Though it's weird to default to true, we only want to deny
+		# users who have two-factor enabled and have validated their
+		# token.
+		$result = true;
+		if ( $oathuser && $oathuser->isEnabled() && $oathuser->isValidated() ) {
+			$result = $oathuser->verifyToken( $token );
+		}
+		return $result;
+	}
+
 	static function TwoFactorIsEnabled( &$isEnabled ) {
 		global $wgUser;