mirror of
https://gerrit.wikimedia.org/r/mediawiki/extensions/OATHAuth
synced 2024-11-28 10:10:19 +00:00
106497dc27
The first time the extension asks for the code of the mobile phone isn't an error and shouldn't be styles as such (see the depends-on change). Change all other UIs to errors. Bug: T139179 Change-Id: I7cc3333c3e166295e85e91c7b377e53842bdb307 Depends-On: I9a27911613e62b5c4cb86bea40696cb37c4f49c2
90 lines
3 KiB
PHP
90 lines
3 KiB
PHP
<?php
|
|
|
|
use MediaWiki\Auth\AbstractSecondaryAuthenticationProvider;
|
|
use MediaWiki\Auth\AuthenticationRequest;
|
|
use MediaWiki\Auth\AuthenticationResponse;
|
|
use MediaWiki\Auth\AuthManager;
|
|
use MediaWiki\Auth\Throttler;
|
|
use MediaWiki\Session\SessionManager;
|
|
|
|
/**
|
|
* AuthManager secondary authentication provider for TOTP second-factor authentication.
|
|
*
|
|
* After a successful primary authentication, requests a time-based one-time password
|
|
* (typically generated by a mobile app such as Google Authenticator) from the user.
|
|
*
|
|
* @see AuthManager
|
|
* @see https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
|
|
*/
|
|
class TOTPSecondaryAuthenticationProvider extends AbstractSecondaryAuthenticationProvider {
|
|
|
|
public function getAuthenticationRequests( $action, array $options ) {
|
|
switch ( $action ) {
|
|
case AuthManager::ACTION_LOGIN:
|
|
// don't ask for anything initially so the second factor is on a separate screen
|
|
return [];
|
|
default:
|
|
return [];
|
|
}
|
|
}
|
|
|
|
/**
|
|
* If the user has enabled two-factor authentication, request a second factor.
|
|
* @inheritdoc
|
|
*/
|
|
public function beginSecondaryAuthentication( $user, array $reqs ) {
|
|
$oathuser = OATHAuthHooks::getOATHUserRepository()->findByUser( $user );
|
|
|
|
if ( $oathuser->getKey() === null ) {
|
|
return AuthenticationResponse::newAbstain();
|
|
} else {
|
|
return AuthenticationResponse::newUI( array( new TOTPAuthenticationRequest() ),
|
|
wfMessage( 'oathauth-auth-ui' ), 'warning' );
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Verify the second factor.
|
|
* @inheritdoc
|
|
*/
|
|
public function continueSecondaryAuthentication( $user, array $reqs ) {
|
|
/** @var TOTPAuthenticationRequest $request */
|
|
$request = AuthenticationRequest::getRequestByClass( $reqs, TOTPAuthenticationRequest::class );
|
|
if ( !$request ) {
|
|
return AuthenticationResponse::newUI( array( new TOTPAuthenticationRequest() ),
|
|
wfMessage( 'oathauth-login-failed' ), 'error' );
|
|
}
|
|
|
|
$throttler = new Throttler( null, [ 'type' => 'TOTP' ] );
|
|
$result = $throttler->increase( $user->getName(), null, __METHOD__ );
|
|
if ( $result ) {
|
|
return AuthenticationResponse::newUI( array( new TOTPAuthenticationRequest() ),
|
|
new Message(
|
|
'oathauth-throttled',
|
|
[ Message::durationParam( $result['wait'] ) ]
|
|
), 'error' );
|
|
}
|
|
|
|
$oathuser = OATHAuthHooks::getOATHUserRepository()->findByUser( $user );
|
|
$token = $request->OATHToken;
|
|
|
|
if ( $oathuser->getKey() === null ) {
|
|
$this->logger->warning( 'Two-factor authentication was disabled mid-authentication for '
|
|
. $user->getName() );
|
|
return AuthenticationResponse::newAbstain();
|
|
}
|
|
|
|
if ( $oathuser->getKey()->verifyToken( $token, $oathuser ) ) {
|
|
$throttler->clear( $user->getName(), null );
|
|
return AuthenticationResponse::newPass();
|
|
} else {
|
|
return AuthenticationResponse::newUI( array( new TOTPAuthenticationRequest() ),
|
|
wfMessage( 'oathauth-login-failed' ), 'error' );
|
|
}
|
|
}
|
|
|
|
public function beginSecondaryAccountCreation( $user, $creator, array $reqs ) {
|
|
return AuthenticationResponse::newAbstain();
|
|
}
|
|
}
|