mirror of
https://gerrit.wikimedia.org/r/mediawiki/extensions/OATHAuth
synced 2024-11-24 08:14:15 +00:00
a6b60d2465
Extend the token validation failure checks introduced in I4884f6e to the other interactions where OATHAuthKey::verifyToken is used. Depends-On: Ia3add8bbbab0307f036e9b77e752c382da3a0d04 Change-Id: Icbe5cdf561c683dc971a099d61cedff311b26b43
89 lines
2.8 KiB
PHP
89 lines
2.8 KiB
PHP
<?php
|
|
|
|
use MediaWiki\Auth\AbstractSecondaryAuthenticationProvider;
|
|
use MediaWiki\Auth\AuthenticationRequest;
|
|
use MediaWiki\Auth\AuthenticationResponse;
|
|
use MediaWiki\Auth\AuthManager;
|
|
use MediaWiki\Session\SessionManager;
|
|
|
|
/**
|
|
* AuthManager secondary authentication provider for TOTP second-factor authentication.
|
|
*
|
|
* After a successful primary authentication, requests a time-based one-time password
|
|
* (typically generated by a mobile app such as Google Authenticator) from the user.
|
|
*
|
|
* @see AuthManager
|
|
* @see https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
|
|
*/
|
|
class TOTPSecondaryAuthenticationProvider extends AbstractSecondaryAuthenticationProvider {
|
|
|
|
public function getAuthenticationRequests( $action, array $options ) {
|
|
switch ( $action ) {
|
|
case AuthManager::ACTION_LOGIN:
|
|
// don't ask for anything initially so the second factor is on a separate screen
|
|
return [];
|
|
default:
|
|
return [];
|
|
}
|
|
}
|
|
|
|
/**
|
|
* If the user has enabled two-factor authentication, request a second factor.
|
|
* @inheritdoc
|
|
*/
|
|
public function beginSecondaryAuthentication( $user, array $reqs ) {
|
|
$oathuser = OATHAuthHooks::getOATHUserRepository()->findByUser( $user );
|
|
|
|
if ( $oathuser->getKey() === null ) {
|
|
return AuthenticationResponse::newAbstain();
|
|
} else {
|
|
return AuthenticationResponse::newUI( [ new TOTPAuthenticationRequest() ],
|
|
wfMessage( 'oathauth-auth-ui' ), 'warning' );
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Verify the second factor.
|
|
* @inheritdoc
|
|
*/
|
|
public function continueSecondaryAuthentication( $user, array $reqs ) {
|
|
/** @var TOTPAuthenticationRequest $request */
|
|
$request = AuthenticationRequest::getRequestByClass( $reqs, TOTPAuthenticationRequest::class );
|
|
if ( !$request ) {
|
|
return AuthenticationResponse::newUI( [ new TOTPAuthenticationRequest() ],
|
|
wfMessage( 'oathauth-login-failed' ), 'error' );
|
|
}
|
|
|
|
$oathuser = OATHAuthHooks::getOATHUserRepository()->findByUser( $user );
|
|
$token = $request->OATHToken;
|
|
|
|
if ( $oathuser->getKey() === null ) {
|
|
$this->logger->warning( 'Two-factor authentication was disabled mid-authentication for '
|
|
. $user->getName() );
|
|
return AuthenticationResponse::newAbstain();
|
|
}
|
|
|
|
// Don't increase pingLimiter, just check for limit exceeded.
|
|
if ( $user->pingLimiter( 'badoath', 0 ) ) {
|
|
return AuthenticationResponse::newUI(
|
|
[ new TOTPAuthenticationRequest() ],
|
|
new Message(
|
|
'oathauth-throttled',
|
|
// Arbitrary duration given here
|
|
[ Message::durationParam( 60 ) ]
|
|
), 'error' );
|
|
}
|
|
|
|
if ( $oathuser->getKey()->verifyToken( $token, $oathuser ) ) {
|
|
return AuthenticationResponse::newPass();
|
|
} else {
|
|
return AuthenticationResponse::newUI( [ new TOTPAuthenticationRequest() ],
|
|
wfMessage( 'oathauth-login-failed' ), 'error' );
|
|
}
|
|
}
|
|
|
|
public function beginSecondaryAccountCreation( $user, $creator, array $reqs ) {
|
|
return AuthenticationResponse::newAbstain();
|
|
}
|
|
}
|