diff options
Diffstat (limited to 'includes/api/ApiLogin.php')
| -rw-r--r-- | includes/api/ApiLogin.php | 135 |
1 files changed, 15 insertions, 120 deletions
diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php index a45390c4..43b30f7c 100644 --- a/includes/api/ApiLogin.php +++ b/includes/api/ApiLogin.php @@ -36,23 +36,6 @@ if (!defined('MEDIAWIKI')) { */ class ApiLogin extends ApiBase { - /** - * Time (in seconds) a user must wait after submitting - * a bad login (will be multiplied by the THROTTLE_FACTOR for each bad attempt) - */ - const THROTTLE_TIME = 5; - - /** - * The factor by which the wait-time in between authentication - * attempts is increased every failed attempt. - */ - const THROTTLE_FACTOR = 2; - - /** - * The maximum number of failed logins after which the wait increase stops. - */ - const THOTTLE_MAX_COUNT = 10; - public function __construct($main, $action) { parent :: __construct($main, $action, 'lg'); } @@ -61,7 +44,7 @@ class ApiLogin extends ApiBase { * Executes the log-in attempt using the parameters passed. If * the log-in succeeeds, it attaches a cookie to the session * and outputs the user id, username, and session token. If a - * log-in fails, as the result of a bad password, a nonexistant + * log-in fails, as the result of a bad password, a nonexistent * user, or any other reason, the host is cached with an expiry * and no log-in attempts will be accepted until that expiry * is reached. The expiry is $this->mLoginThrottle. @@ -69,25 +52,14 @@ class ApiLogin extends ApiBase { * @access public */ public function execute() { - $name = $password = $domain = null; - extract($this->extractRequestParams()); + $params = $this->extractRequestParams(); $result = array (); - // Make sure noone is trying to guess the password brut-force - $nextLoginIn = $this->getNextLoginTimeout(); - if ($nextLoginIn > 0) { - $result['result'] = 'NeedToWait'; - $result['details'] = "Please wait $nextLoginIn seconds before next log-in attempt"; - $result['wait'] = $nextLoginIn; - $this->getResult()->addValue(null, 'login', $result); - return; - } - - $params = new FauxRequest(array ( - 'wpName' => $name, - 'wpPassword' => $password, - 'wpDomain' => $domain, + $req = new FauxRequest(array ( + 'wpName' => $params['name'], + 'wpPassword' => $params['password'], + 'wpDomain' => $params['domain'], 'wpRemember' => '' )); @@ -96,8 +68,8 @@ class ApiLogin extends ApiBase { wfSetupSession(); } - $loginForm = new LoginForm($params); - switch ($loginForm->authenticateUserData()) { + $loginForm = new LoginForm($req); + switch ($authRes = $loginForm->authenticateUserData()) { case LoginForm :: SUCCESS : global $wgUser, $wgCookiePrefix; @@ -139,95 +111,18 @@ class ApiLogin extends ApiBase { $result['result'] = 'CreateBlocked'; $result['details'] = 'Your IP address is blocked from account creation'; break; + case LoginForm :: THROTTLED : + global $wgPasswordAttemptThrottle; + $result['result'] = 'Throttled'; + $result['wait'] = $wgPasswordAttemptThrottle['seconds']; + break; default : - ApiBase :: dieDebug(__METHOD__, 'Unhandled case value'); - } - - if ($result['result'] != 'Success' && !isset( $result['details'] ) ) { - $delay = $this->cacheBadLogin(); - $result['wait'] = $delay; - $result['details'] = "Please wait " . $delay . " seconds before next log-in attempt"; + ApiBase :: dieDebug(__METHOD__, "Unhandled case value: {$authRes}"); } - // if we were allowed to try to login, memcache is fine $this->getResult()->addValue(null, 'login', $result); } - - /** - * Caches a bad-login attempt associated with the host and with an - * expiry of $this->mLoginThrottle. These are cached by a key - * separate from that used by the captcha system--as such, logging - * in through the standard interface will get you a legal session - * and cookies to prove it, but will not remove this entry. - * - * Returns the number of seconds until next login attempt will be allowed. - * - * @access private - */ - private function cacheBadLogin() { - global $wgMemc; - - $key = $this->getMemCacheKey(); - $val = $wgMemc->get( $key ); - - $val['lastReqTime'] = time(); - if (!isset($val['count'])) { - $val['count'] = 1; - } else { - $val['count'] = 1 + $val['count']; - } - - $delay = ApiLogin::calculateDelay($val['count']); - - $wgMemc->delete($key); - // Cache expiration should be the maximum timeout - to prevent a "try and wait" attack - $wgMemc->add( $key, $val, ApiLogin::calculateDelay(ApiLogin::THOTTLE_MAX_COUNT) ); - - return $delay; - } - - /** - * How much time the client must wait before it will be - * allowed to try to log-in next. - * The return value is 0 if no wait is required. - */ - private function getNextLoginTimeout() { - global $wgMemc; - - $val = $wgMemc->get($this->getMemCacheKey()); - - $elapse = (time() - $val['lastReqTime']); // in seconds - $canRetryIn = ApiLogin::calculateDelay($val['count']) - $elapse; - - return $canRetryIn < 0 ? 0 : $canRetryIn; - } - - /** - * Based on the number of previously attempted logins, returns - * the delay (in seconds) when the next login attempt will be allowed. - */ - private static function calculateDelay($count) { - // Defensive programming - $count = intval($count); - $count = $count < 1 ? 1 : $count; - $count = $count > self::THOTTLE_MAX_COUNT ? self::THOTTLE_MAX_COUNT : $count; - - return self::THROTTLE_TIME + self::THROTTLE_TIME * ($count - 1) * self::THROTTLE_FACTOR; - } - - /** - * Internal cache key for badlogin checks. Robbed from the - * ConfirmEdit extension and modified to use a key unique to the - * API login.3 - * - * @return string - * @access private - */ - private function getMemCacheKey() { - return wfMemcKey( 'apilogin', 'badlogin', 'ip', wfGetIP() ); - } - public function mustBePosted() { return true; } public function getAllowedParams() { @@ -263,6 +158,6 @@ class ApiLogin extends ApiBase { } public function getVersion() { - return __CLASS__ . ': $Id: ApiLogin.php 35565 2008-05-29 19:23:37Z btongminh $'; + return __CLASS__ . ': $Id: ApiLogin.php 45275 2009-01-01 02:02:03Z simetrical $'; } } |