function BasicAuth::authenticate

Same name in other branches
  1. 9 core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php \Drupal\basic_auth\Authentication\Provider\BasicAuth::authenticate()
  2. 8.9.x core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php \Drupal\basic_auth\Authentication\Provider\BasicAuth::authenticate()
  3. 11.x core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php \Drupal\basic_auth\Authentication\Provider\BasicAuth::authenticate()

File

core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php, line 85

Class

BasicAuth
HTTP Basic authentication provider.

Namespace

Drupal\basic_auth\Authentication\Provider

Code

/**
 * Authenticates a request that carries HTTP Basic credentials.
 *
 * Two flood counters gate the attempt: a per-IP event
 * ('basic_auth.failed_login_ip') and a per-account event
 * ('basic_auth.failed_login_user'). Every path that does not end in a
 * successful login falls through to the final per-IP registration. That
 * includes requests already refused by either limit and requests whose user
 * name matches no usable account.
 *
 * @param \Symfony\Component\HttpFoundation\Request $request
 *   The request; credentials are read from its PHP_AUTH_USER and PHP_AUTH_PW
 *   headers.
 *
 * @return \Drupal\Core\Session\AccountInterface|null
 *   The account looked up for the supplied user name when the password check
 *   succeeds, NULL on every other path.
 *
 * @see \Drupal\user\Form\UserLoginForm::validateAuthentication()
 */
public function authenticate(Request $request) {
    $flood_settings = $this->configFactory->get('user.flood');
    $name = $request->headers->get('PHP_AUTH_USER');
    $secret = $request->headers->get('PHP_AUTH_PW');

    // Stays FALSE unless the IP gate is open and a usable account is found.
    $candidate = FALSE;

    // Per-IP gate. It is independent of the per-user limit so that one address
    // trying many different accounts is still caught. Default is 50 failed
    // attempts allowed in one hour; the limit is deliberately high because a
    // whole institution may appear behind a single IP.
    // No identifier is passed here, so the flood service picks it itself.
    if ($this->flood->isAllowed('basic_auth.failed_login_ip', $flood_settings->get('ip_limit'), $flood_settings->get('ip_window'))) {
        if ($this->userAuth instanceof UserAuthenticationInterface) {
            // Newer API: resolve the name first and discard blocked accounts.
            $found = $this->userAuth->lookupAccount($name);
            $candidate = ($found && !$found->isBlocked()) ? $found : FALSE;
        }
        else {
            // Older API: load by name, restricted to status 1 (active) users.
            $matches = $this->entityTypeManager->getStorage('user')->loadByProperties([
                'name' => $name,
                'status' => 1,
            ]);
            // reset() yields FALSE when nothing matched.
            $candidate = reset($matches);
        }
    }

    // NOTE(review): when no account matches, no password check runs at all and
    // only the per-IP event below is recorded. Confirm whether the resulting
    // difference from a wrong-password attempt matters for your deployment.
    if ($candidate) {
        // uid_only: the counter follows the account across every IP address
        // (the most secure option). Otherwise it is scoped to uid + client IP,
        // which is less secure but more resistant to denial-of-service attacks
        // that could lock out all users with public user names.
        // NOTE(review): the uid + IP key is only as trustworthy as the client
        // IP the request reports; verify reverse-proxy settings.
        $flood_key = $flood_settings->get('uid_only')
            ? $candidate->id()
            : $candidate->id() . '-' . $request->getClientIP();

        // Per-user gate. Default is to allow 5 failed attempts every 6 hours.
        if ($this->flood->isAllowed('basic_auth.failed_login_user', $flood_settings->get('user_limit'), $flood_settings->get('user_window'), $flood_key)) {
            if ($this->userAuth instanceof UserAuthenticationInterface) {
                $verified_uid = $this->userAuth->authenticateAccount($candidate, $secret) ? $candidate->id() : FALSE;
            }
            else {
                $verified_uid = $this->userAuth->authenticate($name, $secret);
            }

            if ($verified_uid) {
                // Success resets only the per-user counter; the per-IP counter
                // is left as it is.
                $this->flood->clear('basic_auth.failed_login_user', $flood_key);
                return $candidate;
            }

            // Wrong password: count it against this user identifier.
            $this->flood->register('basic_auth.failed_login_user', $flood_settings->get('user_window'), $flood_key);
        }
    }

    // Reached on every non-success path: always record a per-IP failure.
    $this->flood->register('basic_auth.failed_login_ip', $flood_settings->get('ip_window'));
    return NULL;
}
