function UserLoginForm::validateAuthentication

Same name in other branches
  1. 9 core/modules/user/src/Form/UserLoginForm.php \Drupal\user\Form\UserLoginForm::validateAuthentication()
  2. 8.9.x core/modules/user/src/Form/UserLoginForm.php \Drupal\user\Form\UserLoginForm::validateAuthentication()
  3. 11.x core/modules/user/src/Form/UserLoginForm.php \Drupal\user\Form\UserLoginForm::validateAuthentication()

Checks supplied username/password against local users table.

If successful, $form_state->get('uid') is set to the matching user ID.

File

core/modules/user/src/Form/UserLoginForm.php, line 190

Class

UserLoginForm
Provides a user login form.

Namespace

Drupal\user\Form

Code

public function validateAuthentication(array &$form, FormStateInterface $form_state) {
    $password = trim($form_state->getValue('pass'));
    $flood_config = $this->config('user.flood');
    $account = FALSE;
    if (!$form_state->isValueEmpty('name') && strlen($password) > 0) {
        // Do not allow any login from the current user's IP if the limit has been
        // reached. Default is 50 failed attempts allowed in one hour. This is
        // independent of the per-user limit to catch attempts from one IP to log
        // in to many different user accounts.  We have a reasonably high limit
        // since there may be only one apparent IP for all users at an institution.
        if (!$this->userFloodControl
            ->isAllowed('user.failed_login_ip', $flood_config->get('ip_limit'), $flood_config->get('ip_window'))) {
            $form_state->set('flood_control_triggered', 'ip');
            return;
        }
        if ($this->userAuth instanceof UserAuthenticationInterface) {
            $account = $this->userAuth
                ->lookupAccount($form_state->getValue('name'));
        }
        else {
            $accounts = $this->userStorage
                ->loadByProperties([
                'name' => $form_state->getValue('name'),
            ]);
            $account = reset($accounts);
        }
        if ($account && $account->isBlocked()) {
            $form_state->setErrorByName('name', $this->t('The username %name has not been activated or is blocked.', [
                '%name' => $form_state->getValue('name'),
            ]));
        }
        elseif ($account && $account->isActive()) {
            if ($flood_config->get('uid_only')) {
                // Register flood events based on the uid only, so they apply for any
                // IP address. This is the most secure option.
                $identifier = $account->id();
            }
            else {
                // The default identifier is a combination of uid and IP address. This
                // is less secure but more resistant to denial-of-service attacks that
                // could lock out all users with public user names.
                $identifier = $account->id() . '-' . $this->getRequest()
                    ->getClientIP();
            }
            $form_state->set('flood_control_user_identifier', $identifier);
            // If there are zero flood records for this user, then we don't need to
            // clear any failed login attempts after a successful login, so check
            // for this case first before checking the actual flood limit and store
            // the result in form state.
            if (!$this->userFloodControl
                ->isAllowed('user.failed_login_user', 1, $flood_config->get('user_window'), $identifier)) {
                // Now check the actual limit for the user. Default is to allow 5
                // failed attempts every 6 hours. This means we check the flood table
                // twice if flood control has already been triggered by a previous
                // login attempt, but this should be the less common case.
                if (!$this->userFloodControl
                    ->isAllowed('user.failed_login_user', $flood_config->get('user_limit'), $flood_config->get('user_window'), $identifier)) {
                    $form_state->set('flood_control_triggered', 'user');
                    return;
                }
            }
            else {
                $form_state->set('flood_control_skip_clear', 'user');
            }
            // We are not limited by flood control, so try to authenticate.
            // Store the user ID in form state as a flag for self::validateFinal().
            if ($this->userAuth instanceof UserAuthenticationInterface) {
                $form_state->set('uid', $this->userAuth
                    ->authenticateAccount($account, $password) ? $account->id() : FALSE);
            }
            else {
                $uid = $this->userAuth
                    ->authenticate($form_state->getValue('name'), $password);
                $form_state->set('uid', $uid);
            }
        }
        elseif (!$this->userAuth instanceof UserAuthenticationInterface) {
            $uid = $this->userAuth
                ->authenticate($form_state->getValue('name'), $password);
            $form_state->set('uid', $uid);
        }
    }
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.