function BasicAuth::authenticate

Same name and namespace in other branches
  1. 9 core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php \Drupal\basic_auth\Authentication\Provider\BasicAuth::authenticate()
  2. 8.9.x core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php \Drupal\basic_auth\Authentication\Provider\BasicAuth::authenticate()
  3. 11.x core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php \Drupal\basic_auth\Authentication\Provider\BasicAuth::authenticate()

File

core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php, line 85

Class

BasicAuth
HTTP Basic authentication provider.

Namespace

Drupal\basic_auth\Authentication\Provider

Code

public function authenticate(Request $request) {
  $flood_config = $this->configFactory
    ->get('user.flood');
  $username = $request->headers
    ->get('PHP_AUTH_USER');
  $password = $request->headers
    ->get('PHP_AUTH_PW');
  // Flood protection: this is very similar to the user login form code.
  // @see \Drupal\user\Form\UserLoginForm::validateAuthentication()
  // Do not allow any login from the current user's IP if the limit has been
  // reached. Default is 50 failed attempts allowed in one hour. This is
  // independent of the per-user limit to catch attempts from one IP to log
  // in to many different user accounts.  We have a reasonably high limit
  // since there may be only one apparent IP for all users at an institution.
  if ($this->flood
    ->isAllowed('basic_auth.failed_login_ip', $flood_config->get('ip_limit'), $flood_config->get('ip_window'))) {
    $account = FALSE;
    if ($this->userAuth instanceof UserAuthenticationInterface) {
      $lookup = $this->userAuth
        ->lookupAccount($username);
      if ($lookup && !$lookup->isBlocked()) {
        $account = $lookup;
      }
    }
    else {
      $accounts = $this->entityTypeManager
        ->getStorage('user')
        ->loadByProperties([
        'name' => $username,
        'status' => 1,
      ]);
      $account = reset($accounts);
    }
    if ($account) {
      if ($flood_config->get('uid_only')) {
        // Register flood events based on the uid only, so they apply for any
        // IP address. This is the most secure option.
        $identifier = $account->id();
      }
      else {
        // The default identifier is a combination of uid and IP address. This
        // is less secure but more resistant to denial-of-service attacks that
        // could lock out all users with public user names.
        $identifier = $account->id() . '-' . $request->getClientIP();
      }
      // Don't allow login if the limit for this user has been reached.
      // Default is to allow 5 failed attempts every 6 hours.
      if ($this->flood
        ->isAllowed('basic_auth.failed_login_user', $flood_config->get('user_limit'), $flood_config->get('user_window'), $identifier)) {
        $uid = FALSE;
        if ($this->userAuth instanceof UserAuthenticationInterface) {
          $uid = $this->userAuth
            ->authenticateAccount($account, $password) ? $account->id() : FALSE;
        }
        else {
          $uid = $this->userAuth
            ->authenticate($username, $password);
        }
        if ($uid) {
          $this->flood
            ->clear('basic_auth.failed_login_user', $identifier);
          return $account;
        }
        else {
          // Register a per-user failed login event.
          $this->flood
            ->register('basic_auth.failed_login_user', $flood_config->get('user_window'), $identifier);
        }
      }
    }
  }
  // Always register an IP-based failed login event.
  $this->flood
    ->register('basic_auth.failed_login_ip', $flood_config->get('ip_window'));
  return NULL;
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.