class UserLoginForm

Same name and namespace in other branches
  1. 9 core/modules/user/src/Form/UserLoginForm.php \Drupal\user\Form\UserLoginForm
  2. 8.9.x core/modules/user/src/Form/UserLoginForm.php \Drupal\user\Form\UserLoginForm
  3. 10 core/modules/user/src/Form/UserLoginForm.php \Drupal\user\Form\UserLoginForm

Provides a user login form.

@internal

Hierarchy

Expanded class hierarchy of UserLoginForm

1 file declares its use of UserLoginForm
UserLoginBlock.php in core/modules/user/src/Plugin/Block/UserLoginBlock.php
1 string reference to 'UserLoginForm'
user.routing.yml in core/modules/user/user.routing.yml
core/modules/user/user.routing.yml

File

core/modules/user/src/Form/UserLoginForm.php, line 23

Namespace

Drupal\user\Form
View on git.drupalcode.org
View source 
class UserLoginForm extends FormBase implements WorkspaceSafeFormInterface {
  
  /**
   * The user flood control service.
   *
   * @var \Drupal\user\UserFloodControl
   */
  protected $userFloodControl;
  
  /**
   * The user storage.
   *
   * @var \Drupal\user\UserStorageInterface
   */
  protected $userStorage;
  
  /**
   * The user authentication object.
   *
   * @var \Drupal\user\UserAuthInterface|\Drupal\user\UserAuthenticationInterface
   */
  protected $userAuth;
  
  /**
   * The renderer.
   *
   * @var \Drupal\Core\Render\RendererInterface
   */
  protected $renderer;
  
  /**
   * The bare HTML renderer.
   *
   * @var \Drupal\Core\Render\BareHtmlPageRendererInterface
   */
  protected $bareHtmlPageRenderer;
  
  /**
   * Constructs a new UserLoginForm.
   *
   * @param \Drupal\user\UserFloodControlInterface $user_flood_control
   *   The user flood control service.
   * @param \Drupal\user\UserStorageInterface $user_storage
   *   The user storage.
   * @param \Drupal\user\UserAuthInterface|\Drupal\user\UserAuthenticationInterface $user_auth
   *   The user authentication object.
   * @param \Drupal\Core\Render\RendererInterface $renderer
   *   The renderer.
   * @param \Drupal\Core\Render\BareHtmlPageRendererInterface $bare_html_renderer
   *   The renderer.
   */
  public function __construct(UserFloodControlInterface $user_flood_control, UserStorageInterface $user_storage, UserAuthInterface|UserAuthenticationInterface $user_auth, RendererInterface $renderer, BareHtmlPageRendererInterface $bare_html_renderer) {
    $this->userFloodControl = $user_flood_control;
    $this->userStorage = $user_storage;
    if (!$user_auth instanceof UserAuthenticationInterface) {
      @trigger_error('The $user_auth parameter not implementing UserAuthenticationInterface is deprecated in drupal:10.3.0 and will be removed in drupal:12.0.0. See https://www.drupal.org/node/3411040');
    }
    $this->userAuth = $user_auth;
    $this->renderer = $renderer;
    $this->bareHtmlPageRenderer = $bare_html_renderer;
  }
  
  /**
   * {@inheritdoc}
   */
  public static function create(ContainerInterface $container) {
    return new static($container->get('user.flood_control'), $container->get('entity_type.manager')
      ->getStorage('user'), $container->get('user.auth'), $container->get('renderer'), $container->get('bare_html_page_renderer'));
  }
  
  /**
   * {@inheritdoc}
   */
  public function getFormId() {
    return 'user_login_form';
  }
  
  /**
   * {@inheritdoc}
   */
  public function buildForm(array $form, FormStateInterface $form_state) {
    $config = $this->config('system.site');
    // Display login form:
    $form['name'] = [
      '#type' => 'textfield',
      '#title' => $this->t('Username'),
      '#size' => 60,
      '#maxlength' => UserInterface::USERNAME_MAX_LENGTH,
      '#required' => TRUE,
      '#attributes' => [
        'autocorrect' => 'none',
        'autocapitalize' => 'none',
        'spellcheck' => 'false',
        'autofocus' => 'autofocus',
        'autocomplete' => 'username',
      ],
    ];
    $form['pass'] = [
      '#type' => 'password',
      '#title' => $this->t('Password'),
      '#size' => 60,
      '#required' => TRUE,
      '#attributes' => [
        'autocomplete' => 'current-password',
      ],
    ];
    $form['actions'] = [
      '#type' => 'actions',
    ];
    $form['actions']['submit'] = [
      '#type' => 'submit',
      '#value' => $this->t('Log in'),
    ];
    $form['#validate'][] = '::validateAuthentication';
    $form['#validate'][] = '::validateFinal';
    $this->renderer
      ->addCacheableDependency($form, $config);
    return $form;
  }
  
  /**
   * {@inheritdoc}
   */
  public function submitForm(array &$form, FormStateInterface $form_state) {
    if (empty($uid = $form_state->get('uid'))) {
      return;
    }
    $account = $this->userStorage
      ->load($uid);
    // A destination was set, probably on an exception controller.
    if (!$this->getRequest()->request
      ->has('destination')) {
      $form_state->setRedirect('entity.user.canonical', [
        'user' => $account->id(),
      ]);
    }
    else {
      $this->getRequest()->query
        ->set('destination', $this->getRequest()->request
        ->get('destination'));
    }
    user_login_finalize($account);
  }
  
  /**
   * Checks supplied username/password against local users table.
   *
   * If successful, $form_state->get('uid') is set to the matching user ID.
   */
  public function validateAuthentication(array &$form, FormStateInterface $form_state) {
    $password = trim($form_state->getValue('pass'));
    $flood_config = $this->config('user.flood');
    $account = FALSE;
    if (!$form_state->isValueEmpty('name') && strlen($password) > 0) {
      // Do not allow any login from the current user's IP if the limit has been
      // reached. Default is 50 failed attempts allowed in one hour. This is
      // independent of the per-user limit to catch attempts from one IP to log
      // in to many different user accounts.  We have a reasonably high limit
      // since there may be only one apparent IP for all users at an
      // institution.
      if (!$this->userFloodControl
        ->isAllowed('user.failed_login_ip', $flood_config->get('ip_limit'), $flood_config->get('ip_window'))) {
        $form_state->set('flood_control_triggered', 'ip');
        return;
      }
      if ($this->userAuth instanceof UserAuthenticationInterface) {
        $account = $this->userAuth
          ->lookupAccount($form_state->getValue('name'));
      }
      else {
        $accounts = $this->userStorage
          ->loadByProperties([
          'name' => $form_state->getValue('name'),
        ]);
        $account = reset($accounts);
      }
      if ($account && $account->isBlocked()) {
        $form_state->setErrorByName('name', $this->t('The username %name has not been activated or is blocked.', [
          '%name' => $form_state->getValue('name'),
        ]));
      }
      elseif ($account && $account->isActive()) {
        if ($flood_config->get('uid_only')) {
          // Register flood events based on the uid only, so they apply for any
          // IP address. This is the most secure option.
          $identifier = $account->id();
        }
        else {
          // The default identifier is a combination of uid and IP address. This
          // is less secure but more resistant to denial-of-service attacks that
          // could lock out all users with public user names.
          $identifier = $account->id() . '-' . $this->getRequest()
            ->getClientIP();
        }
        $form_state->set('flood_control_user_identifier', $identifier);
        // If there are zero flood records for this user, then we don't need to
        // clear any failed login attempts after a successful login, so check
        // for this case first before checking the actual flood limit and store
        // the result in form state.
        if (!$this->userFloodControl
          ->isAllowed('user.failed_login_user', 1, $flood_config->get('user_window'), $identifier)) {
          // Now check the actual limit for the user. Default is to allow 5
          // failed attempts every 6 hours. This means we check the flood table
          // twice if flood control has already been triggered by a previous
          // login attempt, but this should be the less common case.
          if (!$this->userFloodControl
            ->isAllowed('user.failed_login_user', $flood_config->get('user_limit'), $flood_config->get('user_window'), $identifier)) {
            $form_state->set('flood_control_triggered', 'user');
            return;
          }
        }
        else {
          $form_state->set('flood_control_skip_clear', 'user');
        }
        // We are not limited by flood control, so try to authenticate.
        // Store the user ID in form state as a flag for self::validateFinal().
        if ($this->userAuth instanceof UserAuthenticationInterface) {
          $form_state->set('uid', $this->userAuth
            ->authenticateAccount($account, $password) ? $account->id() : FALSE);
        }
        else {
          $uid = $this->userAuth
            ->authenticate($form_state->getValue('name'), $password);
          $form_state->set('uid', $uid);
        }
      }
      elseif (!$this->userAuth instanceof UserAuthenticationInterface) {
        $uid = $this->userAuth
          ->authenticate($form_state->getValue('name'), $password);
        $form_state->set('uid', $uid);
      }
    }
  }
  
  /**
   * Checks if user was not authenticated, or if too many logins were attempted.
   *
   * This validation function should always be the last one.
   */
  public function validateFinal(array &$form, FormStateInterface $form_state) {
    $flood_config = $this->config('user.flood');
    if (!$form_state->get('uid')) {
      // Always register an IP-based failed login event.
      $this->userFloodControl
        ->register('user.failed_login_ip', $flood_config->get('ip_window'));
      // Register a per-user failed login event.
      if ($flood_control_user_identifier = $form_state->get('flood_control_user_identifier')) {
        $this->userFloodControl
          ->register('user.failed_login_user', $flood_config->get('user_window'), $flood_control_user_identifier);
      }
      if ($flood_control_triggered = $form_state->get('flood_control_triggered')) {
        if ($flood_control_triggered == 'user') {
          $message = $this->formatPlural($flood_config->get('user_limit'), 'There has been more than one failed login attempt for this account. It is temporarily blocked. Try again later or <a href=":url">request a new password</a>.', 'There have been more than @count failed login attempts for this account. It is temporarily blocked. Try again later or <a href=":url">request a new password</a>.', [
            ':url' => Url::fromRoute('user.pass')->toString(),
          ]);
        }
        else {
          // We did not find a uid, so the limit is IP-based.
          $message = $this->t('Too many failed login attempts from your IP address. This IP address is temporarily blocked. Try again later or <a href=":url">request a new password</a>.', [
            ':url' => Url::fromRoute('user.pass')->toString(),
          ]);
        }
        $response = $this->bareHtmlPageRenderer
          ->renderBarePage([
          '#markup' => $message,
        ], $this->t('Login failed'), 'maintenance_page__flood');
        $response->setStatusCode(403);
        $form_state->setResponse($response);
      }
      else {
        $form_state->setErrorByName('name', $this->t('Unrecognized username or password. <a href=":password">Forgot your password?</a>', [
          ':password' => Url::fromRoute('user.pass')->toString(),
        ]));
        $accounts = $this->userStorage
          ->loadByProperties([
          'name' => $form_state->getValue('name'),
        ]);
        if (!empty($accounts)) {
          $this->logger('user')
            ->notice('Login attempt failed for %user.', [
            '%user' => $form_state->getValue('name'),
          ]);
        }
        else {
          // If the username entered is not a valid user,
          // only store the IP address.
          $this->logger('user')
            ->notice('Login attempt failed from %ip.', [
            '%ip' => $this->getRequest()
              ->getClientIp(),
          ]);
        }
      }
    }
    elseif (!$form_state->get('flood_control_skip_clear') && ($flood_control_user_identifier = $form_state->get('flood_control_user_identifier'))) {
      // Clear past failures for this user so as not to block a user who might
      // log in and out more than once in an hour.
      $this->userFloodControl
        ->clear('user.failed_login_user', $flood_control_user_identifier);
    }
  }

}

Members

Title Modifiers Object type Summary Overriden Title Overrides
DependencySerializationTrait::$_entityStorages protected property An array of entity type IDs keyed by the property name of their storages.
DependencySerializationTrait::$_serviceIds protected property An array of service IDs keyed by property name used for serialization.
DependencySerializationTrait::__sleep public function 3
DependencySerializationTrait::__wakeup public function 3
FormBase::$configFactory protected property The config factory. 2
FormBase::$elementInfoManager protected property The element info manager.
FormBase::$requestStack protected property The request stack. 1
FormBase::$routeMatch protected property The route match.
FormBase::config protected function Retrieves a configuration object.
FormBase::configFactory protected function Gets the config factory for this form. 2
FormBase::container private function Returns the service container.
FormBase::currentUser protected function Gets the current user. 2
FormBase::elementInfoManager protected function The element info manager.
FormBase::getRequest protected function Gets the request object.
FormBase::getRouteMatch protected function Gets the route match.
FormBase::logger protected function Gets the logger for a specific channel.
FormBase::redirect protected function Returns a redirect response object for the specified route.
FormBase::resetConfigFactory public function Resets the configuration factory.
FormBase::setConfigFactory public function Sets the config factory for this form.
FormBase::setElementInfoManager public function Sets the element info manager for this form.
FormBase::setRequestStack public function Sets the request stack object to use.
FormBase::validateForm public function Form validation handler. Overrides FormInterface::validateForm 60
LoggerChannelTrait::$loggerFactory protected property The logger channel factory service.
LoggerChannelTrait::getLogger protected function Gets the logger for a specific channel.
LoggerChannelTrait::setLoggerFactory public function Injects the logger channel factory.
MessengerTrait::$messenger protected property The messenger. 25
MessengerTrait::messenger public function Gets the messenger. 25
MessengerTrait::setMessenger public function Sets the messenger.
RedirectDestinationTrait::$redirectDestination protected property The redirect destination service. 2
RedirectDestinationTrait::getDestinationArray protected function Prepares a &#039;destination&#039; URL query parameter for use with \Drupal\Core\Url.
RedirectDestinationTrait::getRedirectDestination protected function Returns the redirect destination service.
RedirectDestinationTrait::setRedirectDestination public function Sets the redirect destination service.
StringTranslationTrait::$stringTranslation protected property The string translation service. 3
StringTranslationTrait::formatPlural protected function Formats a string containing a count of items.
StringTranslationTrait::getNumberOfPlurals protected function Returns the number of plurals supported by a given language.
StringTranslationTrait::getStringTranslation protected function Gets the string translation service.
StringTranslationTrait::setStringTranslation public function Sets the string translation service to use. 2
StringTranslationTrait::t protected function Translates a string to the current language or to a given language. 1
UserLoginForm::$bareHtmlPageRenderer protected property The bare HTML renderer.
UserLoginForm::$renderer protected property The renderer.
UserLoginForm::$userAuth protected property The user authentication object.
UserLoginForm::$userFloodControl protected property The user flood control service.
UserLoginForm::$userStorage protected property The user storage.
UserLoginForm::buildForm public function Form constructor. Overrides FormInterface::buildForm
UserLoginForm::create public static function Instantiates a new instance of this class. Overrides FormBase::create
UserLoginForm::getFormId public function Returns a unique string identifying the form. Overrides FormInterface::getFormId
UserLoginForm::submitForm public function Form submission handler. Overrides FormInterface::submitForm
UserLoginForm::validateAuthentication public function Checks supplied username/password against local users table.
UserLoginForm::validateFinal public function Checks if user was not authenticated, or if too many logins were attempted.
UserLoginForm::__construct public function Constructs a new UserLoginForm.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.