function UserLoginForm::validateAuthentication

Same name and namespace in other branches
  1. 8.9.x core/modules/user/src/Form/UserLoginForm.php \Drupal\user\Form\UserLoginForm::validateAuthentication()
  2. 10 core/modules/user/src/Form/UserLoginForm.php \Drupal\user\Form\UserLoginForm::validateAuthentication()
  3. 11.x core/modules/user/src/Form/UserLoginForm.php \Drupal\user\Form\UserLoginForm::validateAuthentication()

Checks supplied username/password against local users table.

If successful, $form_state->get('uid') is set to the matching user ID.

File

core/modules/user/src/Form/UserLoginForm.php, line 189

Class

UserLoginForm
Provides a user login form.

Namespace

Drupal\user\Form

Code

public function validateAuthentication(array &$form, FormStateInterface $form_state) {
    $password = trim($form_state->getValue('pass'));
    $flood_config = $this->config('user.flood');
    if (!$form_state->isValueEmpty('name') && strlen($password) > 0) {
        // Do not allow any login from the current user's IP if the limit has been
        // reached. Default is 50 failed attempts allowed in one hour. This is
        // independent of the per-user limit to catch attempts from one IP to log
        // in to many different user accounts.  We have a reasonably high limit
        // since there may be only one apparent IP for all users at an institution.
        if (!$this->userFloodControl
            ->isAllowed('user.failed_login_ip', $flood_config->get('ip_limit'), $flood_config->get('ip_window'))) {
            $form_state->set('flood_control_triggered', 'ip');
            return;
        }
        $accounts = $this->userStorage
            ->loadByProperties([
            'name' => $form_state->getValue('name'),
            'status' => 1,
        ]);
        $account = reset($accounts);
        if ($account) {
            if ($flood_config->get('uid_only')) {
                // Register flood events based on the uid only, so they apply for any
                // IP address. This is the most secure option.
                $identifier = $account->id();
            }
            else {
                // The default identifier is a combination of uid and IP address. This
                // is less secure but more resistant to denial-of-service attacks that
                // could lock out all users with public user names.
                $identifier = $account->id() . '-' . $this->getRequest()
                    ->getClientIP();
            }
            $form_state->set('flood_control_user_identifier', $identifier);
            // Don't allow login if the limit for this user has been reached.
            // Default is to allow 5 failed attempts every 6 hours.
            if (!$this->userFloodControl
                ->isAllowed('user.failed_login_user', $flood_config->get('user_limit'), $flood_config->get('user_window'), $identifier)) {
                $form_state->set('flood_control_triggered', 'user');
                return;
            }
        }
        // We are not limited by flood control, so try to authenticate.
        // Store $uid in form state as a flag for self::validateFinal().
        $uid = $this->userAuth
            ->authenticate($form_state->getValue('name'), $password);
        $form_state->set('uid', $uid);
    }
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.