function BasicAuth::authenticate

Same name in other branches
  1. 9 core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php \Drupal\basic_auth\Authentication\Provider\BasicAuth::authenticate()
  2. 10 core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php \Drupal\basic_auth\Authentication\Provider\BasicAuth::authenticate()
  3. 11.x core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php \Drupal\basic_auth\Authentication\Provider\BasicAuth::authenticate()

Overrides AuthenticationProviderInterface::authenticate

File

core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php, line 88

Class

BasicAuth
HTTP Basic authentication provider.

Namespace

Drupal\basic_auth\Authentication\Provider

Code

public function authenticate(Request $request) {
    $flood_config = $this->configFactory
        ->get('user.flood');
    $username = $request->headers
        ->get('PHP_AUTH_USER');
    $password = $request->headers
        ->get('PHP_AUTH_PW');
    // Flood protection: this is very similar to the user login form code.
    // @see \Drupal\user\Form\UserLoginForm::validateAuthentication()
    // Do not allow any login from the current user's IP if the limit has been
    // reached. Default is 50 failed attempts allowed in one hour. This is
    // independent of the per-user limit to catch attempts from one IP to log
    // in to many different user accounts.  We have a reasonably high limit
    // since there may be only one apparent IP for all users at an institution.
    if ($this->flood
        ->isAllowed('basic_auth.failed_login_ip', $flood_config->get('ip_limit'), $flood_config->get('ip_window'))) {
        $accounts = $this->entityTypeManager
            ->getStorage('user')
            ->loadByProperties([
            'name' => $username,
            'status' => 1,
        ]);
        $account = reset($accounts);
        if ($account) {
            if ($flood_config->get('uid_only')) {
                // Register flood events based on the uid only, so they apply for any
                // IP address. This is the most secure option.
                $identifier = $account->id();
            }
            else {
                // The default identifier is a combination of uid and IP address. This
                // is less secure but more resistant to denial-of-service attacks that
                // could lock out all users with public user names.
                $identifier = $account->id() . '-' . $request->getClientIP();
            }
            // Don't allow login if the limit for this user has been reached.
            // Default is to allow 5 failed attempts every 6 hours.
            if ($this->flood
                ->isAllowed('basic_auth.failed_login_user', $flood_config->get('user_limit'), $flood_config->get('user_window'), $identifier)) {
                $uid = $this->userAuth
                    ->authenticate($username, $password);
                if ($uid) {
                    $this->flood
                        ->clear('basic_auth.failed_login_user', $identifier);
                    return $this->entityTypeManager
                        ->getStorage('user')
                        ->load($uid);
                }
                else {
                    // Register a per-user failed login event.
                    $this->flood
                        ->register('basic_auth.failed_login_user', $flood_config->get('user_window'), $identifier);
                }
            }
        }
    }
    // Always register an IP-based failed login event.
    $this->flood
        ->register('basic_auth.failed_login_ip', $flood_config->get('ip_window'));
    return NULL;
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.