function UserAuthenticationController::login

Same name in other branches
  1. 9 core/modules/user/src/Controller/UserAuthenticationController.php \Drupal\user\Controller\UserAuthenticationController::login()
  2. 8.9.x core/modules/user/src/Controller/UserAuthenticationController.php \Drupal\user\Controller\UserAuthenticationController::login()
  3. 10 core/modules/user/src/Controller/UserAuthenticationController.php \Drupal\user\Controller\UserAuthenticationController::login()

Logs in a user.

Parameters

\Symfony\Component\HttpFoundation\Request $request: The request.

Return value

\Symfony\Component\HttpFoundation\Response A response which contains the ID and CSRF token.

1 string reference to 'UserAuthenticationController::login'
user.routing.yml in core/modules/user/user.routing.yml
core/modules/user/user.routing.yml

File

core/modules/user/src/Controller/UserAuthenticationController.php, line 166

Class

UserAuthenticationController
Provides controllers for login, login status and logout via HTTP requests.

Namespace

Drupal\user\Controller

Code

/**
 * Logs in a user from credentials supplied in the request body.
 *
 * The body is decoded using the request format and must contain 'name' and
 * 'pass'. After the flood-control check the account is looked up, blocked
 * accounts are rejected, and the password is verified. On success the
 * per-identifier flood record is cleared, the login is finalized, and a
 * serialized response is returned holding the 'current_user' fields the
 * account may view, a 'csrf_token' and a 'logout_token'. On failure the flood
 * events are registered and a generic error is thrown.
 *
 * @param \Symfony\Component\HttpFoundation\Request $request
 *   The request.
 *
 * @return \Symfony\Component\HttpFoundation\Response
 *   A response containing the encoded user metadata and CSRF tokens.
 *
 * @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
 *   Thrown when credentials are missing, the account is blocked, or the
 *   username/password pair is not accepted.
 */
public function login(Request $request) {
    $format = $this->getRequestFormat($request);
    $content = $request->getContent();
    $credentials = $this->serializer
        ->decode($content, $format);
    // isset() only proves the keys are present and non-NULL; it does not check
    // that the values are strings.
    // NOTE(review): 'name' and 'pass' are passed on unchanged to flood control,
    // account lookup and authentication below. Confirm those calls cope with
    // non-string values (e.g. a decoded array), or validate the type here.
    if (!isset($credentials['name']) && !isset($credentials['pass'])) {
        throw new BadRequestHttpException('Missing credentials.');
    }
    if (!isset($credentials['name'])) {
        throw new BadRequestHttpException('Missing credentials.name.');
    }
    if (!isset($credentials['pass'])) {
        throw new BadRequestHttpException('Missing credentials.pass.');
    }
    // Runs before any account lookup or password check. The implementation is
    // not shown here; presumably it rejects the request once a flood limit has
    // been reached. Verify against floodControl().
    $this->floodControl($request, $credentials['name']);
    $account = FALSE;
    // Two lookup paths: the newer UserAuthenticationInterface API when the
    // injected service implements it, otherwise a storage query by name.
    if ($this->userAuth instanceof UserAuthenticationInterface) {
        $account = $this->userAuth
            ->lookupAccount($credentials['name']);
    }
    else {
        $accounts = $this->userStorage
            ->loadByProperties([
            'name' => $credentials['name'],
        ]);
        if ($accounts) {
            $account = reset($accounts);
        }
    }
    if ($account) {
        // This check runs before the password is verified, so the message below
        // is returned for an existing blocked account whatever password was
        // sent, and it differs from the generic failure message at the end of
        // the method. The throw also leaves the method before the register()
        // calls below, so no flood event is recorded on this path.
        // NOTE(review): confirm that disclosing the blocked state to an
        // unauthenticated caller, without counting the attempt, is intended.
        if ($account->isBlocked()) {
            throw new BadRequestHttpException('The user has not been activated or is blocked.');
        }
        // $authenticated ends up truthy only when the password is accepted: the
        // account ID on the interface path, or whatever authenticate() returns
        // on the fallback path.
        if ($this->userAuth instanceof UserAuthenticationInterface) {
            $authenticated = $this->userAuth
                ->authenticateAccount($account, $credentials['pass']) ? $account->id() : FALSE;
        }
        else {
            $authenticated = $this->userAuth
                ->authenticate($credentials['name'], $credentials['pass']);
        }
        if ($authenticated) {
            // A successful login clears the 'user.http_login' flood record for
            // this request's identifier before the login is finalized.
            $this->userFloodControl
                ->clear('user.http_login', $this->getLoginFloodIdentifier($request, $credentials['name']));
            $this->userLoginFinalize($account);
            // Send basic metadata about the logged in user. Each field is added
            // only if the account has 'view' access to that field on itself.
            $response_data = [];
            if ($account->get('uid')
                ->access('view', $account)) {
                $response_data['current_user']['uid'] = $account->id();
            }
            if ($account->get('roles')
                ->access('view', $account)) {
                $response_data['current_user']['roles'] = $account->getRoles();
            }
            if ($account->get('name')
                ->access('view', $account)) {
                $response_data['current_user']['name'] = $account->getAccountName();
            }
            // Both tokens are returned in the response body: one generated for
            // the 'rest' value, one for the logout route path.
            $response_data['csrf_token'] = $this->csrfToken
                ->get('rest');
            $logout_route = $this->routeProvider
                ->getRouteByName('user.logout.http');
            // Trim '/' off path to match \Drupal\Core\Access\CsrfAccessCheck.
            $logout_path = ltrim($logout_route->getPath(), '/');
            $response_data['logout_token'] = $this->csrfToken
                ->get($logout_path);
            $encoded_response_data = $this->serializer
                ->encode($response_data, $format);
            return new Response($encoded_response_data);
        }
    }
    // Failure path: reached both when no account matched the name and when the
    // password was rejected, so the two cases register the same flood events
    // and return the same message.
    $flood_config = $this->config('user.flood');
    // The per-identifier event is registered only when an identifier is
    // returned (assignment inside the condition is intentional).
    if ($identifier = $this->getLoginFloodIdentifier($request, $credentials['name'])) {
        $this->userFloodControl
            ->register('user.http_login', $flood_config->get('user_window'), $identifier);
    }
    // Always register an IP-based failed login event. No explicit identifier
    // is passed to register() here.
    $this->userFloodControl
        ->register('user.failed_login_ip', $flood_config->get('ip_window'));
    throw new BadRequestHttpException('Sorry, unrecognized username or password.');
}
