MENU
Edit
In Place Editing Advanced Editing

BasicAuth::authenticate

public BasicAuth::authenticate(Request $request)

Authenticates the user.

Parameters

\Symfony\Component\HttpFoundation\Request|null $request: The request object.

Return value

\Drupal\Core\Session\AccountInterface|null AccountInterface - in case of a successful authentication. NULL - in case where authentication failed.

Overrides AuthenticationProviderInterface::authenticate

File

core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php, line 79

Class

BasicAuth
HTTP Basic authentication provider.

Namespace

Drupal\basic_auth\Authentication\Provider

Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
public function authenticate(Request $request) {
  $flood_config = $this->configFactory->get('user.flood');
  $username = $request->headers->get('PHP_AUTH_USER');
  $password = $request->headers->get('PHP_AUTH_PW');
  // Flood protection: this is very similar to the user login form code.
  // @see \Drupal\user\Form\UserLoginForm::validateAuthentication()
  // Do not allow any login from the current user's IP if the limit has been
  // reached. Default is 50 failed attempts allowed in one hour. This is
  // independent of the per-user limit to catch attempts from one IP to log
  // in to many different user accounts.  We have a reasonably high limit
  // since there may be only one apparent IP for all users at an institution.
  if ($this->flood->isAllowed('basic_auth.failed_login_ip', $flood_config->get('ip_limit'), $flood_config->get('ip_window'))) {
    $accounts = $this->entityManager->getStorage('user')->loadByProperties(array('name' => $username, 'status' => 1));
    $account = reset($accounts);
    if ($account) {
      if ($flood_config->get('uid_only')) {
        // Register flood events based on the uid only, so they apply for any
        // IP address. This is the most secure option.
        $identifier = $account->id();
      }
      else {
        // The default identifier is a combination of uid and IP address. This
        // is less secure but more resistant to denial-of-service attacks that
        // could lock out all users with public user names.
        $identifier = $account->id() . '-' . $request->getClientIP();
      }
      // Don't allow login if the limit for this user has been reached.
      // Default is to allow 5 failed attempts every 6 hours.
      if ($this->flood->isAllowed('basic_auth.failed_login_user', $flood_config->get('user_limit'), $flood_config->get('user_window'), $identifier)) {
        $uid = $this->userAuth->authenticate($username, $password);
        if ($uid) {
          $this->flood->clear('basic_auth.failed_login_user', $identifier);
          return $this->entityManager->getStorage('user')->load($uid);
        }
        else {
          // Register a per-user failed login event.
          $this->flood->register('basic_auth.failed_login_user', $flood_config->get('user_window'), $identifier);
        }
      }
    }
  }
  // Always register an IP-based failed login event.
  $this->flood->register('basic_auth.failed_login_ip', $flood_config->get('ip_window'));
  return [];
}
doc_Drupal
doc_Drupal
2025-01-10 15:47:30
Comments
Leave a Comment

Please login to continue.