You are here

Home » API reference » Drupal 9 » BasicAuth.php » BasicAuth

public function BasicAuth::authenticate in Drupal 9

Same name and namespace in other branches
  1. 8 core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php \Drupal\basic_auth\Authentication\Provider\BasicAuth::authenticate()

Authenticates the user.

Parameters

\Symfony\Component\HttpFoundation\Request|null $request: The request object.

Return value

\Drupal\Core\Session\AccountInterface|null AccountInterface - in case of a successful authentication. NULL - in case where authentication failed.

Overrides AuthenticationProviderInterface::authenticate

File

core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php, line 81

Class

BasicAuth
HTTP Basic authentication provider.

Namespace

Drupal\basic_auth\Authentication\Provider

Code

public function authenticate(Request $request) {
  $flood_config = $this->configFactory
    ->get('user.flood');
  $username = $request->headers
    ->get('PHP_AUTH_USER');
  $password = $request->headers
    ->get('PHP_AUTH_PW');

  // Flood protection: this is very similar to the user login form code.
  // @see \Drupal\user\Form\UserLoginForm::validateAuthentication()
  // Do not allow any login from the current user's IP if the limit has been
  // reached. Default is 50 failed attempts allowed in one hour. This is
  // independent of the per-user limit to catch attempts from one IP to log
  // in to many different user accounts.  We have a reasonably high limit
  // since there may be only one apparent IP for all users at an institution.
  if ($this->flood
    ->isAllowed('basic_auth.failed_login_ip', $flood_config
    ->get('ip_limit'), $flood_config
    ->get('ip_window'))) {
    $accounts = $this->entityTypeManager
      ->getStorage('user')
      ->loadByProperties([
      'name' => $username,
      'status' => 1,
    ]);
    $account = reset($accounts);
    if ($account) {
      if ($flood_config
        ->get('uid_only')) {

        // Register flood events based on the uid only, so they apply for any
        // IP address. This is the most secure option.
        $identifier = $account
          ->id();
      }
      else {

        // The default identifier is a combination of uid and IP address. This
        // is less secure but more resistant to denial-of-service attacks that
        // could lock out all users with public user names.
        $identifier = $account
          ->id() . '-' . $request
          ->getClientIP();
      }

      // Don't allow login if the limit for this user has been reached.
      // Default is to allow 5 failed attempts every 6 hours.
      if ($this->flood
        ->isAllowed('basic_auth.failed_login_user', $flood_config
        ->get('user_limit'), $flood_config
        ->get('user_window'), $identifier)) {
        $uid = $this->userAuth
          ->authenticate($username, $password);
        if ($uid) {
          $this->flood
            ->clear('basic_auth.failed_login_user', $identifier);
          return $this->entityTypeManager
            ->getStorage('user')
            ->load($uid);
        }
        else {

          // Register a per-user failed login event.
          $this->flood
            ->register('basic_auth.failed_login_user', $flood_config
            ->get('user_window'), $identifier);
        }
      }
    }
  }

  // Always register an IP-based failed login event.
  $this->flood
    ->register('basic_auth.failed_login_ip', $flood_config
    ->get('ip_window'));
  return NULL;
}