You are here

protected function UserAuthenticationController::floodControl in Drupal 10

Same name and namespace in other branches
  1. 8 core/modules/user/src/Controller/UserAuthenticationController.php \Drupal\user\Controller\UserAuthenticationController::floodControl()
  2. 9 core/modules/user/src/Controller/UserAuthenticationController.php \Drupal\user\Controller\UserAuthenticationController::floodControl()

Enforces flood control for the current login request.

Parameters

\Symfony\Component\HttpFoundation\Request $request: The current request.

string $username: The user name sent for login credentials.

1 call to UserAuthenticationController::floodControl()
UserAuthenticationController::login in core/modules/user/src/Controller/UserAuthenticationController.php
Logs in a user.

File

core/modules/user/src/Controller/UserAuthenticationController.php, line 355

Class

UserAuthenticationController
Provides controllers for login, login status and logout via HTTP requests.

Namespace

Drupal\user\Controller

Code

protected function floodControl(Request $request, $username) {
  $flood_config = $this
    ->config('user.flood');
  if (!$this->userFloodControl
    ->isAllowed('user.failed_login_ip', $flood_config
    ->get('ip_limit'), $flood_config
    ->get('ip_window'))) {
    throw new AccessDeniedHttpException('Access is blocked because of IP based flood prevention.', NULL, Response::HTTP_TOO_MANY_REQUESTS);
  }
  if ($identifier = $this
    ->getLoginFloodIdentifier($request, $username)) {

    // Don't allow login if the limit for this user has been reached.
    // Default is to allow 5 failed attempts every 6 hours.
    if (!$this->userFloodControl
      ->isAllowed('user.http_login', $flood_config
      ->get('user_limit'), $flood_config
      ->get('user_window'), $identifier)) {
      if ($flood_config
        ->get('uid_only')) {
        $error_message = sprintf('There have been more than %s failed login attempts for this account. It is temporarily blocked. Try again later or request a new password.', $flood_config
          ->get('user_limit'));
      }
      else {
        $error_message = 'Too many failed login attempts from your IP address. This IP address is temporarily blocked.';
      }
      throw new AccessDeniedHttpException($error_message, NULL, Response::HTTP_TOO_MANY_REQUESTS);
    }
  }
}