protected function UserAuthenticationController::getLoginFloodIdentifier in Drupal 9

Same name and namespace in other branches

1. 8 core/modules/user/src/Controller/UserAuthenticationController.php \Drupal\user\Controller\UserAuthenticationController::getLoginFloodIdentifier()

Gets the login identifier for user login flood control.

Parameters

\Symfony\Component\HttpFoundation\Request $request: The current request.

string $username: The username supplied in login credentials.

Return value

string The login identifier or if the user does not exist an empty string.

2 calls to UserAuthenticationController::getLoginFloodIdentifier()

UserAuthenticationController::floodControl in core/modules/user/src/Controller/UserAuthenticationController.php

Enforces flood control for the current login request.

UserAuthenticationController::login in core/modules/user/src/Controller/UserAuthenticationController.php

Logs in a user.

File

core/modules/user/src/Controller/UserAuthenticationController.php, line 391

Class

UserAuthenticationController

Provides controllers for login, login status and logout via HTTP requests.

Namespace

Drupal\user\Controller

Code

protected function getLoginFloodIdentifier(Request $request, $username) {
  $flood_config = $this
    ->config('user.flood');
  $accounts = $this->userStorage
    ->loadByProperties([
    'name' => $username,
    'status' => 1,
  ]);
  if ($account = reset($accounts)) {
    if ($flood_config
      ->get('uid_only')) {

      // Register flood events based on the uid only, so they apply for any
      // IP address. This is the most secure option.
      $identifier = $account
        ->id();
    }
    else {

      // The default identifier is a combination of uid and IP address. This
      // is less secure but more resistant to denial-of-service attacks that
      // could lock out all users with public user names.
      $identifier = $account
        ->id() . '-' . $request
        ->getClientIp();
    }
    return $identifier;
  }
  return '';
}