You are here

Home » API reference » Drupal 8 » UserLoginForm.php » UserLoginForm

public function UserLoginForm::validateFinal in Drupal 8

Same name and namespace in other branches
  1. 9 core/modules/user/src/Form/UserLoginForm.php \Drupal\user\Form\UserLoginForm::validateFinal()

Checks if user was not authenticated, or if too many logins were attempted.

This validation function should always be the last one.

File

core/modules/user/src/Form/UserLoginForm.php, line 213

Class

UserLoginForm
Provides a user login form.

Namespace

Drupal\user\Form

Code

public function validateFinal(array &$form, FormStateInterface $form_state) {
  $flood_config = $this
    ->config('user.flood');
  if (!$form_state
    ->get('uid')) {

    // Always register an IP-based failed login event.
    $this->flood
      ->register('user.failed_login_ip', $flood_config
      ->get('ip_window'));

    // Register a per-user failed login event.
    if ($flood_control_user_identifier = $form_state
      ->get('flood_control_user_identifier')) {
      $this->flood
        ->register('user.failed_login_user', $flood_config
        ->get('user_window'), $flood_control_user_identifier);
    }
    if ($flood_control_triggered = $form_state
      ->get('flood_control_triggered')) {
      if ($flood_control_triggered == 'user') {
        $form_state
          ->setErrorByName('name', $this
          ->formatPlural($flood_config
          ->get('user_limit'), 'There has been more than one failed login attempt for this account. It is temporarily blocked. Try again later or <a href=":url">request a new password</a>.', 'There have been more than @count failed login attempts for this account. It is temporarily blocked. Try again later or <a href=":url">request a new password</a>.', [
          ':url' => Url::fromRoute('user.pass')
            ->toString(),
        ]));
      }
      else {

        // We did not find a uid, so the limit is IP-based.
        $form_state
          ->setErrorByName('name', $this
          ->t('Too many failed login attempts from your IP address. This IP address is temporarily blocked. Try again later or <a href=":url">request a new password</a>.', [
          ':url' => Url::fromRoute('user.pass')
            ->toString(),
        ]));
      }
    }
    else {

      // Use $form_state->getUserInput() in the error message to guarantee
      // that we send exactly what the user typed in. The value from
      // $form_state->getValue() may have been modified by validation
      // handlers that ran earlier than this one.
      $user_input = $form_state
        ->getUserInput();
      $query = isset($user_input['name']) ? [
        'name' => $user_input['name'],
      ] : [];
      $form_state
        ->setErrorByName('name', $this
        ->t('Unrecognized username or password. <a href=":password">Forgot your password?</a>', [
        ':password' => Url::fromRoute('user.pass', [], [
          'query' => $query,
        ])
          ->toString(),
      ]));
      $accounts = $this->userStorage
        ->loadByProperties([
        'name' => $form_state
          ->getValue('name'),
      ]);
      if (!empty($accounts)) {
        $this
          ->logger('user')
          ->notice('Login attempt failed for %user.', [
          '%user' => $form_state
            ->getValue('name'),
        ]);
      }
      else {

        // If the username entered is not a valid user,
        // only store the IP address.
        $this
          ->logger('user')
          ->notice('Login attempt failed from %ip.', [
          '%ip' => $this
            ->getRequest()
            ->getClientIp(),
        ]);
      }
    }
  }
  elseif ($flood_control_user_identifier = $form_state
    ->get('flood_control_user_identifier')) {

    // Clear past failures for this user so as not to block a user who might
    // log in and out more than once in an hour.
    $this->flood
      ->clear('user.failed_login_user', $flood_control_user_identifier);
  }
}