public function UserLogin::processRequest in Services 9.0.x
Same name and namespace in other branches
- 8.4 src/Plugin/ServiceDefinition/UserLogin.php \Drupal\services\Plugin\ServiceDefinition\UserLogin::processRequest()
Processes the request and returns an array of data as appropriate.
Parameters
\Symfony\Component\HttpFoundation\Request $request: The request object.
\Drupal\Core\Routing\RouteMatchInterface $route_match: The route match object.
\Symfony\Component\Serializer\SerializerInterface $serializer: The serializer. Some methods might require the plugin to leverage the serializer after extracting the request contents.
Return value
array The response.
Throws
\Symfony\Component\HttpKernel\Exception\HttpException
Overrides ServiceDefinitionInterface::processRequest
File
- src/
Plugin/ ServiceDefinition/ UserLogin.php, line 85
Class
- UserLogin
- Plugin annotation @ServiceDefinition( id = "user_login", methods = { "POST" }, title = @Translation("User login"), description = @Translation("Allows users to login."), category = @Translation("User"), path = "user/login" )
Namespace
Drupal\services\Plugin\ServiceDefinitionCode
public function processRequest(Request $request, RouteMatchInterface $route_match, SerializerInterface $serializer) {
if ($serializer instanceof DecoderInterface) {
$content = $serializer
->decode($request
->getContent(), $request
->getContentType());
}
else {
throw new HttpException(500, $this
->t('The appropriate DecoderInterface was not found.'));
}
if (!isset($content)) {
throw new HttpException(500, $this
->t('The content of the request was empty.'));
}
$flood_config = $this->configFactory
->get('user.flood');
$username = $content['username'];
$password = $content['password'];
// Flood protection: this is very similar to the user login form code.
// @see \Drupal\user\Form\UserLoginForm::validateAuthentication()
// Do not allow any login from the current user's IP if the limit has been
// reached. Default is 50 failed attempts allowed in one hour. This is
// independent of the per-user limit to catch attempts from one IP to log
// in to many different user accounts. We have a reasonably high limit
// since there may be only one apparent IP for all users at an institution.
if ($this->flood
->isAllowed('services.failed_login_ip', $flood_config
->get('ip_limit'), $flood_config
->get('ip_window'))) {
$accounts = $this->entityManager
->getStorage('user')
->loadByProperties(array(
'name' => $username,
'status' => 1,
));
$account = reset($accounts);
if ($account) {
if ($flood_config
->get('uid_only')) {
// Register flood events based on the uid only, so they apply for any
// IP address. This is the most secure option.
$identifier = $account
->id();
}
else {
// The default identifier is a combination of uid and IP address. This
// is less secure but more resistant to denial-of-service attacks that
// could lock out all users with public user names.
$identifier = $account
->id() . '-' . $request
->getClientIP();
}
// Don't allow login if the limit for this user has been reached.
// Default is to allow 5 failed attempts every 6 hours.
if ($this->flood
->isAllowed('services.failed_login_user', $flood_config
->get('user_limit'), $flood_config
->get('user_window'), $identifier)) {
$uid = $this->userAuth
->authenticate($username, $password);
if ($uid) {
$this->flood
->clear('services.failed_login_user', $identifier);
$this->session
->start();
user_login_finalize($account);
$this
->messenger()
->addMessage(t('User successfully logged in'), 'status', FALSE);
return [
'id' => $this->session
->getId(),
'name' => $this->session
->getName(),
];
// Return $this->entityManager->getStorage('user')->load($uid);
}
else {
// Register a per-user failed login event.
$this->flood
->register('services.failed_login_user', $flood_config
->get('user_window'), $identifier);
}
}
}
}
// Always register an IP-based failed login event.
$this->flood
->register('services.failed_login_ip', $flood_config
->get('ip_window'));
return [];
}