Issue #3410582 by catch, Prashant.c, heddn, alexpott, smustgrave,...

use Drupal\Core\Entity\EntityTypeManagerInterface;

use Drupal\Core\Flood\FloodInterface;

use Drupal\Core\Http\Exception\CacheableUnauthorizedHttpException;

use Drupal\user\UserAuthenticationInterface;

use Drupal\user\UserAuthInterface;

use Symfony\Component\HttpFoundation\Request;

use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;

  /**

   * The user auth service.

   *

   * @var \Drupal\user\UserAuthInterface

   */

  protected $userAuth;

   *

   * @param \Drupal\Core\Config\ConfigFactoryInterface $config_factory

   *   The config factory.

   * @param \Drupal\user\UserAuthInterface $user_auth

   * @param \Drupal\user\UserAuthInterface|\Drupal\user\UserAuthenticationInterface $user_auth

   *   The user authentication service.

   * @param \Drupal\Core\Flood\FloodInterface $flood

   *   The flood service.

   * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entity_type_manager

   *   The entity type manager service.

   */

  public function __construct(ConfigFactoryInterface $config_factory, UserAuthInterface $user_auth, FloodInterface $flood, EntityTypeManagerInterface $entity_type_manager) {

  public function __construct(ConfigFactoryInterface $config_factory, UserAuthInterface|UserAuthenticationInterface $user_auth, FloodInterface $flood, EntityTypeManagerInterface $entity_type_manager) {

    $this->configFactory = $config_factory;

    if (!$user_auth instanceof UserAuthenticationInterface) {

      @trigger_error('The $user_auth parameter implementing UserAuthInterface is deprecated in drupal:10.3.0 and will be removed in drupal:12.0.0. Implement UserAuthenticationInterface instead. See https://www.drupal.org/node/3411040');

    }

    $this->userAuth = $user_auth;

    $this->flood = $flood;

    $this->entityTypeManager = $entity_type_manager;

    // in to many different user accounts.  We have a reasonably high limit

    // since there may be only one apparent IP for all users at an institution.

    if ($this->flood->isAllowed('basic_auth.failed_login_ip', $flood_config->get('ip_limit'), $flood_config->get('ip_window'))) {

      $account = FALSE;

      if ($this->userAuth instanceof UserAuthenticationInterface) {

        $lookup = $this->userAuth->lookupAccount($username);

        if ($lookup && !$lookup->isBlocked()) {

          $account = $lookup;

        }

      }

      else {

        $accounts = $this->entityTypeManager->getStorage('user')->loadByProperties(['name' => $username, 'status' => 1]);

        $account = reset($accounts);

      }

      if ($account) {

        if ($flood_config->get('uid_only')) {

          // Register flood events based on the uid only, so they apply for any

        // Don't allow login if the limit for this user has been reached.

        // Default is to allow 5 failed attempts every 6 hours.

        if ($this->flood->isAllowed('basic_auth.failed_login_user', $flood_config->get('user_limit'), $flood_config->get('user_window'), $identifier)) {

          $uid = FALSE;

          if ($this->userAuth instanceof UserAuthenticationInterface && $this->userAuth->authenticateAccount($account, $password)) {

            $uid = $account->id();

          }

          else {

            $uid = $this->userAuth->authenticate($username, $password);

          }

          if ($uid) {

            $this->flood->clear('basic_auth.failed_login_user', $identifier);

            return $this->entityTypeManager->getStorage('user')->load($uid);

            return $account;

          }

          else {

            // Register a per-user failed login event.

use Drupal\Core\Controller\ControllerBase;

use Drupal\Core\DependencyInjection\ContainerInjectionInterface;

use Drupal\Core\Routing\RouteProviderInterface;

use Drupal\user\UserAuthenticationInterface;

use Drupal\user\UserAuthInterface;

use Drupal\user\UserFloodControlInterface;

use Drupal\user\UserInterface;

  /**

   * The user authentication.

   *

   * @var \Drupal\user\UserAuthInterface

   * @var \Drupal\user\UserAuthenticationInterface

   */

  protected $userAuth;

   *   The user storage.

   * @param \Drupal\Core\Access\CsrfTokenGenerator $csrf_token

   *   The CSRF token generator.

   * @param \Drupal\user\UserAuthInterface $user_auth

   * @param \Drupal\user\UserAuthenticationInterface|\Drupal\user\UserAuthInterface $user_auth

   *   The user authentication.

   * @param \Drupal\Core\Routing\RouteProviderInterface $route_provider

   *   The route provider.

   * @param \Psr\Log\LoggerInterface $logger

   *   A logger instance.

   */

  public function __construct(UserFloodControlInterface $user_flood_control, UserStorageInterface $user_storage, CsrfTokenGenerator $csrf_token, UserAuthInterface $user_auth, RouteProviderInterface $route_provider, Serializer $serializer, array $serializer_formats, LoggerInterface $logger) {

  public function __construct(UserFloodControlInterface $user_flood_control, UserStorageInterface $user_storage, CsrfTokenGenerator $csrf_token, UserAuthenticationInterface|UserAuthInterface $user_auth, RouteProviderInterface $route_provider, Serializer $serializer, array $serializer_formats, LoggerInterface $logger) {

    $this->userFloodControl = $user_flood_control;

    $this->userStorage = $user_storage;

    $this->csrfToken = $csrf_token;

    if (!$user_auth instanceof UserAuthenticationInterface) {

      @trigger_error('The $user_auth parameter implementing UserAuthInterface is deprecated in drupal:10.3.0 and will be removed in drupal:12.0.0. Implement UserAuthenticationInterface instead. See https://www.drupal.org/node/3411040');

    }

    $this->userAuth = $user_auth;

    $this->serializer = $serializer;

    $this->serializerFormats = $serializer_formats;

    $this->floodControl($request, $credentials['name']);

    if ($this->userIsBlocked($credentials['name'])) {

    $account = FALSE;

    if ($this->userAuth instanceof UserAuthenticationInterface) {

      $account = $this->userAuth->lookupAccount($credentials['name']);

    }

    else {

      $accounts = $this->userStorage->loadByProperties(['name' => $credentials['name']]);

      if ($accounts) {

        $account = reset($accounts);

      }

    }

    if ($account) {

      if ($account->isBlocked()) {

        throw new BadRequestHttpException('The user has not been activated or is blocked.');

      }

    if ($uid = $this->userAuth->authenticate($credentials['name'], $credentials['pass'])) {

      if ($this->userAuth->authenticateAccount($account, $credentials['pass'])) {

        $this->userFloodControl->clear('user.http_login', $this->getLoginFloodIdentifier($request, $credentials['name']));

      /** @var \Drupal\user\UserInterface $user */

      $user = $this->userStorage->load($uid);

      $this->userLoginFinalize($user);

        $this->userLoginFinalize($account);

        // Send basic metadata about the logged in user.

        $response_data = [];

      if ($user->get('uid')->access('view', $user)) {

        $response_data['current_user']['uid'] = $user->id();

        if ($account->get('uid')->access('view', $account)) {

          $response_data['current_user']['uid'] = $account->id();

        }

      if ($user->get('roles')->access('view', $user)) {

        $response_data['current_user']['roles'] = $user->getRoles();

        if ($account->get('roles')->access('view', $account)) {

          $response_data['current_user']['roles'] = $account->getRoles();

        }

      if ($user->get('name')->access('view', $user)) {

        $response_data['current_user']['name'] = $user->getAccountName();

        if ($account->get('name')->access('view', $account)) {

          $response_data['current_user']['name'] = $account->getAccountName();

        }

        $response_data['csrf_token'] = $this->csrfToken->get('rest');

        $encoded_response_data = $this->serializer->encode($response_data, $format);

        return new Response($encoded_response_data);

      }

    }

    $flood_config = $this->config('user.flood');

    if ($identifier = $this->getLoginFloodIdentifier($request, $credentials['name'])) {

      $users = $this->userStorage->loadByProperties(['mail' => trim($identifier)]);

    }

    /** @var \Drupal\Core\Session\AccountInterface $account */

    /** @var \Drupal\user\UserInterface $account */

    $account = reset($users);

    if ($account && $account->id()) {

      if ($this->userIsBlocked($account->getAccountName())) {

      if ($account->isBlocked()) {

        $this->logger->error('Unable to send password reset email for blocked or not yet activated user %identifier.', [

          '%identifier' => $identifier,

        ]);

   *

   * @return bool

   *   TRUE if the user is blocked, otherwise FALSE.

   *

   * @deprecated in drupal:10.3.0 and is removed from drupal:12.0.0. There

   * is no replacement.

   * @see https://www.drupal.org/node/3425340

   */

  protected function userIsBlocked($name) {

    @trigger_error(__METHOD__ . ' is deprecated in drupal:10.3.0 and is removed from drupal:11.0.0. There is no replacement. See https://www.drupal.org/node/3425340', E_USER_DEPRECATED);

    return user_is_blocked($name);

  }

use Drupal\Core\Render\RendererInterface;

use Drupal\Core\Render\BareHtmlPageRendererInterface;

use Drupal\Core\Url;

use Drupal\user\UserAuthenticationInterface;

use Drupal\user\UserAuthInterface;

use Drupal\user\UserInterface;

use Drupal\user\UserStorageInterface;

  /**

   * The user authentication object.

   *

   * @var \Drupal\user\UserAuthInterface

   * @var \Drupal\user\UserAuthenticationInterface

   */

  protected $userAuth;

   *   The user flood control service.

   * @param \Drupal\user\UserStorageInterface $user_storage

   *   The user storage.

   * @param \Drupal\user\UserAuthInterface $user_auth

   * @param \Drupal\user\UserAuthInterface|\Drupal\user\UserAuthenticationInterface $user_auth

   *   The user authentication object.

   * @param \Drupal\Core\Render\RendererInterface $renderer

   *   The renderer.

   * @param \Drupal\Core\Render\BareHtmlPageRendererInterface $bare_html_renderer

   *   The renderer.

   */

  public function __construct(UserFloodControlInterface $user_flood_control, UserStorageInterface $user_storage, UserAuthInterface $user_auth, RendererInterface $renderer, BareHtmlPageRendererInterface $bare_html_renderer) {

  public function __construct(UserFloodControlInterface $user_flood_control, UserStorageInterface $user_storage, UserAuthInterface|UserAuthenticationInterface $user_auth, RendererInterface $renderer, BareHtmlPageRendererInterface $bare_html_renderer) {

    $this->userFloodControl = $user_flood_control;

    $this->userStorage = $user_storage;

    if (!$user_auth instanceof UserAuthenticationInterface) {

      @trigger_error('The $user_auth parameter not implementing UserAuthenticationInterface is deprecated in drupal:10.3.0 and will be removed in drupal:12.0.0. See https://www.drupal.org/node/3411040');

    }

    $this->userAuth = $user_auth;

    $this->renderer = $renderer;

    $this->bareHtmlPageRenderer = $bare_html_renderer;

    $form['actions'] = ['#type' => 'actions'];

    $form['actions']['submit'] = ['#type' => 'submit', '#value' => $this->t('Log in')];

    $form['#validate'][] = '::validateName';

    $form['#validate'][] = '::validateAuthentication';

    $form['#validate'][] = '::validateFinal';

   * {@inheritdoc}

   */

  public function submitForm(array &$form, FormStateInterface $form_state) {

    if (empty($uid = $form_state->get('uid'))) {

    $uid = $form_state->get('uid');

    if (!$uid) {

      return;

    }

    $account = $this->userStorage->load($uid);

  /**

   * Sets an error if supplied username has been blocked.

   *

   * @deprecated in drupal:10.3.0 and is removed from drupal:11.0.0. There is no replacement.

   * @see https://www.drupal.org/node/3410706

   */

  public function validateName(array &$form, FormStateInterface $form_state) {

    @trigger_error(__METHOD__ . ' is deprecated in drupal:10.3.0 and is removed from drupal:11.0.0. There is no replacement. See https://www.drupal.org/node/3410706', E_USER_DEPRECATED);

    if (!$form_state->isValueEmpty('name') && user_is_blocked($form_state->getValue('name'))) {

      // Blocked in user administration.

      $form_state->setErrorByName('name', $this->t('The username %name has not been activated or is blocked.', ['%name' => $form_state->getValue('name')]));

  public function validateAuthentication(array &$form, FormStateInterface $form_state) {

    $password = trim($form_state->getValue('pass'));

    $flood_config = $this->config('user.flood');

    $account = FALSE;

    if (!$form_state->isValueEmpty('name') && strlen($password) > 0) {

      // Do not allow any login from the current user's IP if the limit has been

      // reached. Default is 50 failed attempts allowed in one hour. This is

        $form_state->set('flood_control_triggered', 'ip');

        return;

      }

      $accounts = $this->userStorage->loadByProperties(['name' => $form_state->getValue('name'), 'status' => 1]);

      if ($this->userAuth instanceof UserAuthenticationInterface) {

        $account = $this->userAuth->lookupAccount($form_state->getValue('name'));

      }

      else {

        $accounts = $this->userStorage->loadByProperties(['name' => $form_state->getValue('name')]);

        $account = reset($accounts);

      if ($account) {

      }

      if ($account && $account->isBlocked()) {

        $form_state->setErrorByName('name', $this->t('The username %name has not been activated or is blocked.', ['%name' => $form_state->getValue('name')]));

      }

      elseif ($account && $account->isActive()) {

        if ($flood_config->get('uid_only')) {

          // Register flood events based on the uid only, so they apply for any

          // IP address. This is the most secure option.

        else {

          $form_state->set('flood_control_skip_clear', 'user');

        }

      }

        // We are not limited by flood control, so try to authenticate.

      // Store $uid in form state as a flag for self::validateFinal().

        // Store the user ID in form state as a flag for self::validateFinal().

        if ($this->userAuth instanceof UserAuthenticationInterface) {

          if ($this->userAuth->authenticateAccount($account, $password)) {

            $form_state->set('uid', $account->id());

          }

        }

        else {

          $uid = $this->userAuth->authenticate($form_state->getValue('name'), $password);

          $form_state->set('uid', $uid);

        }

      }

    }

  }

  /**

   * Checks if user was not authenticated, or if too many logins were attempted.

/**

 * Validates user authentication credentials.

 */

class UserAuth implements UserAuthInterface {

class UserAuth implements UserAuthInterface, UserAuthenticationInterface {

  /**

   * The entity type manager.

   * {@inheritdoc}

   */

  public function authenticate($username, #[\SensitiveParameter] $password) {

    @trigger_error(__METHOD__ . ' is deprecated in drupal:10.3.0 and will be removed from drupal 12.0.0. Implement \Drupal\user\UserAuthenticationInterface instead. See https://www.drupal.org/node/3411040');

    $uid = FALSE;

    if (!empty($username) && strlen($password) > 0) {

      $account_search = $this->entityTypeManager->getStorage('user')->loadByProperties(['name' => $username]);

      if ($account = reset($account_search)) {

        if ($this->passwordChecker->check($password, $account->getPassword())) {

          // Successful authentication.

        if ($this->authenticateAccount($account, $password)) {

          $uid = $account->id();

        }

      }

    }

    return $uid;

  }

  /**

   * {@inheritdoc}

   */

  public function lookupAccount($identifier): UserInterface|false {

    if (!empty($identifier)) {

      $account_search = $this->entityTypeManager->getStorage('user')->loadByProperties(['name' => $identifier]);

      if ($account = reset($account_search)) {

        return $account;

      }

    }

    return FALSE;

  }

  /**

   * {@inheritdoc}

   */

  public function authenticateAccount(UserInterface $account, #[\SensitiveParameter] string $password): bool {

    if ($this->passwordChecker->check($password, $account->getPassword())) {

      // Update user to new password scheme if needed.

      if ($this->passwordChecker->needsRehash($account->getPassword())) {

        $account->setPassword($password);

        $account->save();

      }

      return TRUE;

    }

      }

    }

    return $uid;

    return FALSE;

  }

}

<?php

namespace Drupal\user;

/**

 * An interface for validating user authentication credentials.

 */

interface UserAuthenticationInterface {

  /**

   * Validates user authentication credentials.

   *

   * @param string $identifier

   *   The user identifier to authenticate. Usually the username.

   *

   * @return Drupal\User\UserInterface|false

   *   The user account on success, or FALSE on failure to authenticate.

   */

  public function lookupAccount($identifier): UserInterface|false;

  /**

   * Validates user authentication credentials for an account.

   *

   * This can be used where the account has already been located using the login

   * credentials.

   *

   * @param \Drupal\Core\Session\AccountInterface $account

   *   The account to authenticate.

   * @param string $password

   *   A plain-text password, such as trimmed text from form values.

   *

   * @return bool

   *   TRUE on success, FALSE on failure.

   */

  public function authenticateAccount(UserInterface $account, #[\SensitiveParameter] string $password): bool;

}