Skip to content

Feature | Add AuthService validateCredentials method #127

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
matiasperrone-exo wants to merge 4 commits into
base: feat/mfa-phase1-user-model
Choose a base branch
from
+437 −33
Open

Feature | Add AuthService validateCredentials method #127

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
aebc4cc
feat: Add AuthService validateCredentials method
matiasperrone-exo Apr 29, 2026
9fc38a0
chore: lint file app/libs/Auth/AuthService.php
matiasperrone-exo Apr 29, 2026
70ba198
chore: Add PR's requested changes
matiasperrone-exo May 5, 2026
28541f5
chore: Add PR's requested changes
matiasperrone-exo May 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
108 changes: 75 additions & 33 deletions app/libs/Auth/AuthService.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
<?php namespace Auth;
<?php
namespace Auth;
/**
* Copyright 2016 OpenStack Foundation
* Licensed under the Apache License, Version 2.0 (the "License");
Expand All @@ -17,6 +18,7 @@
use App\Services\AbstractService;
use Auth\Exceptions\AuthenticationException;
use Auth\Exceptions\AuthenticationLockedUserLoginAttempt;
use Auth\Exceptions\UnverifiedEmailMemberException;
use Auth\Repositories\IUserRepository;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Config;
Expand Down Expand Up @@ -100,17 +102,16 @@ final class AuthService extends AbstractService implements IAuthService
*/
public function __construct
(
IUserRepository $user_repository,
IOAuth2OTPRepository $otp_repository,
IPrincipalService $principal_service,
IUserService $user_service,
IUserActionService $user_action_service,
ICacheService $cache_service,
IAuthUserService $auth_user_service,
IUserRepository $user_repository,
IOAuth2OTPRepository $otp_repository,
IPrincipalService $principal_service,
IUserService $user_service,
IUserActionService $user_action_service,
ICacheService $cache_service,
IAuthUserService $auth_user_service,
ISecurityContextService $security_context_service,
ITransactionService $tx_service
)
{
ITransactionService $tx_service
) {
parent::__construct($tx_service);
$this->user_repository = $user_repository;
$this->principal_service = $principal_service;
Expand Down Expand Up @@ -159,7 +160,7 @@ public function login(string $username, string $password, bool $remember_me): bo
Log::debug("AuthService::login: clearing principal");
$this->principal_service->clear();
$current_user = $this->getCurrentUser();
if(is_null($current_user) || !$current_user->canLogin())
if (is_null($current_user) || !$current_user->canLogin())
throw new AuthenticationException
(
"We are sorry, your username or password does not match an existing record."
Expand All @@ -173,6 +174,44 @@ public function login(string $username, string $password, bool $remember_me): bo
return true;
}

/**
* @param string $username
* @param string $password
* @return User|null
* @throws AuthenticationException
*/
public function validateCredentials(string $username, string $password): User
{
Log::debug("AuthService::validateCredentials");

try {
/**
* @var User|null $user
*/
$user = Auth::getProvider()->retrieveByCredentials(['username' => $username, 'password' => $password]);
if (!$user instanceof User || !$user->canLogin()) {
throw new AuthenticationException("We are sorry, your username or password does not match an existing record.");
}
} catch (UnverifiedEmailMemberException $ex) {
throw new AuthenticationException($ex->getMessage());
}

return $user;
}

/**
* @param User $user
* @param bool $remember
* @return void
*/
public function loginUser(User $user, bool $remember): void
{
Log::debug("AuthService::loginUser");
if (!$user->canLogin())
throw new AuthenticationException("User is not active or cannot login.");
Auth::login($user, $remember);
Comment thread
matiasperrone-exo marked this conversation as resolved.
}

/**
* @param OAuth2OTP $otpClaim
* @param Client|null $client
Expand Down Expand Up @@ -228,11 +267,13 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $
throw new AuthenticationException("Single-use code mismatch.");
}

if(!empty($otpClaim->getScope()) && !$otp->allowScope($otpClaim->getScope()))
if (!empty($otpClaim->getScope()) && !$otp->allowScope($otpClaim->getScope()))
throw new InvalidOTPException("Single-use code requested scopes escalates former scopes.");

if (($otp->hasClient() && is_null($client)) ||
($otp->hasClient() && !is_null($client) && $client->getClientId() != $otp->getClient()->getClientId())) {
if (
($otp->hasClient() && is_null($client)) ||
($otp->hasClient() && !is_null($client) && $client->getClientId() != $otp->getClient()->getClientId())
) {
throw new AuthenticationException("Single-use code audience mismatch.");
}

Expand All @@ -254,15 +295,14 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $
],
$otp
);
}
else{
if($user->isActive()) {
} else {
if ($user->isActive()) {
// verify email
$user->verifyEmail(false);
}
}

if(!$user->canLogin()){
if (!$user->canLogin()) {
Log::warning(sprintf("AuthService::loginWithOTP user %s cannot login ( is not active ).", $user->getId()));
throw new AuthenticationException("We are sorry, your username or password does not match an existing record.");
}
Expand All @@ -278,7 +318,7 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $
$client
);

foreach ($grants2Revoke as $otp2Revoke){
foreach ($grants2Revoke as $otp2Revoke) {
try {
Log::debug(sprintf("AuthService::loginWithOTP revoking otp %s ", $otp2Revoke->getValue()));
if ($otp2Revoke->getValue() !== $otpClaim->getValue())
Expand All @@ -299,12 +339,12 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $
* @param bool $clear_security_ctx
* @return void
*/
public function logout(bool $clear_security_ctx = true):void
public function logout(bool $clear_security_ctx = true): void
{
Log::debug("AuthService::logout");
$current_user = $this->getCurrentUser();
// check if we have user on session
if(!is_null($current_user)) {
if (!is_null($current_user)) {
$ip = IPHelper::getUserIp();
Log::debug(sprintf("AuthService::logout we have user %s from ip %s", $current_user->getId(), $ip));
$this->user_action_service->addUserAction
Expand All @@ -318,7 +358,7 @@ public function logout(bool $clear_security_ctx = true):void
// regular flow
$this->invalidateSession();
$this->principal_service->clear();
if($clear_security_ctx)
if ($clear_security_ctx)
$this->security_context_service->clear();
Auth::logout();
// put in past
Expand Down Expand Up @@ -438,8 +478,7 @@ public function unwrapUserId(string $user_id): string
$unwrapped_name = $this->decrypt($user_id);
$parts = explode(':', $unwrapped_name);
return intval($parts[1]);
}
catch (Exception $ex){
} catch (Exception $ex) {
Log::warning($ex);
}
return $user_id;
Expand Down Expand Up @@ -502,7 +541,8 @@ public function registerRPLogin(string $client_id): void
$rps = $zlib->uncompress($rps);
$rps .= '|';
}
if (is_null($rps)) $rps = "";
if (is_null($rps))
$rps = "";

if (!str_contains($rps, $client_id))
$rps .= $client_id;
Expand Down Expand Up @@ -541,8 +581,7 @@ public function getLoggedRPs(): array
$rps = $zlib->uncompress($rps);
return explode('|', $rps);
}
}
catch (Exception $ex){
} catch (Exception $ex) {
Log::warning($ex);
}
return [];
Expand Down Expand Up @@ -609,14 +648,17 @@ public function invalidateSession(): void
public function postLoginUserActions(int $user_id): void
{
Log::debug(sprintf("AuthService::postLoginUserActions user %s", $user_id));
$this->tx_service->transaction(function () use($user_id){
$this->tx_service->transaction(function () use ($user_id) {
$user = $this->user_repository->getById($user_id);
if(!$user instanceof User) return;
if (!$user instanceof User)
return;

if (!$user->isActive()) {
Log::warning(sprintf("AuthService::postLoginUserActions user %s is not active.", $user_id));
throw new AuthenticationLockedUserLoginAttempt($user->getEmail(),
sprintf("User %s is locked.", $user->getEmail()));
Log::warning(sprintf("AuthService::postLoginUserActions user %s is not active.", $user_id));
throw new AuthenticationLockedUserLoginAttempt(
$user->getEmail(),
sprintf("User %s is locked.", $user->getEmail())
);
}

//update user fields
Expand Down
22 changes: 22 additions & 0 deletions app/libs/Utils/Services/IAuthService.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,28 @@ public function getCurrentUser():?User;
*/
public function login(string $username, string $password, bool $remember_me): bool;

/**
* Validates the supplied credentials without establishing a session.
* Delegates to CustomAuthProvider::retrieveByCredentials() so security
* checkpoints (LockUserCounterMeasure, etc.) still fire on failure.
*
* @param string $username
* @param string $password
* @return User
* @throws AuthenticationException on invalid credentials, missing user, or locked account.
*/
public function validateCredentials(string $username, string $password): User;

/**
* Establishes a Laravel session for an already-authenticated user.
* Used by the 2FA flow after the second factor is verified.
*
* @param User $user
* @param bool $remember
* @return void
*/
public function loginUser(User $user, bool $remember): void;

/**
* @param OAuth2OTP $otpClaim
* @param Client|null $client
Expand Down
106 changes: 106 additions & 0 deletions tests/AuthServiceValidateCredentialsIntegrationTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
<?php namespace Tests;
/**
* Copyright 2026 OpenStack Foundation
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* http://www.apache.org/licenses/LICENSE-2.0
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/

use Auth\Exceptions\AuthenticationException;
use Auth\Repositories\IUserRepository;
use Auth\User;
use Illuminate\Support\Facades\Auth;
use LaravelDoctrine\ORM\Facades\EntityManager;
use Utils\Services\IAuthService;
use Utils\Services\UtilsServiceCatalog;

/**
* Class AuthServiceValidateCredentialsIntegrationTest
* Exercises AuthService::validateCredentials() against the real database and
* security-checkpoint stack to verify that failed attempts increment the
* user's login_failed_attempt counter (via LockUserCounterMeasure) and that
* no session is established on either success or failure.
*/
final class AuthServiceValidateCredentialsIntegrationTest extends OpenStackIDBaseTestCase
{
// CustomAuthProvider looks up users via IUserRepository::getByEmailOrName(),
// which currently matches only on the email column — so login uses the email
// as the "username".
private const SEEDED_USERNAME = 'sebastian@tipit.net';
private const SEEDED_PASSWORD = '1Qaz2wsx!';

private IAuthService $auth_service;

protected function prepareForTests(): void
{
parent::prepareForTests();
$this->auth_service = $this->app[UtilsServiceCatalog::AuthenticationService];
}

/**
* A failed validateCredentials() call must:
* - throw AuthenticationException,
* - NOT establish a session (Auth::check() stays false),
* - trigger LockUserCounterMeasure so the user's login_failed_attempt counter increments.
*/
public function testFailedAttempt_incrementsLoginFailedAttemptCounter(): void
{
$initial_attempts = $this->getLoginFailedAttempt(self::SEEDED_USERNAME);
$this->assertFalse(Auth::check(), 'precondition: no authenticated user');

$threw = false;
try {
$this->auth_service->validateCredentials(self::SEEDED_USERNAME, 'wrong-password');
} catch (AuthenticationException $ex) {
$threw = true;
}

$this->assertTrue($threw, 'Expected AuthenticationException on wrong password');
$this->assertFalse(Auth::check(), 'No session should be established after a failed attempt');

$new_attempts = $this->getLoginFailedAttempt(self::SEEDED_USERNAME);
$this->assertSame(
$initial_attempts + 1,
$new_attempts,
'login_failed_attempt counter must increment via LockUserCounterMeasure'
);
}

/**
* A successful validateCredentials() call must return the user without
* establishing a session — Auth::check() must remain false afterwards.
*/
public function testSuccessfulValidation_doesNotEstablishSession(): void
{
$this->assertFalse(Auth::check(), 'precondition: no authenticated user');

$user = $this->auth_service->validateCredentials(
self::SEEDED_USERNAME,
self::SEEDED_PASSWORD
);

$this->assertInstanceOf(User::class, $user);
$this->assertFalse(
Auth::check(),
'validateCredentials() must NOT call Auth::login() on success'
);
}

private function getLoginFailedAttempt(string $username): int
{
// Clear Doctrine's identity map so we read fresh state from the DB,
// not a cached in-memory entity from a prior transaction.
EntityManager::clear();
$repo = EntityManager::getRepository(User::class);
/** @var IUserRepository $repo */
$user = $repo->getByEmailOrName($username);
$this->assertInstanceOf(User::class, $user, "Seeded user {$username} not found");
return $user->getLoginFailedAttempt();
}
}
Loading
Loading