feat: Add AuthService validateCredentials method

matiasperrone-exo · matiasperrone-exo · commit a293dde7d4be · 2026-04-28T22:07:06.000Z
diff --git a/app/libs/Auth/AuthService.php b/app/libs/Auth/AuthService.php
@@ -96,7 +96,6 @@ final class AuthService extends AbstractService implements IAuthService
      * @param IAuthUserService $auth_user_service
      * @param ISecurityContextService $security_context_service
      * @param ITransactionService $tx_service
-     * @params ISecurityContextService $security_context_service
      */
     public function __construct
     (
@@ -135,7 +134,11 @@ public function isUserLogged()
      */
     public function getCurrentUser(): ?User
     {
-        return Auth::user();
+        $user = Auth::user();
+        if ($user instanceof User) {
+            return $user;
+        }
+        return null;
     }
 
     /**
@@ -149,11 +152,10 @@ public function login(string $username, string $password, bool $remember_me): bo
     {
         Log::debug("AuthService::login");
 
-        $this->last_login_error = "";
         if (!Auth::attempt(['username' => $username, 'password' => $password], $remember_me)) {
             throw new AuthenticationException
             (
-                "We are sorry, your username or password does not match an existing record."
+                "username or password does not match an existing record."
             );
         }
         Log::debug("AuthService::login: clearing principal");
@@ -162,7 +164,7 @@ public function login(string $username, string $password, bool $remember_me): bo
         if(is_null($current_user) || !$current_user->canLogin())
             throw new AuthenticationException
             (
-                "We are sorry, your username or password does not match an existing record."
+                "username or password does not match an existing record."
             );
         $this->principal_service->register
         (
@@ -173,6 +175,50 @@ public function login(string $username, string $password, bool $remember_me): bo
         return true;
     }
 
+    /**
+     * @param string $username
+     * @param string $password
+     * @return User
+     * @throws AuthenticationException
+     */
+    public function validateCredentials(string $username, string $password): User
+    {
+        Log::debug("AuthService::validateCredentials");
+
+        // retrieveByCredentials swallows AuthenticationLockedUserLoginAttempt and returns null,
+        // so pre-check lock state here to surface a distinct message for locked accounts.
+        $existing = $this->user_repository->getByEmailOrName($username);
+        if (!is_null($existing) && !$existing->isActive()) {
+            throw new AuthenticationException(
+                sprintf("User %s is locked.", $username)
+            );
+        }
+
+        $user = Auth::getProvider()->retrieveByCredentials([
+            'username' => $username,
+            'password' => $password,
+        ]);
+
+        if (is_null($user) || !$user instanceof User || !$user->canLogin()) {
+            throw new AuthenticationException(
+                "We are sorry, your username or password does not match an existing record."
+            );
+        }
+
+        return $user;
+    }
+
+    /**
+     * @param User $user
+     * @param bool $remember
+     * @return void
+     */
+    public function loginUser(User $user, bool $remember): void
+    {
+        Log::debug("AuthService::loginUser");
+        Auth::login($user, $remember);
+    }
+
     /**
      * @param OAuth2OTP $otpClaim
      * @param Client|null $client
@@ -264,7 +310,7 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $
 
             if(!$user->canLogin()){
                 Log::warning(sprintf("AuthService::loginWithOTP user %s cannot login ( is not active ).", $user->getId()));
-                throw new AuthenticationException("We are sorry, your username or password does not match an existing record.");
+                throw new AuthenticationException("username or password does not match an existing record.");
             }
 
             $otp->setAuthTime(time());
diff --git a/app/libs/Auth/Models/User.php b/app/libs/Auth/Models/User.php
@@ -81,7 +81,12 @@ class User extends BaseEntity implements AuthenticatableContract, IOpenIdUser, I
     public const MFAMethod_TOTP    = 'totp';
     public const MFAMethod_PASSKEY = 'passkey';
 
-    public const ValidMFAMethods = [self::MFAMethod_OTP];
+    public const ValidMFAMethods = [
+        self::MFAMethod_OTP,
+        // self::MFAMethod_SMS,
+        // self::MFAMethod_TOTP,
+        // self::MFAMethod_PASSKEY
+    ];
 
     /**
      * @var string
@@ -2452,6 +2457,17 @@ protected function setTwoFactorMethod(string $method): void
                 )
             );
         }
+
+        if (!in_array($method, $this->getAvailableTwoFactorMethods(), true)) {
+            throw new ValidationException(
+                sprintf(
+                    "Disabled 2FA method '%s'. Enabled methods: %s",
+                    $method,
+                    implode(', ', $this->getAvailableTwoFactorMethods())
+                )
+            );
+        }
+
         $this->two_factor_method = $method;
     }
 
diff --git a/app/libs/Utils/Services/IAuthService.php b/app/libs/Utils/Services/IAuthService.php
@@ -57,6 +57,28 @@ public function getCurrentUser():?User;
      */
     public function login(string $username, string $password, bool $remember_me): bool;
 
+    /**
+     * Validates the supplied credentials without establishing a session.
+     * Delegates to CustomAuthProvider::retrieveByCredentials() so security
+     * checkpoints (LockUserCounterMeasure, etc.) still fire on failure.
+     *
+     * @param string $username
+     * @param string $password
+     * @return User
+     * @throws AuthenticationException on invalid credentials, missing user, or locked account.
+     */
+    public function validateCredentials(string $username, string $password): User;
+
+    /**
+     * Establishes a Laravel session for an already-authenticated user.
+     * Used by the 2FA flow after the second factor is verified.
+     *
+     * @param User $user
+     * @param bool $remember
+     * @return void
+     */
+    public function loginUser(User $user, bool $remember): void;
+
     /**
      * @param OAuth2OTP $otpClaim
      * @param Client|null $client
diff --git a/tests/AuthServiceValidateCredentialsIntegrationTest.php b/tests/AuthServiceValidateCredentialsIntegrationTest.php
@@ -0,0 +1,106 @@
+<?php namespace Tests;
+/**
+ * Copyright 2026 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Auth\Exceptions\AuthenticationException;
+use Auth\Repositories\IUserRepository;
+use Auth\User;
+use Illuminate\Support\Facades\Auth;
+use LaravelDoctrine\ORM\Facades\EntityManager;
+use Utils\Services\IAuthService;
+use Utils\Services\UtilsServiceCatalog;
+
+/**
+ * Class AuthServiceValidateCredentialsIntegrationTest
+ * Exercises AuthService::validateCredentials() against the real database and
+ * security-checkpoint stack to verify that failed attempts increment the
+ * user's login_failed_attempt counter (via LockUserCounterMeasure) and that
+ * no session is established on either success or failure.
+ */
+final class AuthServiceValidateCredentialsIntegrationTest extends OpenStackIDBaseTestCase
+{
+    // CustomAuthProvider looks up users via IUserRepository::getByEmailOrName(),
+    // which currently matches only on the email column — so login uses the email
+    // as the "username".
+    private const SEEDED_USERNAME = 'sebastian@tipit.net';
+    private const SEEDED_PASSWORD = '1Qaz2wsx!';
+
+    private IAuthService $auth_service;
+
+    protected function prepareForTests(): void
+    {
+        parent::prepareForTests();
+        $this->auth_service = $this->app[UtilsServiceCatalog::AuthenticationService];
+    }
+
+    /**
+     * A failed validateCredentials() call must:
+     *  - throw AuthenticationException,
+     *  - NOT establish a session (Auth::check() stays false),
+     *  - trigger LockUserCounterMeasure so the user's login_failed_attempt counter increments.
+     */
+    public function testFailedAttempt_incrementsLoginFailedAttemptCounter(): void
+    {
+        $initial_attempts = $this->getLoginFailedAttempt(self::SEEDED_USERNAME);
+        $this->assertFalse(Auth::check(), 'precondition: no authenticated user');
+
+        $threw = false;
+        try {
+            $this->auth_service->validateCredentials(self::SEEDED_USERNAME, 'wrong-password');
+        } catch (AuthenticationException $ex) {
+            $threw = true;
+        }
+
+        $this->assertTrue($threw, 'Expected AuthenticationException on wrong password');
+        $this->assertFalse(Auth::check(), 'No session should be established after a failed attempt');
+
+        $new_attempts = $this->getLoginFailedAttempt(self::SEEDED_USERNAME);
+        $this->assertSame(
+            $initial_attempts + 1,
+            $new_attempts,
+            'login_failed_attempt counter must increment via LockUserCounterMeasure'
+        );
+    }
+
+    /**
+     * A successful validateCredentials() call must return the user without
+     * establishing a session — Auth::check() must remain false afterwards.
+     */
+    public function testSuccessfulValidation_doesNotEstablishSession(): void
+    {
+        $this->assertFalse(Auth::check(), 'precondition: no authenticated user');
+
+        $user = $this->auth_service->validateCredentials(
+            self::SEEDED_USERNAME,
+            self::SEEDED_PASSWORD
+        );
+
+        $this->assertInstanceOf(User::class, $user);
+        $this->assertFalse(
+            Auth::check(),
+            'validateCredentials() must NOT call Auth::login() on success'
+        );
+    }
+
+    private function getLoginFailedAttempt(string $username): int
+    {
+        // Clear Doctrine's identity map so we read fresh state from the DB,
+        // not a cached in-memory entity from a prior transaction.
+        EntityManager::clear();
+        $repo = EntityManager::getRepository(User::class);
+        /** @var IUserRepository $repo */
+        $user = $repo->getByEmailOrName($username);
+        $this->assertInstanceOf(User::class, $user, "Seeded user {$username} not found");
+        return $user->getLoginFailedAttempt();
+    }
+}
diff --git a/tests/unit/AuthServiceValidateCredentialsTest.php b/tests/unit/AuthServiceValidateCredentialsTest.php
