@@ -134,11 +134,7 @@ public function isUserLogged()
134134 */
135135 public function getCurrentUser (): ?User
136136 {
137- $ useruser ();
138- if ($ userinstanceof User) {
139- return $ user
140- }
141- return null ;
137+ return Auth::user ();
142138 }
143139
144140 /**
@@ -152,10 +148,11 @@ public function login(string $username, string $password, bool $remember_me): bo
152148 {
153149 Log::debug ("AuthService::login " );
154150
151+ $ this last_login_error = "" ;
155152 if (!Auth::attempt (['username ' => $ username'password ' => $ password$ remember_me
156153 throw new AuthenticationException
157154 (
158- "username or password does not match an existing record. "
155+ "We are sorry, your username or password does not match an existing record.
159156 );
160157 }
161158 Log::debug ("AuthService::login: clearing principal " );
@@ -164,7 +161,7 @@ public function login(string $username, string $password, bool $remember_me): bo
164161 if (is_null ($ current_user$ current_usercanLogin ())
165162 throw new AuthenticationException
166163 (
167- "username or password does not match an existing record. "
164+ "We are sorry, your username or password does not match an existing record.
168165 );
169166 $ this principal_service ->register
170167 (
@@ -185,28 +182,13 @@ public function validateCredentials(string $username, string $password): User
185182 {
186183 Log::debug ("AuthService::validateCredentials " );
187184
188- // retrieveByCredentials swallows AuthenticationLockedUserLoginAttempt and returns null,
189- // so pre-check lock state here to surface a distinct message for locked accounts.
190- $ existing$ this user_repository ->getByEmailOrName ($ username
191- if (!is_null ($ existing$ existingisActive ()) {
192- throw new AuthenticationException (
193- sprintf ("User %s is locked. " , $ username
194- );
195- }
196-
197- // Known cost: retrieveByCredentials() calls user_repository->getByEmailOrName() internally
198- // (CustomAuthProvider line ~122), duplicating the query above. Eliminating it would require
199- // either changing the provider API to accept a pre-fetched User, or moving
200- // LockUserCounterMeasure checkpoint logic out of the provider — both out of scope here.
201- $ usergetProvider ()->retrieveByCredentials ([
202- 'username ' => $ username
203- 'password ' => $ password
204- ]);
205-
206- if (is_null ($ user$ userinstanceof User || !$ usercanLogin ()) {
207- throw new AuthenticationException (
208- "username or password does not match an existing record. "
209- );
185+ /**
186+ * @var User|null $user
187+ */
188+ $ user$ this user_repository ->getByEmailOrName ($ username
189+ $ validgetProvider ()->validateCredentials ($ user'username ' => $ username'password ' => $ password
190+ if (!$ valid
191+ throw new AuthenticationException ();
210192 }
211193
212194 return $ user
@@ -220,6 +202,7 @@ public function validateCredentials(string $username, string $password): User
220202 public function loginUser (User $ userbool $ remembervoid
221203 {
222204 Log::debug ("AuthService::loginUser " );
205+ if (!$ userisActive () || !$ usercanLogin ()) throw new AuthenticationException ("User is not active or cannot login. " );
223206 Auth::login ($ user$ remember
224207 }
225208
@@ -315,7 +298,7 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $
315298
316299 if (!$ usercanLogin ()) {
317300 Log::warning (sprintf ("AuthService::loginWithOTP user %s cannot login ( is not active ). " , $ usergetId ()));
318- throw new AuthenticationException ("username or password does not match an existing record. " );
301+ throw new AuthenticationException ("We are sorry, your username or password does not match an existing record. );
319302 }
320303
321304 $ otpsetAuthTime (time ());
0 commit comments