diff --git a/core/modules/rest/src/Plugin/ResourceBase.php b/core/modules/rest/src/Plugin/ResourceBase.php
index 33cb3aa..4e77eb9 100644
--- a/core/modules/rest/src/Plugin/ResourceBase.php
+++ b/core/modules/rest/src/Plugin/ResourceBase.php
@@ -64,7 +64,7 @@ public static function create(ContainerInterface $container, array $configuratio
$plugin_id,
$plugin_definition,
$container->getParameter('serializer.formats'),
- $container->get('logger.factory')->get('rest')
+ $container->get('logger.channel.rest')
);
}
diff --git a/core/modules/rest/src/Tests/RESTTestBase.php b/core/modules/rest/src/Tests/RESTTestBase.php
index 71b1a08..d9c4607 100644
--- a/core/modules/rest/src/Tests/RESTTestBase.php
+++ b/core/modules/rest/src/Tests/RESTTestBase.php
@@ -73,11 +73,13 @@ protected function setUp() {
* The body for POST and PUT.
* @param string $mime_type
* The MIME type of the transmitted content.
+ * @param array $request_headers
+ * Some additional request headers.
*
* @return string
* The content returned from the request.
*/
- protected function httpRequest($url, $method, $body = NULL, $mime_type = NULL) {
+ protected function httpRequest($url, $method, $body = NULL, $mime_type = NULL, $request_headers = []) {
if (!isset($mime_type)) {
$mime_type = $this->defaultMimeType;
}
@@ -118,10 +120,11 @@ protected function httpRequest($url, $method, $body = NULL, $mime_type = NULL) {
CURLOPT_POSTFIELDS => $body,
CURLOPT_URL => $url,
CURLOPT_NOBODY => FALSE,
- CURLOPT_HTTPHEADER => array(
+ CURLOPT_HTTPHEADER => array_merge(
+ array(
'Content-Type: ' . $mime_type,
'X-CSRF-Token: ' . $token,
- ),
+ ), $request_headers),
);
break;
@@ -173,6 +176,9 @@ protected function httpRequest($url, $method, $body = NULL, $mime_type = NULL) {
$this->verbose($method . ' request to: ' . $url .
'
Code: ' . curl_getinfo($this->curlHandle, CURLINFO_HTTP_CODE) .
+ '
Request headers: ' . nl2br(print_r($curl_options[CURLOPT_HTTPHEADER], TRUE)) .
+ '
Extra headers: ' . nl2br(print_r($request_headers, TRUE)) .
+ '
Request body: ' . nl2br(print_r($body, TRUE)) .
'
Response headers: ' . nl2br(print_r($headers, TRUE)) .
'
Response body: ' . $this->responseBody);
diff --git a/core/modules/rest/src/Tests/ResourceTest.php b/core/modules/rest/src/Tests/ResourceTest.php
index df99cc6..0919205 100644
--- a/core/modules/rest/src/Tests/ResourceTest.php
+++ b/core/modules/rest/src/Tests/ResourceTest.php
@@ -112,8 +112,10 @@ public function testUriPaths() {
$manager = \Drupal::service('plugin.manager.rest');
foreach ($manager->getDefinitions() as $resource => $definition) {
- foreach ($definition['uri_paths'] as $key => $uri_path) {
- $this->assertFalse(strpos($uri_path, '//'), 'The resource URI path does not have duplicate slashes.');
+ if (isset($definition['uri_paths'])) {
+ foreach ($definition['uri_paths'] as $key => $uri_path) {
+ $this->assertFalse(strpos($uri_path, '//'), 'The resource URI path does not have duplicate slashes.');
+ }
}
}
}
diff --git a/core/modules/rest/src/Tests/UserLoginTest.php b/core/modules/rest/src/Tests/UserLoginTest.php
new file mode 100644
index 0000000..d6c926a
--- /dev/null
+++ b/core/modules/rest/src/Tests/UserLoginTest.php
@@ -0,0 +1,138 @@
+defaultAuth;
+
+ $account = $this->drupalCreateUser();
+ $name = $account->getUsername();
+ $pass = $account->pass_raw;
+
+ // Add login permission to anonymous user.
+ Role::load(RoleInterface::ANONYMOUS_ID)
+ ->grantPermission('restful post user_login')
+ ->grantPermission('restful get user_login_status')
+ ->grantPermission('restful post user_password_reset')
+ ->save();
+
+ Role::load(RoleInterface::AUTHENTICATED_ID)
+ ->grantPermission('restful get user_login_status')
+ ->grantPermission('restful post user_logout')
+ ->save();
+
+
+ $url = Url::fromRoute('user.login.json');
+ $url->setRouteParameter('_format', 'json');
+ $this->httpRequest($url, 'GET', NULL, 'application/json');
+ $this->assertResponse(200);
+ $this->assertResponseBody('"' . UserLoginStatusResource::LOGGED_OUT . '"');
+
+
+ // Flooded.
+ \Drupal::configFactory()->getEditable('user.flood')
+ ->set('user_limit', 3)
+ ->save();
+
+ $request_body = ['name' => $name, 'pass' => 'wrong-pass'];
+ $this->httpRequest('/user/login', 'POST', json_encode($request_body), 'application/json');
+ $this->assertResponse(400);
+ $this->assertResponseBody('{"error":"Sorry, unrecognized username or password."}');
+
+ $request_body = ['name' => $name, 'pass' => 'wrong-pass'];
+ $this->httpRequest('/user/login', 'POST', json_encode($request_body), 'application/json');
+ $this->assertResponse(400);
+ $this->assertResponseBody('{"error":"Sorry, unrecognized username or password."}');
+
+ $request_body = ['name' => $name, 'pass' => 'wrong-pass'];
+ $this->httpRequest('/user/login', 'POST', json_encode($request_body), 'application/json');
+ $this->assertResponse(400);
+ $this->assertResponseBody('{"error":"Sorry, unrecognized username or password."}');
+
+ $request_body = ['name' => $name, 'pass' => 'wrong-pass'];
+ $this->httpRequest('/user/login', 'POST', json_encode($request_body), 'application/json');
+ $this->assertResponse(400);
+ $this->assertResponseBody('{"error":"Blocked."}');
+
+ // After testing the flood control we can increase the limit.
+ \Drupal::configFactory()->getEditable('user.flood')
+ ->set('user_limit', 100)
+ ->save();
+
+ $request_body = [];
+ $this->httpRequest('/user/login/', 'POST', json_encode($request_body), 'application/json');
+ $this->assertResponse(400);
+ $this->assertResponseBody('{"error":"Missing credentials."}');
+
+ $request_body = ['pass' => $pass];
+ $this->httpRequest('/user/login', 'POST', json_encode($request_body), 'application/json');
+ $this->assertResponse(400);
+ $this->assertResponseBody('{"error":"Missing credentials.name."}');
+
+ $request_body = ['name' => $name];
+ $this->httpRequest('/user/login', 'POST', json_encode($request_body), 'application/json');
+ $this->assertResponse(400);
+ $this->assertResponseBody('{"error":"Missing credentials.pass."}');
+
+ // Blocked.
+ $account
+ ->block()
+ ->save();
+ $request_body = ['name' => $name, 'pass' => $pass];
+ $this->httpRequest('/user/login', 'POST', json_encode($request_body), 'application/json');
+ $this->assertResponse(400);
+ $this->assertResponseBody('{"error":"The user has not been activated or is blocked."}');
+ $account
+ ->activate()
+ ->save();
+
+ $request_body = ['name' => $name, 'pass' => 'garbage'];
+ $this->httpRequest('/user/login', 'POST', json_encode($request_body), 'application/json');
+ $this->assertResponse(400);
+ $this->assertResponseBody('{"error":"Sorry, unrecognized username or password."}');
+
+ $request_body = ['name' => 'garbage', 'pass' => $pass];
+ $this->httpRequest('/user/login', 'POST', json_encode($request_body), 'application/json');
+ $this->assertResponse(400);
+ $this->assertResponseBody('{"error":"Sorry, unrecognized username or password."}');
+
+ $request_body = ['name' => $name, 'pass' => $pass];
+ $response = $this->httpRequest('/user/login', 'POST', json_encode($request_body), 'application/json');
+ $response = json_decode($response);
+ $this->assertEqual($name, $response->current_user->name, "The user name is correct.");
+
+ $url = Url::fromRoute('user.login_status.json');
+ $url->setRouteParameter('_format', 'json');
+ $this->httpRequest($url, 'GET', NULL, 'application/json');
+ $this->assertResponse(200);
+ $this->assertResponseBody('"' . UserLoginStatusResource::LOGGED_IN . '"');
+
+ $request_body = ['name' => $name, 'pass' => $pass];
+ $this->httpRequest('/user/logout', 'POST', json_encode($request_body), 'application/json');
+ $this->assertResponse(204);
+
+ $url = Url::fromRoute('rest.user_login_status.GET.json');
+ $url->setRouteParameter('_format', 'json');
+ $this->httpRequest($url, 'GET', NULL, 'application/json');
+ $this->assertResponse(200);
+ $this->assertResponseBody('"' . UserLoginStatusResource::LOGGED_OUT . '"');
+ }
+
+}
diff --git a/core/modules/user/src/Controller/UserLoginController.php b/core/modules/user/src/Controller/UserLoginController.php
new file mode 100644
index 0000000..51b3e3f
--- /dev/null
+++ b/core/modules/user/src/Controller/UserLoginController.php
@@ -0,0 +1,181 @@
+flood = $flood;
+ $this->userStorage = $user_storage;
+ $this->csrfToken = $csrf_token;
+ $this->userAuth = $user_auth;
+ }
+
+ public function login($credentials) {
+ if (!isset($credentials['name']) && !isset($credentials['pass'])) {
+ throw new BadRequestHttpException('Missing credentials.');
+ }
+
+ if (!isset($credentials['name'])) {
+ throw new BadRequestHttpException('Missing credentials.name.');
+ }
+ if (!isset($credentials['pass'])) {
+ throw new BadRequestHttpException('Missing credentials.pass.');
+ }
+
+ if (!$this->isFloodBlocked()) {
+ throw new BadRequestHttpException('Blocked.');
+ }
+
+ if ($this->userIsBlocked($credentials['name'])) {
+ throw new BadRequestHttpException('The user has not been activated or is blocked.');
+ }
+
+ if ($uid = $this->userAuth->authenticate($credentials['name'], $credentials['pass'])) {
+ /** @var \Drupal\user\UserInterface $user */
+ $user = $this->userStorage->load($uid);
+ $this->userLoginFinalize($user);
+
+ // Send basic metadata about the logged in user.
+ $response_data = [
+ 'current_user' => [
+ 'uid' => $user->id(),
+ 'roles' => $user->getRoles(),
+ 'name' => $user->getAccountName(),
+ ],
+ 'csrf_token' => $this->csrfToken->get('rest'),
+ ];
+
+ $response = new ResourceResponse($response_data);
+ return $response->addCacheableDependency($user);
+ }
+
+ $this->flood->register('rest.login_cookie', $this->configFactory->get('user.flood')->get('user_window'));
+ throw new BadRequestHttpException('Sorry, unrecognized username or password.');
+ }
+
+ /**
+ * Verifies if the user is blocked.
+ *
+ * @param string $name
+ * The username.
+ *
+ * @return bool
+ * Returns TRUE if the user is blocked, otherwise FALSE.
+ */
+ protected function userIsBlocked($name) {
+ return user_is_blocked($name);
+ }
+
+ /**
+ * Finalizes the user login.
+ *
+ * @param \Drupal\user\UserInterface $user
+ * The user.
+ */
+ protected function userLoginFinalize(UserInterface $user) {
+ user_login_finalize($user);
+ }
+
+ /**
+ * Checks for flooding.
+ *
+ * @return bool
+ * TRUE if the user is allowed to proceed, FALSE otherwise.
+ */
+ protected function isFloodBlocked() {
+ $config = $this->configFactory->get('user.flood');
+ $limit = $config->get('user_limit');
+ $interval = $config->get('user_window');
+
+ return $this->flood->isAllowed('rest.login_cookie', $limit, $interval);
+ }
+
+ public function logout() {
+ $this->userLogout();
+ return new ResourceResponse(NULL, 204);
+ }
+
+ /**
+ * Logs the user out.
+ */
+ protected function userLogout() {
+ user_logout();
+ }
+
+ public function loginStatus() {
+ if ($this->currentUser->isAuthenticated()) {
+ $response = new ResourceResponse(self::LOGGED_IN);
+ $response->addCacheableDependency($this->currentUser);
+ }
+ else {
+ $response = new ResourceResponse(self::LOGGED_OUT);
+ }
+ return $response->addCacheableDependency((new CacheableMetadata())->setCacheMaxAge(0));
+ }
+
+}
diff --git a/core/modules/user/user.routing.yml b/core/modules/user/user.routing.yml
index 6eea7ec..369cf76 100644
--- a/core/modules/user/user.routing.yml
+++ b/core/modules/user/user.routing.yml
@@ -129,6 +129,26 @@ user.login:
options:
_maintenance_access: TRUE
+user.login.json:
+ path: '/user/login'
+ defaults:
+ _controller: \Drupal\user\Controller\UserLoginController::login
+ requirements:
+ _user_is_logged_in: 'FALSE'
+ _format: 'json'
+ options:
+ _maintenance_access: TRUE
+
+user.logout.json:
+ path: '/user/logout'
+ defaults:
+ _controller: \Drupal\user\Controller\UserLoginController::logout
+ requirements:
+ _user_is_logged_in: 'TRUE'
+ _format: 'json'
+ options:
+ _maintenance_access: TRUE
+
user.cancel_confirm:
path: '/user/{user}/cancel/confirm/{timestamp}/{hashed_pass}'
defaults: