In UserLoginForm, first we check if the user name matches a blocked user via an entity query.
Then we check if the user name matches a not-blocked user before checking flood control by username, via another entity query.
Once the user has passed flood control, we then call UserAuth::authenticate() with the username and password - this runs the second entity query again to locate the user by username that we've already done.
Watch database queries (via Drupal's performance testing framework + Gander or just have a look at the test coverage changes.
Add UserAuth::authenticateAccount($account, $password) to save looking up the user twice, then use it in UserLoginForm.
Because the authentication validator checks if users are active (and exist) before trying to authenticate them, we only need to check if they're blocked if they fail to validate to show a different validation message. IMO this validation message is a bit questionable, but trying to keep functionality the same.
This is stacked on #3410419: Only clear flood attempts when necessary during user login due to affecting the same lines of test coverage, but the fixes are independent otherwise.
If the login fails, fallback to checking if the user is blocked to maintain the same message in that case.
Deprecate User::validateName()
| Comment | File | Size | Author |
|---|---|---|---|
| #57 | 3410582-nr-bot.txt | 90 bytes | needs-review-queue-bot |
| #54 | 3410582-nr-bot.txt | 90 bytes | needs-review-queue-bot |
| #25 | 3410582-nr-bot.txt | 90 bytes | needs-review-queue-bot |
Show commandsStart within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
changes, plain diff MR !5944changes, plain diff MR !6994
Comments
Comment #2
catchAnother one:
UserLoginForm::validateName() does exactly the same checks as UserLoginForm::validateAuthentication() except that the latter doesn't set the same error message if it can't find an account. If we move the validation message around, we save yet another identical entity query.
Comment #4
catchComment #5
catchComment #6
catchComment #7
smustgrave commentedApplied the MR and verified I could still login. Test updates show the coverage so think this is good.
Comment #8
catchPushed an additional commit to deprecate ::validateName() instead of removing it, and removed the call to user_is_blocked() by just checking status on the entity, this removes an extra query on a failed login too.
Also opened #3410707: Optimize UserAuthenticationController by remove duplicate entity queries as a follow-up, doing it here would double the MR size since UserLoginController more or less copies the form logic 1-1, so we need to make all the same changes there more or less.
Back to needs review for those changes.
Comment #9
catchComment #10
smustgrave commentedDeprecation seems fine, still can login at least.
Comment #12
heddnLeaving at RTBC after docs fix.
Comment #13
claudiu.cristeaAs we add a new public method let’s strict type all params and the return
Comment #15
prashant.cComment #16
prashant.cAttempting to make a contribution here, I've modified aspects concerning strict types in both function parameters and return values. After local testing, I can confirm that the login functionality is functioning as expected following these adjustments. Updating the status to NR.
Thanks
Comment #17
catchWe need a change record for the
UserAuthInterfacemethod addition too, should probably be a separate change record to the form validation deprecation.Comment #18
claudiu.cristeaSet to NW because of "Needs change record" tag
Comment #19
prashant.cI attempted to create a change record https://www.drupal.org/node/3411040 (Draft) as mentioned in #17. It may require a lot of changes.
Kindly review, thankyou.
Comment #20
smustgrave commentedMR has a test failure.
Have not re-reviewed.
Comment #21
heddnDo we need to add the interface and the string strict typing here? Given the test failures, that feels like more disruptive then this was originally scoped.
Comment #22
catchThe existing method on the interface definitely shouldn't have type hints added in this issue, that's out of scope (and would have to be implemented completely differently to how it is in the MR due to bc).
Comment #23
catchReverted the out of scope changes to the methods we're not adding here, tightened up type hinting on the new method, also made the new method return bool instead of bool/int since we already have the uid available before we call it.
Comment #24
heddnI fixed one small issue with a doc block. But that was so small I doubt it blocks from re-RTBCing. LGTM.
Comment #25
needs-review-queue-bot commentedThe Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".
This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
Comment #26
catchRebased. Just a couple of merge conflicts in the assertions. #3396196: Separate cache operations from database queries in OpenTelemetry and assertions will allow all the assertions in these tests to use assertSame() which will make it much easier to see the impact of changes like this.
Comment #27
catchRebased again after #3396196: Separate cache operations from database queries in OpenTelemetry and assertions which now makes it much easier to see what the effect on the database query count is.
Comment #28
quietone commentedI'm triaging RTBC issues. I read the IS, the comments and the MR. I didn't find any unanswered questions or other work to do.
The diff no longer applies, setting to needs work. Also, I left some comments in the MR.
Comment #29
catchRebased, accepted the suggestions, and updated the comment. Since all those changes were minor, moving back to RTBC.
Also removing the 'needs change record' tag since that's done now.
Comment #30
joseph.olstadNice work on this optimization, greatly appreciated!
Comment #31
slashrsm commentedComment #32
catchRebased after #3421164: Log every individual query in performance tests
Comment #33
longwaveThe change records need a bit of work.
https://www.drupal.org/node/3411040 says we are adding a new interface, but the interface already exists; we are only adding a new method to it.
https://www.drupal.org/node/3410706 doesn't really have enough information. We should explain briefly why
::validateName()is deprecated - the code is merged into::validateAuthentication(), which isn't clear - and what to do if you were overriding the login form and calling this before.Saving issue credits.
Comment #34
catchUpdated both CRs.
Comment #35
alexpottCommitted and pushed 589b8fe870 to 11.x and 95cc37fbfa to 10.3.x. Thanks!
Comment #38
alexpottAlso opened #3425342: Optimize \Drupal\basic_auth\Authentication\Provider\BasicAuth::authenticate() as a follow-up.
Comment #41
berdirThis seems problematic.
It breaks https://git.drupalcode.org/project/mail_login/-/blob/8.x-2.x/src/AuthDec... completely because that implements the interface directly as a decorator.
It also breaks the intent of that API because that and other modules (including our custom implementation) used that to allow logging in with the user e-mail and not only as the username. The new method doesn't allow that, because the user entity was already loaded.
Seems like maybe the whole thing should go the other way and maybe this API should check blocked status?
Comment #42
joseph.olstadBased on feedback from @Berdir
something overlooked here.
Comment #43
catchI had a quick look at putting the blocked logic on UserAuth::authenticate() but that runs into problems with the $uid/FALSE return value.
There are three reasons the method could return FALSE:
1. The username doesn't exist
2. The password is wrong
3. The user is blocked.
Then on top of that, we've got the extra flood control checking which can prevent login even if none of the above are true, although all that logic is in the form still.
For the login form, we currently tell people if the user is blocked - so to get this information we need to have a loaded user, but we can't get that information from a uid/FALSE return value. If we wanted to load the user outside this method and check if they're blocked, we'd need the uid, but you only get that if the auth was successful, so it would have to run the entity query again.
This makes me think we maybe need a new interface, it could be called
UserAuthenticationInterface, and it probably needs to return a value object like UserAuthenticationResult - with ::getAccount() ::isBlocked() methods at least.Comment #44
berdirI don't have a full picture yet, but having a new interface with new methods makes sense to me, then we can check for that and trigger a deprecation + keep the old logic for those sites.
Comment #46
catchThis doesn't cleanly revert so I've made a revert MR. Moving direct to RTBC because it's only a couple of small merge conflicts in StandardPerformanceTest so should be good as long as gitlab comes back green.
Comment #47
catch#2431357: Extract a reusable UserAuthFlood service and reuse it in UserLoginForm and BasicAuth and UserAuthenticationController is doing pretty much what I think we need for #3410582-43: Optimize user logins by avoiding duplicate entity queries so I may just try to revive that issue.
Comment #50
catchCommitted/pushed the revert MR. Back to needs work, but we might end up in #2431357: Extract a reusable UserAuthFlood service and reuse it in UserLoginForm and BasicAuth and UserAuthenticationController instead.
Comment #52
catchI started to look at re-rolling #2431357: Extract a reusable UserAuthFlood service and reuse it in UserLoginForm and BasicAuth and UserAuthenticationController but found a couple of issues - it's very far behind and much, much bigger scope than this issue, but more importantly, it would make the mail_login bc break potentially worse by ignoring the old service and using a brand new one, meaning logging in with e-mail would silently fail to work.
However thinking about the various ways the bc break could be ameliorated resulted in an idea - new interface UserAuthenticationInterface with two new methods: ::lookupAccount() and ::authenticateAccount(). mail_login then would only need to override ::lookupAccount() and ::authenticateAccount() could fall through to the interface.
Pushed up changes to the original MR - reverting the revert, then refactoring a bit to make the deprecation more graceful per the above.
This should make things slightly easier, or at least no-worse, for #2431357: Extract a reusable UserAuthFlood service and reuse it in UserLoginForm and BasicAuth and UserAuthenticationController too.
Comment #53
catchBecause we're deprecating the old interface we now need to incorporate #3410707: Optimize UserAuthenticationController by remove duplicate entity queries and #3410707: Optimize UserAuthenticationController by remove duplicate entity queries here to avoid triggering deprecation errors from those classes.
Comment #54
needs-review-queue-bot commentedThe Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".
This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
Comment #55
catchRebased.
Comment #56
catchUpdated the CR as well.
Comment #57
needs-review-queue-bot commentedThe Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".
This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
Comment #58
catchPretty sure the MR is mergable, it might be the needs review bot not liking the revert of the revert.
Comment #59
catchOpened #3427298: Deprecate UserAuthInterface.
Comment #60
smustgrave commentedCircled back on this one and appears all threads and feedback have been addressed.
Comment #61
catchComment #62
alexpott@catch that's a really neat way of addressing the problem. We still support the old interface till Drupal 12 but we allow us to optimise using the new interface. Great idea. We can work out how to clean this up during the 11.x cycle.
I think we could have a follow-up to deprecate UserAuthInterface and remove it from UserAuth.
Committed and pushed 31edb2aa23 to 11.x and 16082d0849 to 10.3.x. Thanks!
Comment #67
alexpottOops I didn't spend enough time reviewing
\Drupal\user\Controller\UserAuthenticationController. This did not implement the BC correctly. It still needs to call$this->userAuth->authenticate()when the injected $this->userAuth is the old interface - otherwise any of the existing decorations are going to be broken.Comment #68
catchGood spot, that would have been annoying. Added the extra interface check - kept it in the one if clause so that it's easier to remove.
Comment #69
alexpottI think we still need to change things to prevent double authenticating on failure.
Comment #70
catchApplied the changes, although they didn't quite work, but close enough after some tidying.
Comment #71
smustgrave commentedLeft a comment on the MR.
Checking the Change records https://www.drupal.org/node/3410706 when is this deprecated to be removed? May answer a question on the MR.
Comment #72
catchApplied the suggestion on the MR and replied to the other thread.
Comment #73
smustgrave commentedThanks, sorry for not catching that before.
Comment #74
alexpottCommitted and pushed 1916b7863e to 11.x and 2076c3d9fe to 10.3.x. Thanks!
Comment #77
catchTagging this for release highlights - it's not much by itself but combined with other performance improvements could make up part of a decent paragraph.
Comment #79
anybodySeems like we have a bug and BC break here, please see #3456738: BC break in login auth changes from #3444978
Updating to Drupal 10.3.0 currently breaks logins with certain login related contrib modules.
Thank you.