Skip to content
This repository was archived by the owner on Jul 24, 2023. It is now read-only.

Commit 3cd8cca

Browse files
stevebaumanstevebauman
committed
Return false on LDAP authentication failure
1 parent a360038 commit 3cd8cca

File tree

1 file changed

+40
-38
lines changed

1 file changed

+40
-38
lines changed

src/Auth/DatabaseUserProvider.php

Lines changed: 40 additions & 38 deletions
Original file line numberDiff line numberDiff line change
@@ -125,46 +125,48 @@ public function retrieveByCredentials(array $credentials)
125125
*/
126126
public function validateCredentials(Authenticatable $model, array $credentials)
127127
{
128-
// We'll check if we have an LDAP user, and then make sure
129-
// they pass authentication before going further.
130-
if (
131-
$this->user instanceof User &&
132-
$this->getResolver()->authenticate($this->user, $credentials)
133-
) {
134-
$this->handleAuthenticatedWithCredentials($this->user, $model);
135-
136-
// Here we will perform authorization on the LDAP user. If all
137-
// validation rules pass, we will allow the authentication
138-
// attempt. Otherwise, it is automatically rejected.
139-
if ($this->newValidator($this->getRules($this->user, $model))->passes()) {
140-
// We'll check if we've been given a password and that
141-
// syncing password is enabled. Otherwise we'll
142-
// use a random 16 character string.
143-
if ($this->isSyncingPasswords()) {
144-
$password = $credentials['password'];
145-
} else {
146-
$password = str_random();
128+
if ($this->user instanceof User) {
129+
// If an LDAP user was discovered, we can go
130+
// ahead and try to authenticate them.
131+
if ($this->getResolver()->authenticate($this->user, $credentials)) {
132+
$this->handleAuthenticatedWithCredentials($this->user, $model);
133+
134+
// Here we will perform authorization on the LDAP user. If all
135+
// validation rules pass, we will allow the authentication
136+
// attempt. Otherwise, it is automatically rejected.
137+
if ($this->newValidator($this->getRules($this->user, $model))->passes()) {
138+
// We'll check if we've been given a password and that
139+
// syncing password is enabled. Otherwise we'll
140+
// use a random 16 character string.
141+
if ($this->isSyncingPasswords()) {
142+
$password = $credentials['password'];
143+
} else {
144+
$password = str_random();
145+
}
146+
147+
// If the model has a set mutator for the password then we'll
148+
// assume that we're using a custom encryption method for
149+
// passwords. Otherwise we'll bcrypt it normally.
150+
$model->password = $model->hasSetMutator('password') ?
151+
$password : bcrypt($password);
152+
153+
// All of our validation rules have passed and we can
154+
// finally save the model in case of changes.
155+
$model->save();
156+
157+
// If binding to the eloquent model is configured, we
158+
// need to make sure it's available during the
159+
// same authentication request.
160+
if ($this->isBindingUserToModel($model)) {
161+
$model->setLdapUser($this->user);
162+
}
163+
164+
return true;
147165
}
148-
149-
// If the model has a set mutator for the password then we'll
150-
// assume that we're using a custom encryption method for
151-
// passwords. Otherwise we'll bcrypt it normally.
152-
$model->password = $model->hasSetMutator('password') ?
153-
$password : bcrypt($password);
154-
155-
// All of our validation rules have passed and we can
156-
// finally save the model in case of changes.
157-
$model->save();
158-
159-
// If binding to the eloquent model is configured, we
160-
// need to make sure it's available during the
161-
// same authentication request.
162-
if ($this->isBindingUserToModel($model)) {
163-
$model->setLdapUser($this->user);
164-
}
165-
166-
return true;
167166
}
167+
168+
// LDAP authentication failure.
169+
return false;
168170
}
169171

170172
if ($this->isFallingBack() && $model->exists) {

0 commit comments

Comments
 (0)