Feature | Add AuthService validateCredentials method

[matiasperrone-exo]

Task:

Ref: https://app.clickup.com/t/86b9j51aa

Depends on:

• https://app.clickup.com/t/86b9h8xt1 - Feature | Implement Two-Factor Authentication (2FA) support for users #126

Summary

Adds validateCredentials() and loginUser() to AuthService as the foundation for the MFA two-step login flow. The new methods split what was previously a single login() call into two discrete phases: verify the password (phase 1, no session) and establish the session (phase 2, after the second factor passes).

Changes

app/libs/Auth/AuthService.php

• validateCredentials(string $username, string $password): User — validates credentials via Auth::getProvider()->retrieveByCredentials() without calling Auth::attempt(), so no session is established. Pre-checks the user's active state before touching the provider; if the account is locked it throws immediately with a distinct "is locked" message (the provider swallows AuthenticationLockedUserLoginAttempt and returns null, masking the lock state). Security checkpoints such as LockUserCounterMeasure still fire on provider-level failures.
• loginUser(User $user, bool $remember): void — thin wrapper around Auth::login() for use after the second factor is verified.

app/libs/Utils/Services/IAuthService.php

• Added validateCredentials() and loginUser() to the interface with full doc-blocks explaining the session-safety contract.

Tests

• tests/unit/AuthServiceValidateCredentialsTest.php — isolated unit tests (Mockery alias mocks for Auth and Log facades, run in separate processes). Covers: valid credentials
  return user without session, invalid credentials throw AuthenticationException, locked account short-circuits before calling the provider, active user does not take the locked path, loginUser() with remember = true/false.
• tests/AuthServiceValidateCredentialsIntegrationTest.php — integration test against the real database and security-checkpoint stack. Verifies that a failed validateCredentials() call increments login_failed_attempt via LockUserCounterMeasure, and that a successful call returns the User entity without establishing a session (Auth::check() stays false).

Test plan

• Run unit suite: docker compose exec app ./vendor/bin/phpunit tests/unit/AuthServiceValidateCredentialsTest.php
• Run integration test: docker compose exec app ./vendor/bin/phpunit tests/AuthServiceValidateCredentialsIntegrationTest.php
• Run full suite to check for regressions: docker compose exec app ./vendor/bin/phpunit

---

Requested Goal

Current state

AuthService::login() validates credentials AND establishes a session in a single call. There is no way to validate a user's password without logging them in, which is required to insert a 2FA gate between credential validation and session establishment.

Target state

AuthService exposes a new validateCredentials(string $username, string $password): User method that validates the password via the existing CustomAuthProvider::retrieveByCredentials() (which handles attempt tracking and account locking via security checkpoints) and returns the authenticated User object WITHOUT establishing a
session. Throws AuthenticationException on failure.

TASKS

• Add validateCredentials() method to IAuthService interface
• Implement validateCredentials() in AuthService: delegates to Auth::getProvider()->retrieveByCredentials() with username and password, throws AuthenticationException if user is null
• Add loginUser(User $user, bool $remember) method to IAuthService interface (needed by verify2FA to establish session after 2FA succeeds) → it should call Auth::login($user, $remember);
• Write unit test: valid credentials return User object without session being established
• Write unit test: invalid credentials throw AuthenticationException
• Write unit test: locked account throws AuthenticationException with locked-account message
• Write integration test: validateCredentials() triggers security checkpoint tracking (failed attempt counter increments on failure)

ACCEPTANCE CRITERIA

• validateCredentials() with correct username/password returns the User object
• validateCredentials() with wrong password throws AuthenticationException
• validateCredentials() does NOT call Auth::login() or establish any session
• After validateCredentials() succeeds, Session::get('login_web') is null (no authenticated session)
• Security checkpoints still fire: failed attempts increment the counter, account locking still triggers after threshold
• loginUser() establishes a Laravel session for the given User object ( call Auth::login() )
• All tests pass

DEVELOPMENT NOTES

Key files:

• Modified: app/Services/Auth/IAuthService.php (interface)
• Modified: app/Services/Auth/AuthService.php (implementation)
• Modified: app/libs/Auth/CustomAuthProvider.php (reference only, do not modify)
• New: tests/Unit/AuthServiceValidateCredentialsTest.php

Gotchas:

• CustomAuthProvider::retrieveByCredentials() is the ONLY path for credential validation. Do NOT duplicate password checking logic. The provider handles password hashing, security checkpoints,
  and lock countermeasures.
• The existing login() method calls Auth::attempt() which both validates AND establishes a session. validateCredentials() must NOT use Auth::attempt().
• LockUserCounterMeasure tracks failed attempts. Ensure validateCredentials() triggers this on failure by going through the same code path as the existing login flow.

Out of scope:

Controller changes

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 67211df3-2ebb-4dab-880b-41676e45102d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/mfa-phase1-authservice-validatecredentials-method

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.

[martinquiroga-exo]

@matiasperrone-exo please see comments

[smarcet]

@matiasperrone-exo please review comments
@matiasperrone-exo @martinquiroga-exo changes on existent code are out of scope
anything like that should be discussed before any proposed changes

[martinquiroga-exo]

LGTM

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.

[smarcet]

@martinquiroga-exo the ticket ask for

Implement validateCredentials() in AuthService: delegates to Auth::getProvider()->retrieveByCredentials() with username and password, throws AuthenticationException if user is null

but the code is not following that please re review it

https://github.com/OpenStackweb/openstackid/pull/127/changes#diff-31b8c36cbff745e9a0410953fc435b4b933632a787b6815b2e861af3a5f6adb3R198

[smarcet]

@martinquiroga-exo @matiasperrone-exo please re review

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.

[caseylocker]

Two outstanding items before this can merge — both scoped to the new validateCredentials() method, no existing-code changes required:

1. The post-retrieveByCredentials() guard doesn't match what was requested in the prior review.
2. UnverifiedEmailMemberException escapes validateCredentials() uncaught, violating the IAuthService contract.

Inline comments below. Also worth a quick rewrite of the PR description before merge — it still describes the pre-check and getCurrentUser() instanceof User guard that were reverted in 70ba198, so the merged record won't match the diff.

[matiasperrone-exo]

Two outstanding items before this can merge — both scoped to the new validateCredentials() method, no existing-code changes required:

1. The post-retrieveByCredentials() guard doesn't match what was requested in the prior review.
2. UnverifiedEmailMemberException escapes validateCredentials() uncaught, violating the IAuthService contract.

Inline comments below. Also worth a quick rewrite of the PR description before merge — it still describes the pre-check and getCurrentUser() instanceof User guard that were reverted in 70ba198, so the merged record won't match the diff.

All the suggestion were introduced.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.

[caseylocker]

LGTM

[matiasperrone-exo]

@smarcet please review again thanks!

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-127/

This page is automatically updated on each push to this PR.