Skip to content

Inconsistent Behavior in EloquentUserProvider::retrieveByCredentials on Missing User - Clarification #56034

Closed
@mbottiniep

Description

@mbottiniep

Laravel Version

10.48.29

PHP Version

8.2.26

Database Driver & Version

No response

Description

While investigating an authentication-related issue, we came across a behavioral difference between EloquentUserProvider and DatabaseUserProvider.

When attempting an authentication using a guard with EloquentUserProvider, if the user is not found, retrieveByCredentials() returns null, and validateCredentials() is never called: https://github.com/laravel/framework/blob/12.x/src/Illuminate/Auth/SessionGuard.php#L481

In contrast, DatabaseUserProvider returns a dummy user object even when no user is found, which causes validateCredentials() to be executed regardless.

We’re not sure if this is an intentional design decision or an inconsistency between the two providers, so we wanted to raise it here for clarification.

Thanks!

Steps To Reproduce

Just a clarification request, but it can be reproduced by checking the different retrieveByCredentials() method results using the two mentioned providers.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions