Description
Laravel Version
10.48.29
PHP Version
8.2.26
Database Driver & Version
No response
Description
While investigating an authentication-related issue, we came across a behavioral difference between EloquentUserProvider and DatabaseUserProvider.
When attempting an authentication using a guard with EloquentUserProvider, if the user is not found, retrieveByCredentials()
returns null
, and validateCredentials()
is never called: https://github.com/laravel/framework/blob/12.x/src/Illuminate/Auth/SessionGuard.php#L481
In contrast, DatabaseUserProvider returns a dummy user object even when no user is found, which causes validateCredentials() to be executed regardless.
We’re not sure if this is an intentional design decision or an inconsistency between the two providers, so we wanted to raise it here for clarification.
Thanks!
Steps To Reproduce
Just a clarification request, but it can be reproduced by checking the different retrieveByCredentials() method results using the two mentioned providers.