+ // Addons registered with the "authenticate" hook may create the user on the
+ // fly. `getAuthenticationInfo` will fail if the user doesn't exist yet. If
+ // the user doesn't exist, we should give the addons a chance to create the
+ // user in our database, if applicable, before re-throwing the exception if
+ // they fail.
+ try {
+ $user = self::getAuthenticationInfo($user_info);
+ } catch (Exception $e) {
+ $username = (is_string($user_info) ? $user_info : $user_info['nickname'] ?? '');
+
+ // Addons can create users, and since this 'catch' branch should only
+ // execute if getAuthenticationInfo can't find an existing user, that's
+ // exactly what will happen here. Creating a numeric username would create
+ // abiguity with user IDs, possibly opening up an attack vector.
+ // So let's be very careful about that.
+ if (empty($username) || is_numeric($username)) {
+ throw $e;
+ }
+
+ return self::getIdFromAuthenticateHooks($username, $password);
+ }