validate(); $loginForm = new LoginForm(); $loginForm->login = $this->username; $loginForm->password = $this->password; if (!$loginForm->validate()) { $errors = $loginForm->getFirstErrors(); if (isset($errors['login']) && $errors['login'] === E::ACCOUNT_BANNED) { // We believe that a blocked one can get out painlessly return true; } // The previous authorization server implementation used the nickname field instead of username, // so we keep such behavior $attribute = $loginForm->getLoginAttribute(); if ($attribute === 'username') { $attribute = 'nickname'; } throw new ForbiddenOperationException("Invalid credentials. Invalid {$attribute} or password."); } // We're unable to invalidate access tokens because they aren't stored in our database return true; } }