Problem/Motivation
In UserLoginForm, first we check if the user name matches a blocked user via an entity query.
Then we check if the user name matches a not-blocked user before checking flood control by username, via another entity query.
Once the user has passed flood control, we then call UserAuth::authenticate() with the username and password - this runs the second entity query again to locate the user by username that we've already done.
Steps to reproduce
Watch database queries (via Drupal's performance testing framework + Gander or just have a look at the test coverage changes.
Proposed resolution
Add UserAuth::authenticateAccount($account, $password) to save looking up the user twice, then use it in UserLoginForm.
Because the authentication validator checks if users are active (and exist) before trying to authenticate them, we only need to check if they're blocked if they fail to validate to show a different validation message. IMO this validation message is a bit questionable, but trying to keep functionality the same.
This is stacked on #3410419: Only clear flood attempts when necessary during user login due to affecting the same lines of test coverage, but the fixes are independent otherwise.
If the login fails, fallback to checking if the user is blocked to maintain the same message in that case.
Deprecate User::validateName()