[5.7] Use Request::validate() macro in Auth traits

[cmorbitzer]

The traits AuthenticatesUsers, ResetsPasswords, and SendsPasswordResetEmails currently call ValidatesRequests::validate() in order to validate request data. However, ValidatesRequests is not listed as a dependency of these traits and even though the base controller of the default Laravel installation includes this trait, it is technically optional.

This PR uses the Request::validate() function that is macroed in FoundationServiceProvider since 5.5 (#19063) because that is more likely to be available.

This is technically a breaking change because it's possible for an installation not to include FoundationServiceProvider. However, all examples of validation in the Laravel documentation use this method instead and it is much more likely that a developer would remove the ValidatesRequests trait from the base controller for disuse than for the FoundationServiceProvider to be removed, especially considering that there is no mention of FoundationServiceProvider or of removing the framework service providers in config/app.php in the documentation. Still, I'm willing to resubmit this for 5.8.

[sisve]

This change will silently stop calling people's overridden LoginController::validate method. It's basically a huge silent change in behavior. Code that has worked for ages are suddenly no longer invoked, and custom validation of user-data in authentication controllers is no longer performed. There's no exception, nothing logged, that the custom security checks implemented for the last few years (since Laravel 5.0) is no longer checked.

A breaking change doesn't mean that the new code will not work. This is not only a breaking change because the small possibility that the FoundationServiceProvider is missing; it's a enormous breaking change because any existing application logic needs to be refactored into new places to have effect again.

[cmorbitzer]

I'm sympathetic and willing to submit this for 5.8.

However, in defense of the change, overriding ValidatesRequests::validate doesn't seem like such a good idea even for only one controller since the under-the-hood mechanics of that method are undocumented and subject to change. Every tutorial I've seen so far on how to customize the login input validation recommends overriding the validateLogin/validateEmail methods instead, which won't break with this change.

[rekrios]

rly? how can developers make such changes between minor versions?

[antimech]

I am confused. Why is it a minor change?