Recently I have upgraded a customer site from Drupal 5 to Drupal 6. The site contains a number of custom modules that required considerable work because of some changes in the Drupal API. One of the API changes is the removal of hook_info and hook_auth.

The new authentication mechanism has two advantages:

First of all, two authentication-specific hooks have been eliminated. There is no replacement hook, instead you must use hook_form_alter to replace the built-in validation functions of the user login form. This is a more general and more flexible approach and it shows the power of the current form API. You can check user_login_block and user_login_default_validators for examples.

Secondly, there is a lot more flexibility to do error reporting when authentication fails. In Drupal 5 when hook_auth returned false, Drupal would always display the error message "Sorry, unrecognized username or password. Have you forgotten your password?" even though the real problem might be something else, for example a remote server responsible for doing the actual verification of the password is not available. In Drupal 6 you can fully control which messages get displayed during an authentication failure.

Even though there is some work involved to migrate custom authentication functionality to Drupal 6, the end result is code that is much cleaner and more powerful.