Untitled

The controller does what it is suppose to do: Control. User authentication can mainly be seen as a controlling method to either allow or deny a user access.

There is no problem if you want to create a function validateUser($username,$password) within your model.

However placing validation in the Model can strain on resources.
1.) You need to pass values values every time to authenticate
2.) authenticating every time on the model means additional and unnecessary load

If you do want to authenticate write a small wrapper... e.g. you wish to add a new product via API, but it will require adding details to another table as well. Here, you have 2 tables you need to add to, so you create a single point of entry (wrapper) and place the authentication model here.

function myAddUserWrapper($loginArray, $productArray, $categoryArray)
{
  $auth = $this->validateUser($loginArray);
  if (!$auth)
    return 'NO!'

 $this->createProduct($productArray);
 $this->categoryProduct($categoryArray);

}

ps: the wrapper i am refering to is just a small function that combines relevant details together as per example.

Hope it helps.