Rework user_pass_rehash into an AccountTokenGenerator

Created on 10 May 2015, almost 10 years ago
Updated 30 January 2023, about 2 years ago

Problem/Motivation

The user_pass_rehash function generates an HMAC keyed by user credentials. Its primary purpose is to generate tamper-proof password-reset links and ensure that they can only be used once.

A nice effect of using the hashed password as the HMAC key is that existing authentication tokens automatically become invalid if the password is changed. This is a feature which is interesting for other use-cases as well, e.g. #2472535: Remove SessionManager::delete in favor of a portable mechanism to invalid sessions of authenticated users.

Proposed resolution

Extract account_token service (AccountTokenGenerator) from user_pass_rehash().

Remaining tasks

Write tests.
Review, commit.

User interface changes

None.

API changes

Deprecates user_pass_rehash().
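
The mechanism described under Problem/Motivation, shown as an added PHP example; it is not Drupal's user_pass_rehash() or the proposed AccountTokenGenerator. The array keys, `SITE_SECRET`, `TOKEN_TTL` and both function names are assumptions, as is the choice to get single use by including the last-login time in the signed data.

```php
<?php
declare(strict_types=1);

// Added illustration only: not Drupal's user_pass_rehash() or the proposed
// AccountTokenGenerator. Array keys and constants are assumptions.
const SITE_SECRET = 'constructed-site-secret';  // constructed value
const TOKEN_TTL = 86400;                        // assumed lifetime in seconds

function account_token(array $account, int $timestamp): string {
  // Message: values that must be unchanged between issuing and redeeming.
  // JSON encoding keeps field boundaries unambiguous.
  $data = json_encode([$timestamp, $account['last_login'], $account['uid'], $account['mail']]);
  // Key: site secret plus stored password hash, so a password change
  // rotates the key and every outstanding token stops verifying.
  $key = SITE_SECRET . $account['pass_hash'];
  $mac = hash_hmac('sha256', $data, $key, true);
  return rtrim(strtr(base64_encode($mac), '+/', '-_'), '=');  // URL-safe
}

function account_token_valid(array $account, int $timestamp, string $token, int $now): bool {
  if ($timestamp > $now || $now - $timestamp > TOKEN_TTL) {
    return false;  // issued in the future, or expired
  }
  // Recompute from the current account state; compare in constant time.
  return hash_equals(account_token($account, $timestamp), $token);
}

// Constructed sample account and reset-link parameters.
$account = ['uid' => 42, 'mail' => 'user@example.com', 'last_login' => 1700000000,
            'pass_hash' => '$2y$10$constructedOldHashValue'];
$issued = 1700003600;
$token = account_token($account, $issued);
$now = $issued + 600;

$results = [
  'untouched link'        => account_token_valid($account, $issued, $token, $now),
  'timestamp altered'     => account_token_valid($account, $issued + 1, $token, $now),
  'other account (uid 1)' => account_token_valid(['uid' => 1] + $account, $issued, $token, $now),
  'after password change' => account_token_valid(['pass_hash' => '$2y$10$constructedNewHashValue'] + $account, $issued, $token, $now),
  'after a login'         => account_token_valid(['last_login' => $now - 60] + $account, $issued, $token, $now),
  'after expiry'          => account_token_valid($account, $issued, $token, $issued + TOKEN_TTL + 1),
];
foreach ($results as $case => $ok) {
  printf("%-22s %s\n", $case, $ok ? 'accepted' : 'rejected');
}
```

Nothing is stored per token: validity is decided entirely by recomputing the HMAC from the account's current state, which is why changing the password or logging in is enough to revoke a link.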

📌 Task
Status

Needs work

Version

10.1 ✨

Component
User system

Last updated 2 days ago

Created by

🇨🇭 Switzerland znerol

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
