- 🇮🇳India virajrajankar Pune
I was facing this same issue for the reset password workflow, and have implemented this solution to bypass TFA for the reset password screen.
Note: if you implement this, a Drupal user can bypass the TFA auth by using the reset password feature.
- 🇺🇸United States cmlara
Until a 7.x branch maintainer reviews this issue I would advise against using patch #10.
I'm not a D7 branch maintainer; however, I'm 'hiding' Patch #10 based on the following initial analysis:
- Bypassing TFA for password reset is a security vulnerability, see SA-CONTRIB-2023-030,
- The patch checks for a user-supplied header that can easily be spoofed by an attacker. On initial glance this appears to allow an attacker to bypass TFA at will.
- Status changed to Postponed: needs info
- 🇸🇰Slovakia poker10 (6:55pm 28 October 2023)
Thanks all for working on this.
Re #7: I have tested this with only TFA + TFA Basic enabled, with an account configured with TOTP. After I clicked the one-time login link and tried to log in, I was redirected to the TFA code form. When I entered the code successfully, I was redirected correctly to the user edit form, where I was able to change the password. So maybe I am missing something, but it seems like this is a problem only in combination with another TFA contrib module?
Also, this basic scenario seems to work on drupal.org as well: if you have TFA enabled and you request a password reset link, you need to enter the TFA code, and then you are able to reset the password without any problems.
Can you please provide more information on how to simulate this issue without TFA Duo? And if it is present only with TFA Duo, what are the reasons to consider this a bug in TFA instead of TFA Duo?
Re #10: The patch is wrong, and we are not going to commit such a patch, which would bypass the TFA form while resetting the password. You need to enter the TFA code; otherwise the TFA module would be useless.
Thanks!
- Status changed to Closed: cannot reproduce
- 🇺🇸United States cmlara (6:31am 15 January 2025)
Drupal 7 end-of-life triage:
Drupal 7 reached end of life on January 5th. The 7.x branches of TFA do not have any additional planned releases.
The requests in this issue do not appear to exist in the 8.x-1.x and newer branches.