Reset Password Feature not working when TFA is enabled

Created on 22 January 2023, over 1 year ago
Updated 12 July 2023, 12 months ago

Problem/Motivation

When the TFA module is enabled and a user goes through the forgot/reset password flow, TFA doesn't seem to work.
There is a patch which I found which is for the same purpose (https://www.drupal.org/files/issues/2021-10-26/2930355-32.patch). But this also solves the problem partially. After adding this patch the TFA link keeps on redirecting recursively and then the request fails.

Steps to reproduce

1) Enable TFA module and enable it for a role.

2) Log in with the account having TFA enabled and set up TFA.

3) Log out and click on the forgot password link on the login form.

4) Add the email address associated with that account.

5) Click on the link received in the mail.

6) Click on the login button on reset pass page.

7) If the above patch is enabled, it will keep on redirecting; else it will skip TFA altogether.

🐛 Bug report
Status

Closed: outdated

Version

1.0

Component

Code

Created by

🇮🇳India vikas_pal_1989

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.


Comments & Activities

  • Issue created by @vikas_pal_1989
  • 🇮🇳India vikas_pal_1989

    This patch is destroying the session before the TFA module initiates a fresh session for reset password.

  • 🇮🇳India vikas_pal_1989

    Fixed the issue on edit profile page where it is asking for old password which should not be the case.

  • 🇺🇸United States cmlara

    Categorizing release blockers.

  • Status changed to Closed: outdated 12 months ago
  • 🇺🇸United States cmlara

    Closing as outdated on SA-CONTRIB-2023-030.

    Please note in the future for security-related issues they should be reported privately, though I'll concede this issue was a bit more complex in that it was publicly known and yet a maintainer tagged a stable release with it present.

    NOTE: On January 29th 2023, as one of the reporters on SA-CONTRIB-2023-030 (I was not yet a maintainer) I requested the Drupal Security Team mark this issue private. When the security team and maintainer had not yet acted I used the April 13th update to ensure sites had a better chance to observe these known public faults and protect themselves.
