Contrib.social

Remove TOTP/HOTP plugins from TFA module (adding was a regression)

Open on Drupal.org β†’
Created on 11 April 2023, over 1 year ago
Updated 13 April 2023, over 1 year ago

Problem/Motivation

πŸ“Œ Merge ga_login module Fixed regressed #2928728: Remove Totp and Hotp validation plugins after they are moved to ga_login β†’

By forcing TOTP and HOTP as part of the base TFA module we compel sites to install additional libraries that may not be necessary in their environment., specifically chillerlan/php-qrcode and christian-riesen/otp

A site administrator may wish to use a TOTP or HOTP implementation different from the ones provided by the TFA module and having multiple plugins providing similar names can lead to confusion in the UI.

Steps to reproduce

N/A

Proposed resolution

Move TOTP/HOTP back to a separate module.

Remaining tasks

Patch

User interface changes

None

API changes

None

Data model changes

None

πŸ“Œ Task
Status

Closed: works as designed

Version

2.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States cmlara

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @cmlara
  • Status changed to Closed: works as designed over 1 year ago
  • Comment over 1 year ago β†’
    πŸ‡΅πŸ‡ΉPortugal jcnventura

    The module should cater for the 99%. For those 99% of uses, as seen by the fact that there's essentially a 1:1 install rate between ga_login and tfa in Drupal 8+, it is clear that the vast majority of users used the ga_login module.

    The fact that these modules were in a separate module led to a few confused users raising support tickets for not understanding how the module worked.

    Any user sufficiently advanced to want to use their own TOTP plugins should also know how to do the following two easy steps if the presence of the provided plugins is a nuisance:

    • Add a line to their project's root composer.json to replace the undesired libraries
    • Patch the module to disable the current plugins from being shown as options
  • Comment over 1 year ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    Patch the module to disable the current plugins from being shown as options

    As I'm sure you are aware as the modules maintainer, keeping a TFA module secure is not a simple task, it takes skill to do so, as such patching of security modules is generally not recommended, yes it can be done, however any reasonable security audit should be raising significant questions if it is.

    The fact that these modules were in a separate module led to a few confused users raising support tickets for not understanding how the module worked.

    Couldn't this be solved by adding UI "No Authentication modules detected, consider installing drupal/ga_login" (or whatever replacement module there is)

    Add a line to their project's root composer.json to replace the undesired libraries

    Not currently an option without also patching the module, since the plugins are always loaded by the UI, and do not use DI for the additional libraries. Addtionaly even if a generic OTP library existed and the plugins supported DI this would still require a library to be installed, even if its not used.

    as seen by the fact that there's essentially a 1:1 install rate between ga_login and tfa in Drupal 8+

    I will agree I would expect it to be common, making drupal/tfa require drupal/ga_login would actually be easier to replace as a contributing module could have a composer replace drupal/ga_login entry without requiring patching to TFA itself. As an added bonus this would also help limit potential SA notices scope to only their target audiance, no need to upgrade the full TFA module if its just a token module that isn't installed on a site. This is the concept of "small packages focus on limited tasks and use other packages to extend" similar to Drupal core.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024