Contrib.social

Users have to enter their current password when trying to reset password using reset url token, while 2fa and login_redirect_per_role module is enabled

Open on Drupal.org →
Created on 2 August 2023, almost 2 years ago

Problem/Motivation

Users have to enter their current password when trying to reset password using reset url token, when 2fa and login_redirect_per_role module is enabled.

Steps to reproduce

  • Download drupal core
  • composer require 'drupal/tfa:^1.2'
  • composer require 'drupal/login_redirect_per_role:^1.9'
  • composer require 'drupal/sodium:^2.4'
  • Go to admin/modules make sure to install tfa, login_redirect_per_role, and sodium
  • Go to admin/people/login-and-logout-redirect-per-role and set a login Redirect URL to /admin/content for authenticated users
  • Go to admin/config/system/keys/add
  • Choose any key name
  • Set key type to Encryption
  • Set the default Key size to 256 bytes
  • Keep Key provider as Configuration
  • Set a 32 digit key as the key value (Random letters are fine if it's a test site, but generate something more securely for real site)
  • Go to /admin/config/system/encryption/profiles/add
  • Add encryption profile
  • Choose Sodium as Encryption Method
  • Choose {Encryption key created earlier} as Encryption Key
  • Click Save
  • Go to /admin/config/people/tfa
  • Check Enable TFA checkbox
  • Keep other values as default
  • Press Save Configuration button
  • Give the following permissions to the user in /admin/people/permissions
  • Grant permission Node > Access the Content overview page to Authenticated user
  • Grant permission Set up TFA for account to Authenticated user
  • Go to /admin/people/create
  • Create a new user
  • Open a private browsing window
  • Login with the new user
  • Go to /user
  • Click tfa tab beside edit
  • Setup the TFA
  • Logout from the newly created user
  • Go to user/login and log in with the newly create user
  • Enter your tfa credentials
  • Ensure you get redirected to the /admin/content page
  • Log out from the newly create user
  • Go to the user/password (forgot password)
  • Enter the username and press submit
  • Go to mailhog and copy the generated url with the token
  • Go back to the private window and paste and go to the link
  • Since you'll be redirected to the content page, you'll lose the temporary authorization and therefore when going to edit profile you need to enter the current password

Proposed resolution

The issue is that the “Login And Logout Redirect Per Role” module redirects the user to a set page after the user logs in, but it shouldn’t intervene after the reset. It does this by checking the route name isn’t user.reset, as shown in LoginRedirectPerRole.php. However, now that 2FA kicks in when resetting password, the route name isn’t user.reset any more but is tfa.entry instead.
We can patch the “Login And Logout Redirect Per Role” module so that it no longer intervenes when the user came to the 2FA screen (tfa.entry) from password reset, and we can determine this by whether the "pass-reset-token" query string parameter is present. When this query string parameter is absent, the module should continue to redirect the user to the desired view after logging in.

Remaining tasks

  1. Write a patch
  2. Review and feedback
  3. RTBC and feedback
  4. Commit and release

User interface changes

None

API changes

None

Data model changes

None

🐛 Bug report
Status

Active

Version

1.0

Component

Code

Created by

🇨🇦Canada alireza.tayari Ontario

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024