Users have to enter their current password when trying to reset password using reset url token, while 2fa and login_redirect_per_role module is enabled

Created on 2 August 2023, 11 months ago

Problem/Motivation

Users have to enter their current password when trying to reset password using reset url token, when 2fa and login_redirect_per_role module is enabled.

Steps to reproduce

Download drupal core
composer require 'drupal/tfa:^1.2'
composer require 'drupal/login_redirect_per_role:^1.9'
composer require 'drupal/sodium:^2.4'
Go to admin/modules make sure to install tfa, login_redirect_per_role, and sodium
Go to admin/people/login-and-logout-redirect-per-role and set a login Redirect URL to /admin/content for authenticated users

Go to admin/config/system/keys/add
Choose any key name
Set key type to Encryption
Set the default Key size to 256 bytes
Keep Key provider as Configuration
Set a 32 digit key as the key value (Random letters are fine if it's a test site, but generate something more securely for real site)
Go to /admin/config/system/encryption/profiles/add
Add encryption profile
Choose Sodium as Encryption Method
Choose {Encryption key created earlier} as Encryption Key
Click Save
Go to /admin/config/people/tfa
Check Enable TFA checkbox
Keep other values as default
Press Save Configuration button
Give the following permissions to the user in /admin/people/permissions
Grant permission Node > Access the Content overview page to Authenticated user
Grant permission Set up TFA for account to Authenticated user

Go to /admin/people/create
Create a new user
Open a private browsing window
Login with the new user
Go to /user
Click tfa tab beside edit
Setup the TFA
Logout from the newly created user

Go to user/login and log in with the newly create user
Enter your tfa credentials
Ensure you get redirected to the /admin/content page
Log out from the newly create user
Go to the user/password (forgot password)
Enter the username and press submit
Go to mailhog and copy the generated url with the token
Go back to the private window and paste and go to the link
Since you'll be redirected to the content page, you'll lose the temporary authorization and therefore when going to edit profile you need to enter the current password

Proposed resolution

The issue is that the “Login And Logout Redirect Per Role” module redirects the user to a set page after the user logs in, but it shouldn’t intervene after the reset. It does this by checking the route name isn’t user.reset, as shown in LoginRedirectPerRole.php. However, now that 2FA kicks in when resetting password, the route name isn’t user.reset any more but is tfa.entry instead.
We can patch the “Login And Logout Redirect Per Role” module so that it no longer intervenes when the user came to the 2FA screen (tfa.entry) from password reset, and we can determine this by whether the "pass-reset-token" query string parameter is present. When this query string parameter is absent, the module should continue to redirect the user to the desired view after logging in.

Remaining tasks

Write a patch
Review and feedback
RTBC and feedback
Commit and release

User interface changes

None

API changes

None

Data model changes

None

🐛 Bug report

Status

Needs review

Version

1.0

Component

Code

Created by

🇨🇦Canada alireza.tayari Ontario

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @alireza.tayari
Open in Jenkins → Open on Drupal.org →
Core: 10.0.7 + Environment: PHP 7.4 & MySQL 5.7
last update 11 months ago
Composer require failure
@alirezatayari opened merge request.
Status changed to Needs review 11 months ago2:49pm 2 August 2023
Comment 11 months ago →
🇨🇦Canada alireza.tayari Ontario
The merge request is ready to review. Feedback welcome.

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024