Evaluate restoring using a form alter instead of extending UserLoginForm

Uploaded a prototype that was based on some code from last year along with some newer edits of what converting to a form alter could look like.

This ends up being larger than I expected it to be. In hindsight it makes sense as much of the TfaUserLoginForm was our unique code.

This does however have the advantage that it should remain generally compatible with core, and I believe contrib as well. The largest advantage is we are no longer extending an internal core class.

The negative is we are tied to the form_state UID value usage.

Key Design Concepts:

• While Core and Contrib are attempting to validate passwords in the form Validate stage TfaUserAuth is instructed to not expect a token to be present.
• Any module that sets the form_state uid value can be combined with TFA.
• tfaValidateSubmit will check if a token is necessary and if so redirect to the TfaEntryForm.

All this is backed up by TfaUserSetSubscriber preventing logins occurring during the validation or submit stage for a user who needs to visit the TfaEntryForm.

If tfaLoginFormPreValidation() is removed by another module users can still log in similar to REST by providing token at the end of the password (failsafe to broken site).

Note: This currently doesn't work with mail_login as TFA needs to know the account name during the pre_auth stage.

Drupal\user\UserAuthenticationInterface::lookupAccount() could resolve this, although it will not be until D12 that it is fully implemented.

I would suggest 🐛 Implement Drupal\user\UserAuthenticationInterface Needs review handle that scenario after this issue is merged (unless that issue is merged first).

We likely need a post_update hook to remove/convert the Tfa User Login block.

Created CR: https://www.drupal.org/node/3527521 →

Added admin facing documentation in GitLab Pages format.

Automatically closed - issue fixed for 2 weeks with no activity.