basic_auth users locked out due to new password hashing algorithm

Created on 27 November 2023, 7 months ago
Updated 25 May 2024, 22 days ago

Problem/Motivation

User accounts that rely solely on basic_auth for authentication will be locked out after an upgrade to Drupal 10.1.x.
The issue is caused by the new password hashing algorithm (https://www.drupal.org/node/3322420).
basic_auth does not appear to be re-hashing the user password in the same way a UI login would, resulting in a user being locked out.

This is especially concerning as many accounts using basic_auth will be automated json_api processes where a failure may not be immediately obvious. Accounts may end up in the flood table.

Steps to reproduce

- Setup a basic_auth user on a Drupal core 10.0.x site
- Upgrade from Drupal core 10.0.x to 10.1.x
- Attempt to authenticate using basic auth
- See failure to authenticate

Proposed resolution

Accounts authenticating using basic_auth should have their passwords re-hashed in the same way that users logging in via the UI do, as documented in https://www.drupal.org/node/3322420.

πŸ› Bug report
Status

Postponed: needs info

Version

11.0

Component
Basic auth

Created by

Australia genebobmiller


Comments & Activities

  • Issue created by @genebobmiller
  • Status changed to Postponed: needs info 7 months ago
  • United Kingdom alexpott

    @genebobmiller thanks for the bug report. I think that you might have not installed phpass or run the updates. I've just tested this and everything works as expected. Here's what I did.

    1. Checked out 10.0.x and composer install
    2. Installed standard
    3. Enabled basic_auth and router_test
    4. Used Postman to hit router_test/test11 with my user credentials as the basic auth. Got a 200.
    5. Checked out 10.1.x and composer install
    6. Run the db updates
    7. On purpose disabled the new phpass module that was enabled by the update
    8. Used Postman to hit router_test/test11 with my user credentials as the basic auth. Got a 403.
    9. Enabled phpass
    10. Used Postman to hit router_test/test11 with my user credentials as the basic auth. Got a 200.
    11. Disabled phpass - to test that the hash has been updated
    12. Used Postman to hit router_test/test11 with my user credentials as the basic auth. Got a 200.

    Given this I'm setting this to postponed maintainer needs more info.
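The mechanism the steps above exercise is verify-then-rehash: a stored hash in the old format is still accepted as long as a checker for it is installed, and on the first successful authentication the hash is rewritten with the current algorithm, after which the old checker is no longer needed. What matters for the reported lockout is that every authentication route, UI login and HTTP Basic alike, goes through that one path. The following is an added illustration of that pattern in plain PHP; it is not Drupal core code and not from this thread. The `$legacy$` prefix with a SHA-256 digest is a stand-in for the old phpass format, `PasswordUpgrader` and `credentialsFromBasicHeader` are hypothetical names, and the user list is constructed sample data.

```php
<?php
// Added illustration, not Drupal core code: one shared verify-and-rehash path
// for every authentication route. A route that cannot read the old hash format
// rejects the account (the 403 seen with phpass disabled); a route that can read
// it but never rehashes keeps the account dependent on the old checker forever.
//
// Assumptions (hypothetical, for this example only):
//  - '$legacy$' + sha256(password) stands in for the pre-10.1 phpass format;
//  - PASSWORD_DEFAULT (bcrypt on PHP 8, '$2y$' prefix) stands in for the new format;
//  - the user list is an in-memory stand-in for user storage.

final class PasswordUpgrader
{
    private const LEGACY_PREFIX = '$legacy$';

    /** @param array<string,string> $users username => stored hash (constructed sample data) */
    public function __construct(private array $users) {}

    /** Verify a password against a stored hash, understanding both formats. */
    private function check(string $password, string $stored): bool
    {
        if (str_starts_with($stored, self::LEGACY_PREFIX)) {
            $expected = substr($stored, strlen(self::LEGACY_PREFIX));
            // hash_equals() keeps the comparison constant-time.
            return hash_equals($expected, hash('sha256', $password));
        }
        return password_verify($password, $stored);
    }

    /** True when the stored hash must be regenerated with the current algorithm. */
    private function needsRehash(string $stored): bool
    {
        return str_starts_with($stored, self::LEGACY_PREFIX)
            || password_needs_rehash($stored, PASSWORD_DEFAULT);
    }

    /**
     * Authenticate and, on success, migrate the stored hash in place.
     * Both the interactive login form and the basic-auth provider must call
     * this method rather than check() alone, otherwise the hash is never
     * upgraded for accounts that only ever authenticate over HTTP Basic.
     */
    public function authenticate(string $name, string $password): bool
    {
        if (!isset($this->users[$name])) {
            return false;
        }
        $stored = $this->users[$name];
        if (!$this->check($password, $stored)) {
            return false;
        }
        if ($this->needsRehash($stored)) {
            $this->users[$name] = password_hash($password, PASSWORD_DEFAULT);
        }
        return true;
    }

    public function hashFor(string $name): ?string
    {
        return $this->users[$name] ?? null;
    }
}

/** Parse an "Authorization: Basic ..." header value into [username, password]. */
function credentialsFromBasicHeader(string $header): ?array
{
    if (!preg_match('/^Basic\s+(\S+)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || !str_contains($decoded, ':')) {
        return null;
    }
    return explode(':', $decoded, 2);
}

// Constructed sample: an automated JSON:API account whose hash is still in the
// old format, as it would be right after the upgrade and before any login.
$auth = new PasswordUpgrader([
    'api_bot' => '$legacy$' . hash('sha256', 'correct horse battery staple'),
]);

// The client sends the same header on every request.
$header = 'Basic ' . base64_encode('api_bot:correct horse battery staple');
[$name, $password] = credentialsFromBasicHeader($header);

// First request: old-format hash is verified by the legacy branch and rewritten.
$first = $auth->authenticate($name, $password);
$migrated = str_starts_with((string) $auth->hashFor($name), '$2y$');

// Second request: only password_verify() is involved now; the legacy branch is
// no longer needed. A wrong password is still rejected either way.
$second = $auth->authenticate($name, $password);
$rejected = !$auth->authenticate($name, 'wrong password');

var_dump($first, $migrated, $second, $rejected);
```

The ordering inside `authenticate()` is the security-relevant detail: the rehash happens only after a successful verification, so a failed attempt (the one that ends up in the flood table) never touches the stored hash, and a client that sends the same credentials on every request migrates itself on its first successful call after the upgrade.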

  • Australia genebobmiller

    Thanks for investigating Alex, I'll dig deeper and see why our instance is behaving differently.

  • New Zealand quietone

    @genebobmiller, did you determine why your instance was behaving differently? If you have resolved the problem, add a comment sharing what you did as it may help others.

    Since we need more information to move forward with this issue, I am keeping the status at Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

    Thanks!
