- Issue created by @grasmash
- 🇺🇸 United States cmlara
This is related to "Installing contrib modules can lead to TFA accidentally being bypassed" (Fixed).
I'm not a user of social_auth, so I will have basic questions trying to understand where this is occurring from:
When does this occur during the social_auth process?
Does social_auth provide an authentication_provider that can be exempted, which would allow this to bypass? In case it is helpful in narrowing down how social_auth authentication is triggering our protection, we have technical documentation of its operations: https://project.pages.drupalcode.org/tfa/technical/set-user-protection/
- 🇺🇸 United States cmlara
I took a quick glance at the social_auth module code.
I believe I understand why this is occurring.
social_auth calls user_login_finalize() to complete login. This sets the authentication into the session. This appears to be an approved use of the API that I was not expecting; I had (incorrectly) planned for user_login_finalize() to only be called for logins that occurred through Drupal's normal methods, and that 3rd parties would always use an auth provider without calling user_login_finalize().
user_login_finalize() calls \Drupal::currentUser()->setAccount($account); as its first action (https://git.drupalcode.org/project/drupal/-/blob/bd4b8b98a7a70f2efccef48...), which will reject the request as none of the TFA code was processed. I had originally written TfaUserSetSubscriber::rejectUserIfTfaBypassed() to avoid making any calls to the plugin as, in our current architecture, this can be 'high latency'. It appears we may indeed need this as a final check before refusing the connection, along with populating the memory cache.
An alternative would be that we perform the check in tfa_user_login(); however, that would require patching the core user.module file to use the user switcher (which bypasses TFA enforcement). "Deprecate user_logout() and user_login_finalize() and replace with a service" (Needs review) would allow us to avoid this.
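To make the mechanism discussed above concrete, here is an added illustrative subscriber; it is not the TFA module's own TfaUserSetSubscriber and is not taken from the merge request. It uses only the core pieces named in the thread: any path that ends in \Drupal::currentUser()->setAccount() (user_login_finalize() included) dispatches the core AccountEvents::SET_USER event, so a subscriber on that event sees form logins and social_auth logins alike. The two injected interfaces (TfaSessionMarkerInterface, TfaRequirementLookupInterface), the per-request array used as the "memory cache", and throwing AccessDeniedHttpException as the rejection are all assumptions made for this example.

```php
<?php

namespace Drupal\example_tfa_guard\EventSubscriber;

use Drupal\Core\Session\AccountEvents;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Session\AccountSetEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

/**
 * Hypothetical: records whether the TFA flow completed for this session.
 */
interface TfaSessionMarkerInterface {
  public function isTfaComplete(AccountInterface $account): bool;
}

/**
 * Hypothetical: the "high latency" plugin-layer answer to "is TFA required?".
 */
interface TfaRequirementLookupInterface {
  public function isRequired(AccountInterface $account): bool;
}

/**
 * Illustrative guard on the core "account set" event (not the TFA module's code).
 *
 * Fast path: the TFA login flow already marked this session as complete.
 * Slow path: consult the plugin layer once per request, cache the answer,
 * and refuse only when TFA is actually required and was not completed.
 */
final class TfaGuardSubscriber implements EventSubscriberInterface {

  /** Per-request cache of "is TFA required" lookups, keyed by uid. */
  private array $requiredCache = [];

  public function __construct(
    private readonly TfaSessionMarkerInterface $marker,
    private readonly TfaRequirementLookupInterface $lookup,
  ) {}

  public static function getSubscribedEvents(): array {
    // Core dispatches this from AccountProxy::setAccount().
    return [AccountEvents::SET_USER => ['onAccountSet']];
  }

  public function onAccountSet(AccountSetEvent $event): void {
    $account = $event->getAccount();
    if ($account->isAnonymous()) {
      return;
    }
    if ($this->marker->isTfaComplete($account)) {
      return;
    }
    // Final check before refusing: a contrib login path such as
    // social_auth calling user_login_finalize() lands here, and must
    // only be rejected if this account is actually protected by TFA.
    if (!$this->isTfaRequired($account)) {
      return;
    }
    throw new AccessDeniedHttpException('Account was set without completing TFA.');
  }

  private function isTfaRequired(AccountInterface $account): bool {
    $uid = (int) $account->id();
    if (!array_key_exists($uid, $this->requiredCache)) {
      $this->requiredCache[$uid] = $this->lookup->isRequired($account);
    }
    return $this->requiredCache[$uid];
  }

}
```

The ordering matters for the bug described in this thread: checking the cheap session marker first keeps the normal TFA login path free of plugin calls, while the cached requirement lookup is what prevents an unprotected account logged in through social_auth from being refused outright.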
- Merge request !77 "Issue #3426189 by cmlara: 2.x-dev incompatible with other modules calling user_login_finalize()" (Merged) created by cmlara
- Status changed to Needs review, about 1 year ago (9:30pm, 13 March 2024)
- 🇺🇸 United States cmlara
@grasmash
Does the attached MR solve the issues for your site?
- 🇺🇸 United States cmlara
@grasmash Have you been able to confirm if the proposed MR resolves your issue with Social Auth?
- Status changed to Fixed, 7 months ago (7:35pm, 2 September 2024)
- cmlara committed 90034ede on 2.x
Issue #3426189 by cmlara, grasmash: 2.x-dev incompatible with other...
Automatically closed - issue fixed for 2 weeks with no activity.