UserAuth BC layer not working for modules that use username

Created on 25 June 2024, 8 days ago

Problem/Motivation

In 🐛 UserAuth BC layer is not working for modules that use it to provide email based logins Active the calls to $uid = $this->userAuth->authenticate($form_state->getValue('name'), $password); was removed

/UserLoginForm.php b/core/modules/user/src/Form/UserLoginForm.php
index e3df158e0f5146635b89bafaa8acbf76fa84e850..8fe696d15a53f7dd4a76f3702b0c5c538a123055 100644
--- a/core/modules/user/src/Form/UserLoginForm.php
+++ b/core/modules/user/src/Form/UserLoginForm.php
@@ -246,10 +246,10 @@ public function validateAuthentication(array &$form, FormStateInterface $form_st
         if ($this->userAuth instanceof UserAuthenticationInterface) {
           $form_state->set('uid', $this->userAuth->authenticateAccount($account, $password) ? $account->id() : FALSE);
         }
-        else {
-          $uid = $this->userAuth->authenticate($form_state->getValue('name'), $password);
-          $form_state->set('uid', $uid);
-        }
+      }
+      elseif (!$this->userAuth instanceof UserAuthenticationInterface) {
+        $uid = $this->userAuth->authenticate($form_state->getValue('name'), $password);
+        $form_state->set('uid', $uid);
       }
     }
   }

However this breaks modules that decorate the User.Auth service (without UserAuthenticationInterface)

Logic flow analysis of https://git.drupalcode.org/project/drupal/-/blob/77d19f7abb3875c41fb388d...

L203: Auth service does not implement new method.
L206-208: Account is loaded from old system as the username exists in the database
L213: Account exists and is active, enter the if block.
L246: Service does not implement UserAuthenticationInterface no call to authenticate
L250: This if check is superseded by the L213 check as the account existed and is valid, as such the fallback is never called.

Steps to reproduce

TFA 2.x dev branch installed
Any module that decorates the UserAuth service without implementing UserAuthenticationInterface and utilize real account names can be used to validate this.

Proposed resolution

TBD. This might be as simple as adding back the else condition that was removed above.

Remaining tasks

TBD

User interface changes

None

API changes

TBD

Data model changes

None

Release notes snippet

TBD

🐛 Bug report

Status

Closed: duplicate

Version

10.3 ✨

Component

User system →

Last updated 38 minutes ago

Maintained by
🇺🇸United States @moshe weitzman
🇧🇪Belgium @kristiaanvandeneynde

Created by

🇺🇸United States cmlara

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @cmlara
Comment 8 days ago →
🇺🇸United States cilefen
Is this the same as 🐛 BC break in login auth changes from #3444978 Active ?
Status changed to Closed: duplicate 8 days ago1:50am 25 June 2024
Comment 8 days ago →
🇺🇸United States cmlara
On high level glance it sounds like it is

Closing as a duplicate

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024