Drupal login via POST bypass Drupal local login restriction

Created on 18 July 2024, about 2 months ago

Problem/Motivation

The setting of 'Allow authentication with local Drupal accounts' signifies whether a Drupal local account can login without SSO.
Currently, this setting working well with the user login route but not with the user login http route, which is used for login via a API request, such as REST API.

Steps to reproduce

Unselect the 'Allow authentication with local Drupal accounts' option.

curl --header "Content-type: application/json" --request POST \
  --data '{"name":"user name", "pass":"password"}' \
http://[yourdomain]/user/login?_format=json

The user login successfully with local Drupal account even it is not allowed.

Proposed resolution

Add the 'user.login.http' route into the checking list of a login attempt.

🐛 Bug report

Status

Needs review

Version

4.0

Component

Code

Created by

🇦🇺Australia Mingsong 🇦🇺

Live updates comments and jobs are added and updated live.

Merge Requests

!37Drupal login via POST bypass Drupal local login restriction
Open
🇦🇺Australia Mingsong
updated about 2 months ago

Comments & Activities

Issue created by @Mingsong
Merge request !37Issue #3462268 by Mingsong: Drupal login via POST bypass Drupal local login restriction → (Open) created by Mingsong
Pipeline finished with Success
about 2 months ago
Total: 133s
#227599
Status changed to Needs review about 2 months ago8:19am 18 July 2024
Comment about 2 months ago →
🇦🇺Australia Mingsong 🇦🇺
MR is ready for review.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024