Support Simple Password Reset module

Open on Drupal.org →

Created on 8 September 2024, 6 months ago

Updated 9 September 2024, 6 months ago

Problem/Motivation

If both TFA and Simple Password Reset modules are enabled, the TFA will be skipped.

Steps to reproduce

Enable both modules and configure. Try to reset password.

Proposed resolution

Obviously here, we need to decide which module should support the other. On the one hand, since TFA module introduces the MFA feature, logically it should strive to provide support here. On the other hand, the regular user password reset is covered by TFA module and it is understandable that TFA doesn't support Simple Password Reset module out of the box.

If we look from the who has more tools to solve this, it is TFA module, as it controls the code necessary for MFA to happen. Proposed solution is:
- Create a custom controller specifically for Simple Password Rest module.
- Create a custom TFA form based on `EntryForm` specifically with support of Simple Password Reset module.
- Alter the `user.reset` route to use that controller.
- In the custom controller, redirect user to TFA form OR perform regular Simple Password Reset routine if no MFA validation is required.

✨ Feature request

Status

Postponed

Version

2.0

Component

Code

Created by

🇰🇬Kyrgyzstan elaman

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Comments & Activities

Issue created by @elaman
Status changed to Postponed 6 months ago6:57am 9 September 2024
Comment 6 months ago →
🇺🇸United States cmlara
If both TFA and Simple Password Reset modules are enabled, the TFA will be skipped.

🐛 Installing contrib modules can lead to TFA accidently being bypassed Fixed Should have made it so that bypassing TFA is no longer possible (note: only in the 2.x branch)

This might end up being a duplicate on 📌 Use an EventSubscriber to process one time login links Needs work . Thanks to this post and another post I realize I had been ignoring the user.reset route while focusing on the user.reset.login route. The code in there currently hard redirects to entity.user.edit_form

I'm not 100% sure how tfa and simple_pass_reset will interact, however feedback on 📌 Use an EventSubscriber to process one time login links Needs work may be better location

I'm going to set this as postponed in any case we can't evaluate this until we have resets working with core in 2.x

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024