Remove user password token

Created on 24 December 2024, 15 days ago

Problem/Motivation

This module adds the [user:password] token back into a site, allowing a password to be emailed to a user on creation. This support was removed from core because it is considered a security issue to send plaintext passwords in emails.

The functionality works in testing as the "password" attribute exists on a test user, but does not seem to work in practice as the password is hashed when the user is saved, which happens before the new user email is sent out.

Discussion on removing the password attribute completely:
🐛 Remove outdated code that sets password on $account during user registration Needs work

It would be possible to work around this, but it is already considered bad practice, and there is already a module specifically written to provide this functionality already.

If a user continues to need this functionality, it is available in the Registration Password Token → module.

Proposed resolution

Remove implementation of hook_token_info() and hook_tokens().
Update tests to remove any mention of these
Ask Registration Password Token module maintainers limit their module to do only the RPT functionality, and not generating a password as that directly conflicts with this module, causing the displayed generated password to be wrong. Ideally RPT would only provide the password token, and GP would only generate secure passwords.

Remaining tasks

✅ File an issue
➖ Addition/Change/Update/Fix
➖ Testing to ensure no regression
➖ Automated unit testing coverage
➖ Automated functional testing coverage
➖ UX/UI designer responsibilities
➖ Readability
➖ Accessibility
➖ Performance
➖ Security
➖ Documentation
➖ Code review by maintainers
➖ Full testing and approval
➖ Credit contributors
➖ Review with the product owner
➖ Release notes snippet
❌ Release

User interface changes

API changes

Module will no longer provide [user:password] and [account:password] tokens and their values.

Data model changes

Release notes snippet

The Generate Password module no longer provides the [user:password] and [account:password] tokens. Those site admins still needing the functionality should use the Registration Password Token → module. These tokens never made it into Drupal 7 or 8 core, but were unofficially included by a number of modules.

It is considered BCP to never send a password by email, but instead to use the one time password reset links.

📌 Task

Status

Active

Version

2.1

Component

Code

Created by

🇦🇺Australia elc

Live updates comments and jobs are added and updated live.

Merge Requests

!43Remove user password token
Open
🇦🇺Australia elc
updated 15 days ago

Comments & Activities

Issue created by @elc
Comment 15 days ago →
🇦🇺Australia elc
Add reference to core issue.
First commit to issue fork.
Merge request !43[#3495763] Remove password token. → (Open) created by elc
Comment 15 days ago →
🇦🇺Australia elc
Interop with Registration Password Token module ✨ Compatibility with Generate Password module Active .
Comment 5 days ago →
🇦🇺Australia elc
@todo Add a change notice/record regarding the removal.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024