Contrib.social

Remove user password token

Open on Drupal.org →
Created on 24 December 2024, 3 months ago

Problem/Motivation

This module adds the [user:password] token back into a site, allowing a password to be emailed to a user on creation. This support was removed from core because it is considered a security issue to send plaintext passwords in emails.

The functionality works in testing as the "password" attribute exists on a test user, but does not seem to work in practice as the password is hashed when the user is saved, which happens before the new user email is sent out.

Discussion on removing the password attribute completely:
🐛 Remove outdated code that sets password on $account during user registration Needs work

It would be possible to work around this, but it is already considered bad practice, and there is already a module specifically written to provide this functionality already.

If a user continues to need this functionality, it is available in the Registration Password Token module.

Proposed resolution

  • Remove implementation of hook_token_info() and hook_tokens().
  • Update tests to remove any mention of these
  • Ask Registration Password Token module maintainers limit their module to do only the RPT functionality, and not generating a password as that directly conflicts with this module, causing the displayed generated password to be wrong. Ideally RPT would only provide the password token, and GP would only generate secure passwords.

Remaining tasks

  • ✅ File an issue
  • ➖ Addition/Change/Update/Fix
  • ➖ Testing to ensure no regression
  • ➖ Automated unit testing coverage
  • ➖ Automated functional testing coverage
  • ➖ UX/UI designer responsibilities
  • ➖ Readability
  • ➖ Accessibility
  • ➖ Performance
  • ➖ Security
  • ➖ Documentation
  • ➖ Code review by maintainers
  • ➖ Full testing and approval
  • ➖ Credit contributors
  • ➖ Review with the product owner
  • ➖ Release notes snippet
  • ❌ Release

User interface changes

  • N/A

API changes

  • Module will no longer provide [user:password] and [account:password] tokens and their values.

Data model changes

  • N/A

Release notes snippet

The Generate Password module no longer provides the [user:password] and [account:password] tokens. Those site admins still needing the functionality should use the Registration Password Token module. These tokens never made it into Drupal 7 or 8 core, but were unofficially included by a number of modules.

It is considered BCP to never send a password by email, but instead to use the one time password reset links.

📌 Task
Status

Active

Version

2.1

Component

Code

Created by

🇦🇺Australia elc

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024