Support `user.reset` route that can be used by Drush or Simple Pass Reset module

Created on 10 February 2025, 12 days ago

Problem/Motivation

We are using Simple Pass Reset module, which uses `user.reset` route. It is not protected by TFA.

Steps to reproduce

- Install and configure TFA.
- Install Simple Pass Reset module.
- Enable TFA for a user.
- Logout and reset the password.
- You will receive a reset link like: `/user/reset/3/1739210206/o8OHnH5G_FTPE6yjn33t_B1MPngWCeFnYx0SrE4_weY`
- When clicked you can change your password bypassing TFA.

Proposed resolution

Update event listener to listen for this route.

✨ Feature request

Status

Needs work

Version

1.0

Component

Code

Created by

🇰🇬Kyrgyzstan elaman

Live updates comments and jobs are added and updated live.

Merge Requests

!115Support `user.reset` route that can be used by Drush or Simple Pass Reset module
Closed
🇰🇬Kyrgyzstan elaman
updated 9 days ago

Comments & Activities

Issue created by @elaman
Merge request !115Listen to `user.reset` route. → (Closed) created by elaman
Comment 12 days ago →
🇰🇬Kyrgyzstan elaman
Pipeline finished with Success
12 days ago
Total: 329s
#420224
Comment 12 days ago →
🇰🇬Kyrgyzstan elaman
I mean ideally the `TfaUserController` and `EntryForm` would detect whether request is `user.reset.login` or `user.reset`, then based on that will behave correctly after TFA auth. In this MR the `user.reset` behaves the same way as `user.reset.login`.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024