- Issue created by @cmlara
- Merge request !119 Issue #3514249: Public followup for SA-CONTRIB-2025-023 (Merged) created by cmlara
- cmlara committed 84d7a20e on 8.x-1.x
  Issue #3514249: Public followup for SA-CONTRIB-2025-023
- 🇺🇸 United States cmlara
Merged to 8.x-1.x
For 2.x we do not have the same concerns for design; however, we can learn from the 8.x-1.x fix and consider adding hook_requirements() checks for our core security concerns.
TfaUserSetSubscriber::class would be our prime candidate to monitor, to warn if another subscriber is before it so that site owners can validate security. We would likely want to implement this with an 'approve' list so site owners can approve a subscriber to move it from warning to notice.
We may also wish to monitor the logon routes unless 'Evaluate restoring using a form alter instead of extending UserLoginForm' (Active) is adopted; however, unlike 8.x-1.x, where that monitoring is security critical, in 2.x it (should) be only advisory as TfaUserSetSubscriber provides the backend security.
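One way to implement the hook_requirements() check proposed in the comment above, as an added example that is not the TFA project's own code. It assumes TfaUserSetSubscriber listens to AccountEvents::SET_USER under the Drupal\tfa\EventSubscriber namespace, and that the site-owner approve list lives in a hypothetical tfa.settings key named approved_preceding_subscribers.

```php
<?php
// Added example (not TFA module code). Assumed: the subscriber listens to
// AccountEvents::SET_USER; the approve list config key is hypothetical.

use Drupal\Core\Session\AccountEvents;
use Drupal\tfa\EventSubscriber\TfaUserSetSubscriber;

/**
 * Implements hook_requirements().
 */
function tfa_requirements($phase) {
  $requirements = [];
  if ($phase !== 'runtime') {
    return $requirements;
  }

  // Hypothetical config key: class names a site owner has reviewed and approved.
  $approved = \Drupal::config('tfa.settings')->get('approved_preceding_subscribers') ?? [];

  // Symfony/Drupal return listeners in dispatch order (highest priority first),
  // so everything before TfaUserSetSubscriber runs before the TFA check.
  $listeners = \Drupal::service('event_dispatcher')->getListeners(AccountEvents::SET_USER);
  $preceding = [];
  $found = FALSE;
  foreach ($listeners as $listener) {
    if (is_array($listener)) {
      $class = is_object($listener[0]) ? get_class($listener[0]) : (string) $listener[0];
    }
    else {
      $class = is_object($listener) ? get_class($listener) : (string) $listener;
    }
    if ($class === TfaUserSetSubscriber::class) {
      $found = TRUE;
      break;
    }
    $preceding[] = $class;
  }
  $unapproved = array_diff($preceding, $approved);

  $requirement = ['title' => t('TFA user.set subscriber ordering')];
  if (!$found) {
    // The security-relevant subscriber is missing entirely: treat as an error.
    $requirement['severity'] = REQUIREMENT_ERROR;
    $requirement['value'] = t('TfaUserSetSubscriber is not registered for the user.set event.');
  }
  elseif ($unapproved) {
    // Unreviewed code runs before TFA: warn so the site owner can validate it.
    $requirement['severity'] = REQUIREMENT_WARNING;
    $requirement['value'] = t('Unapproved subscribers run before TFA: @list', ['@list' => implode(', ', $unapproved)]);
  }
  else {
    // Either nothing precedes TFA, or everything that does has been approved.
    $requirement['severity'] = $preceding ? REQUIREMENT_INFO : REQUIREMENT_OK;
    $requirement['value'] = $preceding ? t('Approved subscribers run before TFA: @list', ['@list' => implode(', ', $preceding)]) : t('No subscriber runs before TFA.');
  }
  $requirements['tfa_user_set_subscriber_order'] = $requirement;
  return $requirements;
}
```

Moving a class from the warning to the notice state is then a matter of adding its name to the approve list, which keeps the status report actionable rather than permanently noisy.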