Disable the user.login.http route by default

Created on 17 June 2025, 4 months ago

Problem/Motivation

Core provides two ways to login:

  • The login form
  • The REST login route

It is fairly common for modules that add extra protection to the login process (for example OTP) to protect the login form but not the REST login route.
See, for example, https://www.drupal.org/sa-contrib-2025-056.

I think most websites don't use the REST login, so we could disable it by default; this would harden websites using modules that forget to protect this route.

Steps to reproduce

curl --header "Content-type: application/json" --request POST --data '{"name":"username", "pass":"password"}'  'http://example.com/user/login?_format=json'

Proposed resolution

We could add a new config to enable/disable this login method and disable it by default on new installs.
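One way to implement the proposed config switch, as an added example that is not code from the issue, the merge request or Drupal core: a route subscriber in a hypothetical module named login_hardening that denies access to the user.login.http route unless a config flag enables it. The module name, the config object login_hardening.settings and its key rest_login_enabled are assumptions for this example; the issue only proposes "a new config".

```php
<?php

declare(strict_types=1);

namespace Drupal\login_hardening\Routing;

use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

/**
 * Denies access to the REST login route unless a config flag enables it.
 *
 * Added example for the proposed "new config": the module name
 * login_hardening, the config object login_hardening.settings and the key
 * rest_login_enabled are assumptions, not names from the issue or from core.
 */
final class RestLoginRouteSubscriber extends RouteSubscriberBase {

  public function __construct(
    private readonly ConfigFactoryInterface $configFactory,
  ) {}

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection): void {
    // Only user.login.http is named in the issue; the form-based login
    // route (user.login) is deliberately left alone.
    $route = $collection->get('user.login.http');
    if ($route === NULL) {
      return;
    }

    // A missing or unset flag is treated as "disabled", matching the proposal
    // that new installs ship with the REST login closed. Existing sites that
    // rely on REST login would need an update hook that sets the flag.
    $enabled = (bool) $this->configFactory
      ->get('login_hardening.settings')
      ->get('rest_login_enabled');

    if (!$enabled) {
      // The '_access: FALSE' requirement makes the access manager deny every
      // request to this route with a 403, so the JSON POST never reaches
      // UserAuthenticationController::login() and no password is checked.
      // The route name stays resolvable, so code calling
      // Url::fromRoute('user.login.http') keeps working.
      $route->setRequirement('_access', 'FALSE');
    }
  }

}
```

Register the class in login_hardening.services.yml as a service that receives @config.factory as its argument and carries the event_subscriber tag. Route subscribers only run when the router is rebuilt, so a settings form that toggles rest_login_enabled should call setRebuildNeeded() on the router.builder service after saving; otherwise the cached router keeps the previous decision until the next cache rebuild.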

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

📌 Task
Status

Active

Version

11.0 🔥

Component

user.module

Created by

🇫🇷 France prudloff Lille

  • Security improvements


Merge Requests

Comments & Activities

  • Issue created by @prudloff
  • 🇫🇷 France prudloff Lille

    I also had a look at how WordPress handles this: it is not possible to use a standard password to log in with REST.
    Users have to generate an application password that can then be used to log in with the REST API.
    These passwords are always long and randomly generated; this makes it more OK to not have 2FA on this login method because application passwords would be very hard to brute-force.

  • 🇫🇷 France prudloff Lille

    The change could be similar to this: https://www.drupal.org/node/3359827

  • 🇬🇧 United Kingdom longwave UK

    Should the route move to rest.module? We could either enable it by default only if rest.module is enabled, or add it as a config option there?

  • 🇬🇧 United Kingdom catch

    More than once I wondered why this wasn't provided by REST module, so that makes sense to me.

  • Merge request !13508 "Add route aliases" → (Open) created by prudloff
  • Pipeline #630319 finished with Failed (13 days ago, total: 175s)
  • Pipeline #630331 finished with Failed (13 days ago, total: 1455s)
  • Pipeline #630346 finished with Failed (13 days ago, total: 166s)
  • Pipeline #630348 finished with Failed (12 days ago, total: 1290s)
  • Pipeline #630369 finished with Canceled (12 days ago, total: 86s)
  • Pipeline #630370 finished with Success (12 days ago, total: 692s)
  • Pipeline #630705 finished with Canceled (12 days ago, total: 697s)
  • Pipeline #630715 finished with Failed (12 days ago, total: 239s)
  • Pipeline #630766 finished with Failed (12 days ago, total: 160s)
  • Pipeline #631242 finished with Failed (12 days ago, total: 540s)
  • Pipeline #631288 finished with Failed (12 days ago)
  • Pipeline #631317 finished with Failed (12 days ago)
  • Pipeline #631553 finished with Failed (12 days ago)
  • Pipeline #631562 finished with Success (12 days ago, total: 624s)