Problem/Motivation

A new well-known URI, registered under the RFC 5785 /.well-known/ namespace, allows password managers to direct users to a standard URL, which then redirects the user to the site's password change form.

Description of resource here - https://github.com/WICG/change-password-url

Once implemented by password managers and browsers, this would make rotating passwords for Drupal accounts very simple for end users.

The htaccess rule to support /.well-known URLs was added in #2408321: Support RFC 5785 by whitelisting the .well-known directory

Proposed resolution

The path in the RFC document is /.well-known/change-password. Let's add a new route which redirects this path to user.pass with a 301 response.

This should probably live in user module.
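The route and controller method described above, written out as an added example (this is not the patch attached to this issue; the route name, the method name and the `_access: 'TRUE'` requirement are assumptions):

```php
<?php
// Added example: answer GET /.well-known/change-password with a permanent
// redirect to the password reset form (route user.pass, path /user/password).
//
// Route definition, assumed to live in core/modules/user/user.routing.yml
// (route name follows the naming suggested later in this thread):
//
//   user.well-known.change_password:
//     path: '/.well-known/change-password'
//     defaults:
//       _controller: '\Drupal\user\Controller\UserController::wellKnownChangePassword'
//     requirements:
//       _access: 'TRUE'
//
// `_access: 'TRUE'` is deliberate: a password manager or browser fetches this
// URL without a Drupal session, so the redirect must be reachable anonymously.
// Nothing sensitive is disclosed; the target is the already public reset form.

namespace Drupal\user\Controller;

use Drupal\Core\Controller\ControllerBase;
use Symfony\Component\HttpFoundation\RedirectResponse;

class UserController extends ControllerBase {

  /**
   * Redirects the well-known change-password URL to the password reset form.
   *
   * A 301 is returned so that clients may cache the mapping; the target
   * route (user.pass) is the one named in the issue summary.
   */
  public function wellKnownChangePassword(): RedirectResponse {
    // ControllerBase::redirect($route_name, $route_parameters, $options, $status):
    // the HTTP status is the fourth argument. Pass it on this call, not on
    // the unrelated redirects elsewhere in this controller.
    return $this->redirect('user.pass', [], [], 301);
  }

}
```

A quick check after deploying: an unauthenticated HEAD request to /.well-known/change-password should come back as `301` with a `Location` header pointing at /user/password; if the site's .htaccess still denies dot-directories, the request will 403 before reaching Drupal, which is what the htaccess change referenced above addresses.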

Remaining tasks

TBC

User interface changes

  • Adds a new route /.well-known/change-password

API changes

TBC

Data model changes

TBC

Release notes snippet

The user module now provides a route to the RFC5785 well-known resource for password changes. Requests to /.well-known/change-password will receive a 301 redirect to the password reset form.


Comments

nicksanta created an issue. See original summary.

nicksanta

Issue summary: View changes

nicksanta

Issue summary: View changes

nicksanta

Here's an initial stab at it. The implementation is pretty simple - just a new route and method on the UserController class.

Tests to come.

nicksanta

Status: Active » Needs review
FileSize
2.52 KB

Tests added.

jibran

Status: Needs review » Needs work

Thanks for creating the issue and the patch. The patch looks good. Just two observations:

  1. The route name should be user.well-known.change_password
  2. The redirect code should be 301.
nicksanta

Status: Needs work » Needs review
FileSize
2.75 KB

Thanks for the feedback Jibran! I've implemented your suggestions.

jibran

Status: Needs review » Needs work

Thanks for addressing the feedback. Please also create the interdiff for easy reviews.

+++ b/core/modules/user/src/Controller/UserController.php
@@ -259,7 +259,22 @@ public function resetPassLogin($uid, $timestamp, $hash) {
-    return $this->redirect('entity.user.canonical', ['user' => $this->currentUser()->id()]);
+    return $this->redirect('entity.user.canonical', ['user' => $this->currentUser()->id()], [], 301);
...
+    return $this->redirect('entity.user.edit_form', ['user' => $this->currentUser()->id()]);
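Review bot: The `301` status is being added to the `entity.user.canonical` redirect inside `resetPassLogin()`, which is the one-time-login flow rather than the new `/.well-known/change-password` handler; that line should be reverted to its original default status, and the status argument belongs on the new route's `$this->redirect('user.pass', [], [], 301)` call instead. The untouched `entity.user.edit_form` redirect in the same hunk shows the existing code relies on the default 302 everywhere else, so changing `resetPassLogin()` here would alter behaviour the issue does not ask for.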

I think you changed the wrong line.

dhirendra.mishra

Assigned: Unassigned » dhirendra.mishra
dhirendra.mishra

Assigned: dhirendra.mishra » Unassigned
Status: Needs work » Needs review
FileSize
865 bytes
2.55 KB

Hope it helps. Thanks

jibran

Component: other » user system
Issue summary: View changes

Thanks for addressing the feedback. This looks good now. Let's add a change record and "Release notes snippet". I think it is worth mentioning in the next release notes.

nicksanta

Issue summary: View changes

Added Release notes snippet

nicksanta

Draft change record added - https://www.drupal.org/node/3038171

It's my first time writing one of these, would appreciate a review.

jibran

Status: Needs review » Reviewed & tested by the community

Thanks for that.

webchick

This is a sweet little patch! Thanks!

One question I had was... when reviewing the spec document that this repo links to (https://wicg.github.io/change-password-url/index.html), I notice the following:

It is not a W3C Standard nor is it on the W3C Standards Track.

I guess that is my only real concern, is if we were to commit this, and later this does go on the standards track, but the recommended URL changes, then we'd be kinda stuck with this legacy URL to support. So from that POV, the safest thing to do may be to postpone it until it does become part of the standards.

Are you able to provide additional context as to where this recommendation came from, and/or the likelihood of it getting adopted more "formally" by the W3C?

nicksanta

Thanks for looking into this @webchick!

I think that's a fair concern, and I honestly do not have the answer at this stage. I've opened a ticket on the WICG repository requesting more information on the pathway to adoption - https://github.com/WICG/change-password-url/issues/12

jibran

Status: Reviewed & tested by the community » Postponed (maintainer needs more info)

Hi @webchick, thanks for looking into it. I think creating the issue for this is the right way to go, so thanks for that @nicksanta. Marking it postponed for now.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

jibran

Version: 8.8.x-dev » 8.7.x-dev
Status: Postponed (maintainer needs more info) » Reviewed & tested by the community

Here is the reply from one of the collaborators:

It's very unlikely that the URL would change at this point. If we end up changing the scope of the work sufficiently to call for another endpoint, it'll be in addition to, not instead of, this existing URL.

I think the above addresses @webchick's concerns so setting it back to RTBC.

larowlan

Version: 8.7.x-dev » 8.8.x-dev
larowlan

issue credits

larowlan

Status: Reviewed & tested by the community » Fixed
Issue tags: +8.8.0 release notes

published change record

Committed 3b6f89b and pushed to 8.8.x. Thanks!

  • larowlan committed 3b6f89b on 8.8.x
    Issue #3018673 by nicksanta, dhirendra.mishra, jibran: Add support for...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

pameeela

Switching tag to highlights since this is cool but isn't disruptive :)
