Problem/Motivation
A new well-known resource was added to RFC5785 which allows password managers to direct users to a standard URL, which then redirects the user to the password change form.
Description of resource here - https://github.com/WICG/change-password-url
Once implemented by password managers and browsers, this would make rotating passwords for Drupal accounts very simple for end users.
The htaccess rule to support /.well-known URLs was added in #2408321: Support RFC 5785 by whitelisting the .well-known directory
Proposed resolution
The path in the RFC document is /.well-known/change-password. Let's add a new route, which redirects this path to user.pass with a 301 response.
This should probably live in user module.
Remaining tasks
TBC
User interface changes
- Adds a new route /.well-known/change-password
API changes
TBC
Data model changes
TBC
Release notes snippet
The user module now provides a route to the RFC5785 well-known resource for password changes. Requests to /.well-known/change-password will receive a 301 redirect to the password reset form.
Comment | File | Size | Author |
---|---|---|---|
#11 | 3018673-well-known-change-password-10.patch | 2.55 KB | dhirendra.mishra |
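
A check for the redirect described in the release notes snippet, added here as an example; it is not code from the patch or from Drupal core. The `/user/password` target path and the same-origin rule are assumptions of this example, and the sample responses are constructed.

```python
"""Added example: audit a site's /.well-known/change-password redirect."""
import http.client
from urllib.parse import urljoin, urlsplit

WELL_KNOWN = "/.well-known/change-password"  # path from the issue summary
EXPECTED_TARGET = "/user/password"  # assumption: path served by the user.pass route


def check_redirect(origin, status, location, expected_status=301):
    """Return the problems found in one response to WELL_KNOWN (empty list = OK)."""
    problems = []
    if status != expected_status:
        problems.append(f"status {status}, expected {expected_status}")
    if not location:
        problems.append("no Location header")
        return problems
    # Location may be relative; resolve it against the URL that was requested.
    target = urlsplit(urljoin(origin + WELL_KNOWN, location))
    base = urlsplit(origin)
    if (target.scheme, target.netloc.lower()) != (base.scheme, base.netloc.lower()):
        problems.append(f"redirect leaves origin: {target.scheme}://{target.netloc}")
    if target.path.rstrip("/") != EXPECTED_TARGET:
        problems.append(f"unexpected target path {target.path!r}")
    return problems


def fetch(origin, timeout=5):
    """Request WELL_KNOWN once; http.client never follows redirects itself."""
    parts = urlsplit(origin)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", WELL_KNOWN)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "ok-relative": (301, "/user/password"),
    "temporary": (302, "/user/password"),
    "off-origin": (301, "https://other.example/user/password"),
    "not-routed": (404, None),
}

if __name__ == "__main__":
    for name, (status, location) in SAMPLES.items():
        print(name, check_redirect("https://example.test", status, location) or "OK")
```

Against a live site, pass the result of `fetch(origin)` to `check_redirect`; a site installed in a subdirectory or using a path prefix needs `EXPECTED_TARGET` adjusted.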
Comments
Comment #2
nicksanta CreditAttribution: nicksanta as a volunteer commented
Comment #3
nicksanta CreditAttribution: nicksanta as a volunteer commented
Comment #4
nicksanta CreditAttribution: nicksanta as a volunteer commented
Here's an initial stab at it. The implementation is pretty simple - just a new route and method on the UserController class.
Tests to come.
Comment #5
nicksanta CreditAttribution: nicksanta as a volunteer commented
Tests added.
Comment #6
nicksanta CreditAttribution: nicksanta as a volunteer commented
Fixed whitespace issue.
Comment #7
jibran
Thanks for creating the issue and the patch. The patch looks good. Just two observations:
user.well-known.change_password
Comment #8
nicksanta CreditAttribution: nicksanta as a volunteer commented
Thanks for the feedback Jibran! I've implemented your suggestions.
Comment #9
jibran
Thanks for addressing the feedback. Please also create the interdiff for easy reviews.
I think you changed the wrong line.
Comment #10
dhirendra.mishra CreditAttribution: dhirendra.mishra at Srijan | A Material+ Company commented
Comment #11
dhirendra.mishra CreditAttribution: dhirendra.mishra at Srijan | A Material+ Company commented
Hope it helps. Thanks
Comment #12
jibran
Thanks for addressing the feedback. This looks good now. Let's add a change record and "Release notes snippet". I think it is worth mentioning in the next release notes.
Comment #13
nicksanta CreditAttribution: nicksanta as a volunteer commented
Added Release notes snippet
Comment #14
nicksanta CreditAttribution: nicksanta as a volunteer commented
Draft change record added - https://www.drupal.org/node/3038171
It's my first time writing one of these, would appreciate a review.
Comment #15
jibran
Thanks for that.
Comment #16
webchick
This is a sweet little patch! Thanks!
One question I had was... when reviewing the spec document that this repo links to (https://wicg.github.io/change-password-url/index.html), I notice the following:
I guess that is my only real concern, is if we were to commit this, and later this does go on the standards track, but the recommended URL changes, then we'd be kinda stuck with this legacy URL to support. So from that POV, the safest thing to do may be to postpone it until it does become part of the standards.
Are you able to provide additional context as to where this recommendation came from, and/or the likelihood of it getting adopted more "formally" by the W3C?
Comment #17
nicksanta CreditAttribution: nicksanta as a volunteer commented
Thanks for looking into this @webchick!
I think that's a fair concern, and I honestly do not have the answer at this stage. I've opened a ticket on the WICG repository requesting more information on the pathway to adoption - https://github.com/WICG/change-password-url/issues/12
Comment #18
jibran
Hi @webchick! Thanks for looking into it. I think creating the issue for this is the right way to go so thanks for that @nicksanta. Marking it postponed for now.
Comment #20
jibran
Here is the reply from one of the collaborators:
I think the above addresses @webchick's concerns so setting it back to RTBC.
Comment #21
larowlan
Comment #22
larowlan
issue credits
Comment #23
larowlan
published change record
Committed 3b6f89b and pushed to 8.8.x. Thanks!
Comment #26
pameeela CreditAttribution: pameeela commented
Switching tag to highlights since this is cool but isn't disruptive :)
Comment #27
dhirendra.mishra CreditAttribution: dhirendra.mishra at Valuebound for Valuebound commented