Problem/Motivation
canLoginWithoutTfa() is intended to be a helper that decides if a user is permitted to log in without a token.
We should bring this forward from the 8.x-1.x branch.
One item we may want to reconsider after looking at #3378072 ("Decorate the user.auth service") is that we likely want to remove the hasSkipped() call to make it more functional (free of side effects), since we may want to call it before authentication for a user has occurred.
Steps to reproduce
NA
Proposed resolution
Remaining tasks
User interface changes
None
API changes
All changes are to @internal classes.
Data model changes
None
Issue fork tfa-3394219
Comments
Comment #2
cmlara

Comment #3
nigelcunningham commented
There's already support for logging in without a token via the TfaLoginInterface's loginAllowed() method. This should be factored in.
Comment #4
cmlara
Currently for our code execution that would be best classified as 'logging in with TFA', while canLoginWithoutTfa() is (currently) intended to be called when neither TfaLoginInterface nor TfaValidationInterface is used to grant access.

Looking closer, this is actually a move of TfaLoginForm::loginWithoutTfa() to the LoginContext. I was originally thinking it was mostly new code for the security fix; however it was just centralized in 1.x as we needed to use it in multiple places, as we will in 2.x.

canLoginWithoutTfa() in 1.x (and essentially its equivalent in 2.x) is called when TFA is enabled and the user is supposed to have TFA (such as a required role) but has not yet configured it. It is mostly message handling and unified validation of remaining skip counts, to prevent the need to duplicate the same code in multiple places.
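To make the decision described in the comment above concrete, here is an added, stand-alone PHP illustration of what a "can this user log in without a token?" helper has to check: it is not the TFA module's own code, and every class, field and message in it (TfaSkipPolicy, TfaSkipOutcome, the skip counter and its settings) is a hypothetical stand-in for the module's real services. It also follows the point from the issue summary about dropping the hasSkipped() call: the helper is pure and only reports the remaining skip budget; recording a consumed skip is left to the caller after access is actually granted.

```php
<?php
declare(strict_types=1);

// Added example, not code from the TFA module. All names are hypothetical.

// What the helper decides. NotApplicable means another path (a TFA-validated
// login, or a TfaLoginInterface plugin granting access) must make the call.
enum TfaSkipOutcome: string
{
    case Allow = 'allow';
    case Deny = 'deny';
    case NotApplicable = 'not_applicable';
}

final class TfaSkipDecision
{
    public function __construct(
        public readonly TfaSkipOutcome $outcome,
        public readonly string $message,
    ) {
    }
}

final class TfaSkipPolicy
{
    /**
     * Pure decision function: no counters are touched here, so it is safe to
     * call before the user has been authenticated (see issue summary).
     *
     * @param bool $tfaEnabled    Site-wide TFA switch (hypothetical setting).
     * @param bool $tfaRequired   TFA is mandatory for this user, e.g. via a required role.
     * @param bool $tfaConfigured The user has already set up a validation plugin.
     * @param int  $skipsAllowed  Site setting: logins that may skip TFA setup.
     * @param int  $skipsUsed     Per-user counter of skips already consumed.
     */
    public function canLoginWithoutTfa(
        bool $tfaEnabled,
        bool $tfaRequired,
        bool $tfaConfigured,
        int $skipsAllowed,
        int $skipsUsed,
    ): TfaSkipDecision {
        if (!$tfaEnabled) {
            // Plain login: nothing for TFA to say.
            return new TfaSkipDecision(TfaSkipOutcome::NotApplicable, 'TFA is disabled on this site.');
        }
        if ($tfaConfigured) {
            // A configured user must validate a token; this helper never bypasses that.
            return new TfaSkipDecision(TfaSkipOutcome::NotApplicable, 'TFA is configured; a token must be validated.');
        }
        if (!$tfaRequired) {
            // Optional TFA that was never set up: ordinary login, with a nudge.
            return new TfaSkipDecision(TfaSkipOutcome::Allow, 'Consider enabling two-factor authentication.');
        }

        // Required but not yet configured: the skip budget decides.
        $remaining = $skipsAllowed - $skipsUsed;
        if ($remaining <= 0) {
            return new TfaSkipDecision(
                TfaSkipOutcome::Deny,
                'You must set up two-factor authentication before you can log in.',
            );
        }
        // This login will consume one skip; tell the user how many are left after it.
        $left = $remaining - 1;
        return new TfaSkipDecision(
            TfaSkipOutcome::Allow,
            sprintf(
                'You are required to set up two-factor authentication. You have %d login%s remaining before it is enforced.',
                $left,
                $left === 1 ? '' : 's',
            ),
        );
    }
}

// Usage with constructed inputs (required role, TFA not set up, 3 skips allowed).
$policy = new TfaSkipPolicy();
$d = $policy->canLoginWithoutTfa(true, true, false, 3, 2);
echo $d->outcome->value, ': ', $d->message, PHP_EOL;   // allow: ... 0 logins remaining ...
$d = $policy->canLoginWithoutTfa(true, true, false, 3, 3);
echo $d->outcome->value, ': ', $d->message, PHP_EOL;   // deny: You must set up ...
```

The three-way outcome matters for the ordering discussed in comment #3 and #4: a caller first gives TfaLoginInterface::loginAllowed() and token validation their chance, and only when neither applies does it fall through to this skip-count check, so a user who has configured TFA can never be waved through on the strength of an unused skip.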
Comment #6
cmlara

Comment #8
cmlara