Problem/Motivation

It took a bit of digging to follow #3374260: Allow TFA authentication through REST routes and #3378072: Decorate the user.auth service to figure out how to instruct users to use TFA and REST.

Steps to reproduce

Try as a new dev never having used before

Proposed resolution

Make it easier by documenting on the configuration page if REST is enabled.

Maybe in the README too? Though that duplicates the homepage at the moment, and maybe it's too edge case for the homepage?

Remaining tasks

MR

User interface changes

Configuration page has helptext if REST is enabled.

API changes

N/A

Data model changes

N/A

Comments

scott_euser created an issue. See original summary.

scott_euser’s picture

Assigned: scott_euser » Unassigned
Status: Active » Needs review

Small change, but will at least be helpful for future me and perhaps other devs

phpstan issue unrelated and occurs on 2.x

cmlara’s picture

Component: Code » Documentation
Status: Needs review » Needs work

For the 2.x we are embracing using GitLab Pages for the documentation/manual. This is rendered by mkdocs from the markdown files in the docs folder and published on each 2.x pipeline execution. It is also currently included in each download for offline viewing.

We likely should place this somewhere in the docs (there may be no great location for it at the moment as they are sparsely populated, a new section may be necessary).

I'm going to set back to NW for including in the

For REST logins I would recommend the site owner consider using an API token auth provider (unless we are talking about the post login to obtain a cookie).

This will impact password access that uses the user.auth service to validate a user. Known scenarios this is relevant for:

  • Password confirmation forms that do not check the database directly
  • HTTP Post to /user/login (this is always enabled in Drupal Core).
  • http_basic authentication

Given the above, not sure if it makes sense to limit this to just the rest module enabled.

To me it feels a bit unusual to inline this, though at the moment it is indeed not documented anywhere except in the deep issues logs.

scott_euser changed the visibility of the branch 3521300-document-tfa-and-rest to hidden.

scott_euser’s picture

Status: Needs work » Needs review

Makes sense and thank you for the detailed explanation. I added a documentation page nested within configuration with options + tried to capture your recommendation with examples.

cmlara’s picture

Looks good.

I did add the new page to the menu above exempting authentication provides.

Minor suggestion on possible text change to be a bit more agnostic on providers provided in text.

scott_euser’s picture

Sorry was slow getting back to you here! Thanks for resolving, after the changes the wording is clear and would help future travellers trying to figure out how it works.

And thanks for the great module overall, much appreciated!

cmlara’s picture

Thanks for the confirmation you find the suggested tweaks acceptable.

Committing MR!129 to Dev (should show up on GitLab pages in a few minutes).

Do you find the documentation pages sufficient that we can also close out MR!126?

  • cmlara committed d0b128b8 on 2.x authored by scott_euser
    Issue #3521300 by scott_euser, cmlara: Document how to use TFA with REST
    

scott_euser’s picture

Yes thank you :) Closed the MR.

cmlara’s picture

Status: Needs review » Fixed

Thank you for confirming.

Closing the issue out as fixed.

Thank you again for the primary work on this commit.

This is the rendered page:
https://project.pages.drupalcode.org/tfa/configuration/tfa-with-rest/

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.