Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Logging in via the one-time link (and the "Log in" button on the user_pass_reset form) causes the user to be logged out immediately. The message in watchdog reveals that TFA is the culprit:
1515833 17/Jun 12:13 notice tfa Session closed for example_user.
TFA should redirect the user to a TFA form in this case, instead of logging him/her out.
Comment | File | Size | Author |
---|---|---|---|
#2 | tfa-avoid_hook_user_logout-2507409-2.patch | 455 bytes | pjcdawkins |
Comments
Comment #1
gregglesOn a site using 7.x...beta2 series:
I just went through the process with a trusted browser (logged in directly) and without a trusted browser (required input of totp code) and both flowed as expected.
My account does have tfa-totp setup but it is not required for any of my roles.
Can you provide more information about your configuration and user so it's possible to reproduce the issue?
Comment #2
pjcdawkins CreditAttribution: pjcdawkins at Centarro commentedAh.
I think it's because I'm using OpenID Connect SSO at the same time.
That module triggers a redirect on hook_user_logout(), and it seems that TFA invokes hook_user_logout() during the process.
I wonder if this patch would be appropriate? (since you're not actually logging the user out, you're sort of temporarily doing so)
Otherwise, I'll patch OpenID Connect SSO to detect it's in the TFA context, somehow.
Comment #3
eelkeblokFWIW, I see this same behaviour, but do not have OpenID enabled. This is on a vanilla D7, installed with the Standard profile and nothing special enabled except this module and tfa_basic. This *is* with a user who has not set up TFA yet. Basically, I'm trying to figure out what a sane workflow would be for creating a new user, with a role that requires TFA. I was also considering to open an issue about that, but wanted to see what happens when trying to use the reset password (or the reset link in the welcome email). I hoped the user would be forced to setup TFA, I suppose.
Comment #4
Leeteq CreditAttribution: Leeteq commentedI think that it would be generally useful if we took this discussion on a general level that would constitute a "best practise" behaviour and guideline for other module developers that are also figuring out such workflow and cross-module compatibilities.
The following modules have similar/related considerations and "reported bugs" up for discussion and needs to play nicer together, including (perhaps especially) with this module. (I will check and post related issue links back here.)
https://www.drupal.org/project/issues/legal (compatibility/workflow challenge when incidentally required to accept new Terms-of-service version at the same time as having a login problem and using a reset link)
https://www.drupal.org/project/issues/yubikey
https://www.drupal.org/project/issues/passwordless
https://www.drupal.org/project/issues/login_destination
Comment #5
coltrane@eelkeblok can you please detail the steps to repeat?
Comment #6
eelkeblokThe same sort of thing seems to happen when you enable requiring TFA on a role that already has users, when a user with that role tries to log in (I actually locked my self out of my development system doing that for the admin role). It's basically a catch-22, where you need to be logged in in your account to be able to set up TFA, but you can not log in because TFA is required for your role and you don't have it set up.
Comment #7
pjcdawkins CreditAttribution: pjcdawkins commentedeelkeblok is that similar to the issue I had? can you run
drush ev 'print_r(module_implements("user_logout"));'
to find out?(I'm no longer using OpenID Connect so I'm not so interested in this issue anymore...)
Comment #8
eelkeblokThe list turns up empty (like I said, fresh install of the "Standard" install profile, plus tfa and tfa_basic modules, and now devel to execute the code). My issue is similar in that I see the same behaviour. Root cause might well be different. I am using a role that has mandatory TFA, which causes a problem for accounts that do not have TFA set up yet.
Comment #9
bakshis CreditAttribution: bakshis commentedI am facing the same issue. As Leeteq said we should took this to general level discussion. Can anybody tell me where and how can I find the solution and contribute to solution for this issue.
Comment #10
eelkeblokI traced my problem back to how tfa_basic and tfa work together to implement the tfa required functionality. I've created a new issue: #2564813: UI feedback ("Login disallowed") can disappear
Comment #11
banviktor CreditAttribution: banviktor at CARD.com commentedIMO it's not safe to neglect all hook_user_logout() implementations.
edit: removed most of my comment after looking into OpenID's code
Comment #12
pjcdawkins CreditAttribution: pjcdawkins as a volunteer commentedClosing this (I'm not a maintainer but I am the OP) - I think it's OK to invoke the hook. Comments below my #2 seem to relate to other issues (eelkeblok) or unknown issues (Leeteq, bakshis) that would warrant a different discussion.