This module determines if a user logged in via a one-time login link by checking if the route name matches "user.reset". This is the wrong route name. It should be "user.reset.login".

CommentFileSizeAuthor
#2 2874696.patch485 bytesbkosborne

Comments

bkosborne created an issue. See original summary.

bkosborne’s picture

Status: Active » Needs review
StatusFileSize
new485 bytes
prashant.c’s picture

@bkosborne

In my opinion you are correct but let the module author/maintainer review it.

bkosborne’s picture

Priority: Major » Critical

Bumping to critical. This could really cause confusion if someone is investigating an unauthorized login.

greggles’s picture

To make this easy to review, can you point to the file in core that defines this route?

bkosborne’s picture

It's in user.routing.yml, part of the user module. That's the route that the user will actually be on when they use the password reset.

greggles’s picture

Status: Needs review » Fixed

Makes sense to me - thanks!

  • greggles committed 6500ca0 on 8.x-1.x authored by bkosborne
    Issue #2874696 by bkosborne, Prashant.c, greggles: One-time login link...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.