We have uncovered an issue with shared collection in https://www.drupal.org/project/rest_register_verify_email and see the same potential issue here also. If you have several people resetting their passwords in a small space of time (minutes) the first person to reset would be wiped out by the next person and so on.

Does anyone else see this as an issue?

I have look at the code and it would seem that updating:

$service = \Drupal::service('tempstore.public'); -> $service = \Drupal::service('tempstore.private');

But I feel there is more to it than that.

Comments

glynster created an issue. See original summary.

taggartj’s picture

mmmm I don't really see it as its individual to the account

$collection = 'rest_password';
$tempstore = $service->get($collection, $account->id()); // AKA individual to user
$tempstore->set('temp_pass', $random_string);

The above kinda says hay SET user X's temp password something random in ... then later after the user changes (before it expires of corse) it then it is deleted or unsets..
can you please explain or point out where it is using a shared storage ? yes tempstorage but temp can be multiple and unique !?

Your welcome to create a patch if you like.

taggartj’s picture

Status: Active » Postponed (maintainer needs more info)
glynster’s picture

Interesting, your logic makes complete sense here... but with solid testing on the other module the bug is clear: https://www.drupal.org/project/rest_register_verify_email/issues/3167613

interesting enough I think this module was based on yours when I review the code.

Most of it is near identical!:

$collection = 'rest_password';
$tempstore = $service->get($collection, $account->id()); // AKA individual to user
$tempstore->set('temp_pass', $random_string);

Thanks for the explanation just need to find out where the issue is now.

anmolgoyal74’s picture

Issue summary: View changes
Status: Postponed (maintainer needs more info) » Active

I have also faced this issue.

let's say User1 request the password reset, and before User1 uses the temp password, User2 also request the password. Now If user1 uses the temp password, the response is "No valid temp password request."

            $service = \Drupal::service('tempstore.shared');
            $collection = 'rest_password';
            $tempstore = $service->get($collection, $uid);
            $temp_pass_from_storage = $tempstore->getIfOwner('temp_pass');

This is returning null.

$tempstore = $service->get($collection, $account->id());
this just set's the owner of the key. So when User2 create password request, the owner of key "temp_pass" changed to User2 and also the value changed.

anmolgoyal74’s picture

Status: Active » Needs review
StatusFileSize
new2.21 KB

I have used user id with key "temp_pass" to make it unique for the account.
I hope this works.

glynster’s picture

@anmolgoyal74 you are a legend. This works perfectly now with these small adjustments. Less support tickets to deal with now!! I will provide a patch for the other module as that is the one we have the bulk of the support tickets on.

Your patch has been tested on production +1 RTBC.

qzmenko’s picture

Why we can't use service tempstore.private instead tempstore.shared?

taggartj’s picture

Assigned: Unassigned » taggartj
Status: Needs review » Fixed

Ok both issues are not in the 1.7 release
I have merged patch in # 6 , thanks again @anmolgoyal74.

also qzmenko please don't hijack threads :) but i have refactored the code to use the tempstore.private

so ... closing this.

glynster’s picture

Hi @taggartj,

I upgraded to the latest version 1.7 and removed the patch but then we get:

no valid temp password request

I reverted back to 1.6 with the patch and all works as it should.

Also I see you wrote 'Ok both issues are not in the 1.7 release' so not sure if that meant it was not included in 1.7 release.

taggartj’s picture

Version: 8.x-1.6 » 8.x-1.7
Status: Fixed » Postponed (maintainer needs more info)

what workflow did you use to get that ?
any other modules in use such as email reg ?
Note changing this to bug with 8.1.7 release

i did see a small issue where the temp_pass is never being deleted so 8.1.8 will include the following fix

// Delete temp password.
- $tempstore->delete('temp_pass');
+ // Delete temp password because next time it will be not valid.
+ $tempstore->delete('temp_pass_' . $uid);

please use https://www.drupal.org/files/issues/2021-01-05/8.1.7_small_delete_issue.... untill 8.1.8 release

taggartj’s picture

StatusFileSize
new1.38 KB
glynster’s picture

Hi @taggartj,

The following modules are installed:
REST Register User with Email Verification 8.1.rc1
Email Registration - email_registration 8.1.1 (this module I created a patch based on what @anmolgoyal74 supplied which resolved the issue there as well)

To reproduce this you would follow the same procedure:
Request temp password: user/lost-password
Email is sent with temp code
Sent data to: user/lost-password-reset

and the result is: no valid temp password request

I will go ahead and tested latest release (1.7) with patch provided (8.1.7_small_delete_issue.patch). Will test on our dev and let you know if this resolves the issue.

taggartj’s picture

ok ill try to test with the same modules ect

fyi -> the patch wont work though in your case:
it just removes the temp pass, so the next call will result in the error message
as you can see...
// Delete temp password.
- $tempstore->delete('temp_pass'); <--- that does not delete anything ever :(
+ // Delete temp password because next time it will be not valid.
+ $tempstore->delete('temp_pass_' . $uid); < --- this does

glynster’s picture

Hi @taggartj,

Right I was just hoping I guess!

Ran some tests and as you say this did not help on dev. The patch I created is here:
https://www.drupal.org/project/rest_register_verify_email/issues/3167613

Totally based on @anmolgoyal74 work.

FYI: there have been no updates to those modules in awhile, just to rule out any changes they might have brought to the table.

taggartj’s picture

ok looking at your patch please note that this 8.1.7 release now uses
$service = \Drupal::service('tempstore.private'); not shared. so there may be conflict ? as you use the shared service ?

eg (https://www.drupal.org/project/rest_register_verify_email/issues/3167613)
- $service = \Drupal::service('tempstore.shared');
+ $service = \Drupal::service('tempstore.private');
$collection = 'rest_register_verify_email';
$tempstore = $service->get($collection, $uid);
- $temp_token = $tempstore->getIfOwner('temp_token_' . $uid);
+ $temp_token = $tempstore->get('temp_token_' . $uid);

Ill try it with you patch what Drupal core are you using (if i may ask) because I am just testing with 8.9.1

glynster’s picture

Ah ha right.
We have the latest version of Drupal 8.9.11.
If this is an issue then I guess I can see what you have done and try to replicate the same solution to that module.

glynster’s picture

I have been running some tests and your changes are very minor and I assume when you use tempstore.private there is no need to use getIfOwner. I also used what you have with a small change of get -> getIfOwner to see if that made any difference but then the response is a 500. So on my end no luck other than 1.6 with the original patch. I don't see why there would be a conflict as REST Register User with Email Verification 8.1.rc1 is only for the initial account setup. I am testing on accounts that have already been verified as well.....

glynster’s picture

@taggartj just wanted to check in with you and see if you could replicate the same issue as us?

ujin’s picture

I had the same issue, actually everything worked fine if I tested via the postman but it didn't work from the react app, so as a temprorary solution downgraded to 8.16 and applied patch.

anmolgoyal74’s picture

Hi
tempstore.private cannot be used here since it is user-specific. In our case, the requests come from an anonymous user.
IMHO, tempstore.shared is the only solution here.

glynster’s picture

@anmolgoyal74 thanks for the heads up. Your patch is working well none the less!

glynster’s picture

@taggartj any chance we can get a new commit revert patch as per @anmolgoyal74 logic and reasoning?

taggartj’s picture

glynster is this now working for you with release 8.1.8 ?
- sorry been flat out with work and home life

glynster’s picture

@taggartj confirmed latest version resolves the issue!! Invaluable module when it comes to decoupling!!

glynster’s picture

Status: Postponed (maintainer needs more info) » Fixed
glynster’s picture

Status: Fixed » Closed (fixed)