Closed (fixed)
Project:
REST Password Request
Version:
8.x-1.7
Component:
Code
Priority:
Major
Category:
Bug report
Assigned:
Reporter:
Created:
10 Nov 2020 at 05:16 UTC
Updated:
12 Aug 2022 at 00:52 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #2
taggartj commentedmmmm I don't really see it as its individual to the account
$collection = 'rest_password';
$tempstore = $service->get($collection, $account->id()); // AKA individual to user
$tempstore->set('temp_pass', $random_string);
The above kinda says hay SET user X's temp password something random in ... then later after the user changes (before it expires of corse) it then it is deleted or unsets..
can you please explain or point out where it is using a shared storage ? yes tempstorage but temp can be multiple and unique !?
Your welcome to create a patch if you like.
Comment #3
taggartj commentedComment #4
glynster commentedInteresting, your logic makes complete sense here... but with solid testing on the other module the bug is clear: https://www.drupal.org/project/rest_register_verify_email/issues/3167613
interesting enough I think this module was based on yours when I review the code.
Most of it is near identical!:
Thanks for the explanation just need to find out where the issue is now.
Comment #5
anmolgoyal74 commentedI have also faced this issue.
let's say User1 request the password reset, and before User1 uses the temp password, User2 also request the password. Now If user1 uses the temp password, the response is "No valid temp password request."
This is returning null.
$tempstore = $service->get($collection, $account->id());this just set's the owner of the key. So when User2 create password request, the owner of key "temp_pass" changed to User2 and also the value changed.
Comment #6
anmolgoyal74 commentedI have used user id with key "temp_pass" to make it unique for the account.
I hope this works.
Comment #7
glynster commented@anmolgoyal74 you are a legend. This works perfectly now with these small adjustments. Less support tickets to deal with now!! I will provide a patch for the other module as that is the one we have the bulk of the support tickets on.
Your patch has been tested on production +1 RTBC.
Comment #8
qzmenkoWhy we can't use service
tempstore.privateinsteadtempstore.shared?Comment #9
taggartj commentedOk both issues are not in the 1.7 release
I have merged patch in # 6 , thanks again @anmolgoyal74.
also qzmenko please don't hijack threads :) but i have refactored the code to use the tempstore.private
so ... closing this.
Comment #10
glynster commentedHi @taggartj,
I upgraded to the latest version 1.7 and removed the patch but then we get:
no valid temp password requestI reverted back to 1.6 with the patch and all works as it should.
Also I see you wrote 'Ok both issues are not in the 1.7 release' so not sure if that meant it was not included in 1.7 release.
Comment #11
taggartj commentedwhat workflow did you use to get that ?
any other modules in use such as email reg ?
Note changing this to bug with 8.1.7 release
i did see a small issue where the temp_pass is never being deleted so 8.1.8 will include the following fix
// Delete temp password.
- $tempstore->delete('temp_pass');
+ // Delete temp password because next time it will be not valid.
+ $tempstore->delete('temp_pass_' . $uid);
please use https://www.drupal.org/files/issues/2021-01-05/8.1.7_small_delete_issue.... untill 8.1.8 release
Comment #12
taggartj commentedComment #13
glynster commentedHi @taggartj,
The following modules are installed:
REST Register User with Email Verification 8.1.rc1
Email Registration - email_registration 8.1.1 (this module I created a patch based on what @anmolgoyal74 supplied which resolved the issue there as well)
To reproduce this you would follow the same procedure:
Request temp password: user/lost-password
Email is sent with temp code
Sent data to: user/lost-password-reset
and the result is: no valid temp password request
I will go ahead and tested latest release (1.7) with patch provided (8.1.7_small_delete_issue.patch). Will test on our dev and let you know if this resolves the issue.
Comment #14
taggartj commentedok ill try to test with the same modules ect
fyi -> the patch wont work though in your case:
it just removes the temp pass, so the next call will result in the error message
as you can see...
// Delete temp password.
- $tempstore->delete('temp_pass'); <--- that does not delete anything ever :(
+ // Delete temp password because next time it will be not valid.
+ $tempstore->delete('temp_pass_' . $uid); < --- this does
Comment #15
glynster commentedHi @taggartj,
Right I was just hoping I guess!
Ran some tests and as you say this did not help on dev. The patch I created is here:
https://www.drupal.org/project/rest_register_verify_email/issues/3167613
Totally based on @anmolgoyal74 work.
FYI: there have been no updates to those modules in awhile, just to rule out any changes they might have brought to the table.
Comment #16
taggartj commentedok looking at your patch please note that this 8.1.7 release now uses
$service = \Drupal::service('tempstore.private'); not shared. so there may be conflict ? as you use the shared service ?
eg (https://www.drupal.org/project/rest_register_verify_email/issues/3167613)
- $service = \Drupal::service('tempstore.shared');
+ $service = \Drupal::service('tempstore.private');
$collection = 'rest_register_verify_email';
$tempstore = $service->get($collection, $uid);
- $temp_token = $tempstore->getIfOwner('temp_token_' . $uid);
+ $temp_token = $tempstore->get('temp_token_' . $uid);
Ill try it with you patch what Drupal core are you using (if i may ask) because I am just testing with 8.9.1
Comment #17
glynster commentedAh ha right.
We have the latest version of Drupal 8.9.11.
If this is an issue then I guess I can see what you have done and try to replicate the same solution to that module.
Comment #18
glynster commentedI have been running some tests and your changes are very minor and I assume when you use tempstore.private there is no need to use getIfOwner. I also used what you have with a small change of get -> getIfOwner to see if that made any difference but then the response is a 500. So on my end no luck other than 1.6 with the original patch. I don't see why there would be a conflict as REST Register User with Email Verification 8.1.rc1 is only for the initial account setup. I am testing on accounts that have already been verified as well.....
Comment #19
glynster commented@taggartj just wanted to check in with you and see if you could replicate the same issue as us?
Comment #20
ujin commentedI had the same issue, actually everything worked fine if I tested via the postman but it didn't work from the react app, so as a temprorary solution downgraded to 8.16 and applied patch.
Comment #21
anmolgoyal74 commentedHi
tempstore.privatecannot be used here since it is user-specific. In our case, the requests come from an anonymous user.IMHO,
tempstore.sharedis the only solution here.Comment #22
glynster commented@anmolgoyal74 thanks for the heads up. Your patch is working well none the less!
Comment #23
glynster commented@taggartj any chance we can get a new commit revert patch as per @anmolgoyal74 logic and reasoning?
Comment #24
taggartj commentedglynster is this now working for you with release 8.1.8 ?
- sorry been flat out with work and home life
Comment #25
glynster commented@taggartj confirmed latest version resolves the issue!! Invaluable module when it comes to decoupling!!
Comment #26
glynster commentedComment #27
glynster commented