Problem/Motivation
The module does not restrict login when using the REST login route.
Steps to reproduce
1. Enable the module
2. Browse to /admin/config/people/restrict-login-ip and set an allowed IP range
3. Try to log in from another IP with the login form: it does not work
4. Send this HTTP request:
curl --header "Content-type: application/json" --request POST --data '{"name":"username", "pass":"password"}' 'http://example.com/user/login?_format=json'
You get logged in.
Proposed resolution
The easiest solution would probably be to add the _restrict_login_ip_access requirement to the user.login.http route.
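One way to apply the proposed fix, written here as an added example for this issue and not taken from the module's code: a route subscriber that sets the _restrict_login_ip_access requirement on user.login.http so the module's access check runs for the REST route as well as the form login. The namespace, class name and the assumption that the module's access checker keys on that requirement are mine.

```php
<?php

namespace Drupal\restrict_login_ip\Routing;

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

/**
 * Applies the IP access requirement to both login routes.
 *
 * Hypothetical subscriber written for this issue; the module ships its own
 * route handling and this class is not a copy of it.
 */
class RestLoginRouteSubscriber extends RouteSubscriberBase {

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
    // user.login.http is the core route behind /user/login?_format=json,
    // the one used by the curl request in the steps to reproduce.
    foreach (['user.login', 'user.login.http'] as $name) {
      // Skip a route that is not registered instead of failing on NULL.
      if ($route = $collection->get($name)) {
        // Same requirement the module applies to the form login route.
        $route->setRequirement('_restrict_login_ip_access', 'TRUE');
      }
    }
  }

}
```

The class still has to be registered in the module's services.yml with the event_subscriber tag; after a cache rebuild the JSON login request above is expected to be denied from a non-allowed IP in the same way as the form login.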
Remaining tasks
User interface changes
API changes
Data model changes
Comments
Comment #2
prudloff commented: Note that other authentication methods (basic auth for example) could also be vulnerable but it might be impossible to support every authentication provider.
The module could display a warning when a method it does not support is enabled. Something similar to this: https://git.drupalcode.org/project/one_time_password/-/blob/37a3c61bc1ab...
Comment #5
alex.bukach commented: @prudloff thanks for catching it, both of your suggestions are implemented.