Problem/Motivation

The module does not restrict login when using the REST login route.

Steps to reproduce

1. Enable the module
2. Browse to /admin/config/people/restrict-login-ip and set an allowed IP range
3. Try to log in from an IP outside that range using the login form: the login is blocked, as expected
4. Send this HTTP request:

curl --header "Content-type: application/json" --request POST --data '{"name":"username", "pass":"password"}'  'http://example.com/user/login?_format=json'

You get logged in, even though your IP is outside the allowed range.

Proposed resolution

The easiest solution would probably be to add the _restrict_login_ip_access requirement to the user.login.http route.
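As an added illustration of that approach (this is not the module's own code): a route subscriber that applies the same access requirement to both the form login route and the REST login route, so both paths are checked before the password is ever evaluated. The requirement key _restrict_login_ip_access is the one named above; the module namespace and the existence of an access checker service tagged for that key are assumptions.

```php
<?php

// Added example, not the module's own code. Namespace is assumed; the
// access checker answering to _restrict_login_ip_access is assumed to exist.

namespace Drupal\restrict_login_ip\Routing;

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

/**
 * Applies the IP restriction to every login entry point, not only the form.
 */
class RouteSubscriber extends RouteSubscriberBase {

  /**
   * Login routes that must all carry the IP restriction.
   *
   * user.login is the HTML form at /user/login; user.login.http is the core
   * JSON endpoint (POST /user/login?_format=json) used in the reproduction.
   */
  const PROTECTED_ROUTES = ['user.login', 'user.login.http'];

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
    foreach (self::PROTECTED_ROUTES as $name) {
      $route = $collection->get($name);
      if ($route === NULL) {
        // Route not defined in this site (nothing to protect): skip it.
        continue;
      }
      // Route requirements are combined with AND, so this is enforced on top
      // of the route's existing _user_is_logged_in / _format requirements.
      $route->setRequirement('_restrict_login_ip_access', 'TRUE');
    }
  }

}
```

The class must be registered in the module's services.yml as a service tagged event_subscriber, and the route cache rebuilt, before the new requirement takes effect; re-running the curl request from step 4 should then be denied instead of returning a session.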

Remaining tasks

User interface changes

API changes

Data model changes


Comments

prudloff created an issue. See original summary.

prudloff:

Note that other authentication methods (basic auth for example) could also be vulnerable but it might be impossible to support every authentication provider.
The module could display a warning when a method it does not support is enabled. Something similar to this: https://git.drupalcode.org/project/one_time_password/-/blob/37a3c61bc1ab...

alex.bukach made their first commit to this issue’s fork.

alex.bukach:

Status: Active » Fixed

@prudloff thanks for catching it, both of your suggestions are implemented.


Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.