Problem/Motivation

User accounts that rely solely on basic_auth for authentication will be locked out after an upgrade to Drupal 10.1.x.
The issue is caused by the new password hashing algorithm (https://www.drupal.org/node/3322420).
basic_auth does not appear to be re-hashing the user password in the same way a UI login would, resulting in the user being locked out.

This is especially concerning, as many accounts using basic_auth will be automated json_api processes, where a failure may not be immediately obvious. Accounts may end up in the flood table.

Steps to reproduce

- Set up a basic_auth user on a Drupal core 10.0.x site
- Upgrade from Drupal core 10.0.x to 10.1.x
- Attempt to authenticate using basic auth
- See failure to authenticate

Proposed resolution

Accounts authenticating using basic_auth should have their passwords re-hashed in the same way that users logging in via the UI do as documented in https://www.drupal.org/node/3322420.
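The "verify, then rehash while the plaintext is in hand" step that the resolution refers to, as an added example that is neither Drupal core nor basic_auth code. It assumes sha512-crypt (`$6$`, which PHP's crypt-compatible `password_verify()` can check) as a stand-in for Drupal's phpass `$S$` hashes, an in-memory user store, and a `$legacyEnabled` flag that plays the role of the phpass module being installed. It also walks through the failure mode from the report: with the legacy verifier absent, a legacy hash can never match, so the account is never upgraded.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not Drupal core or basic_auth code. It models the
 * "verify, then rehash on success" step a UI login performs, so that an
 * account whose only logins arrive over basic_auth is upgraded too.
 * Assumptions: the legacy scheme is sha512-crypt ($6$), standing in for
 * Drupal's phpass $S$ hashes; the user store is an in-memory array;
 * $legacyEnabled plays the role of the phpass module being installed.
 */
final class PasswordUpgrader
{
    private const BCRYPT_OPTIONS = ['cost' => 10];

    /** @param array<string,string> $users username => stored hash */
    public function __construct(private array $users, private bool $legacyEnabled) {}

    /** Returns true on success. On success a legacy hash is replaced by bcrypt. */
    public function authenticate(string $username, string $password): bool
    {
        $hash = $this->users[$username] ?? null;
        if ($hash === null) {
            // Spend comparable time for unknown users.
            password_verify($password, password_hash('dummy', PASSWORD_BCRYPT, self::BCRYPT_OPTIONS));
            return false;
        }
        // Without the legacy verifier a legacy hash can never match: this is
        // the "phpass disabled" case, seen as a 403 on the basic_auth request.
        if (!$this->legacyEnabled && !str_starts_with($hash, '$2y$')) {
            return false;
        }
        if (!password_verify($password, $hash)) {
            return false;
        }
        // The plaintext is available only here, so this is the only point at
        // which the stored hash can be upgraded to the current algorithm.
        if (password_needs_rehash($hash, PASSWORD_BCRYPT, self::BCRYPT_OPTIONS)) {
            $this->users[$username] = password_hash($password, PASSWORD_BCRYPT, self::BCRYPT_OPTIONS);
        }
        return true;
    }

    public function hashFor(string $username): ?string
    {
        return $this->users[$username] ?? null;
    }
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// Constructed sample data: a legacy sha512-crypt hash for the API account.
$salt = '$6$rounds=5000$' . bin2hex(random_bytes(8)) . '$';
$legacyHash = crypt('correct horse', $salt);

// 1. Legacy verifier absent (phpass uninstalled): login fails, hash untouched.
$store = new PasswordUpgrader(['api_user' => $legacyHash], legacyEnabled: false);
expect(!$store->authenticate('api_user', 'correct horse'), 'legacy hash rejected without legacy verifier');
expect(str_starts_with($store->hashFor('api_user'), '$6$'), 'hash not upgraded after failed login');

// 2. Legacy verifier present: a wrong password leaves the hash alone ...
$store = new PasswordUpgrader(['api_user' => $legacyHash], legacyEnabled: true);
expect(!$store->authenticate('api_user', 'wrong'), 'wrong password rejected');
expect(str_starts_with($store->hashFor('api_user'), '$6$'), 'hash unchanged after wrong password');

// ... and a correct password verifies against the legacy hash and upgrades it.
expect($store->authenticate('api_user', 'correct horse'), 'correct password accepted via legacy hash');
expect(str_starts_with($store->hashFor('api_user'), '$2y$'), 'hash upgraded to bcrypt');

// 3. Legacy verifier removed again: the upgraded account still authenticates.
$store = new PasswordUpgrader(['api_user' => $store->hashFor('api_user')], legacyEnabled: false);
expect($store->authenticate('api_user', 'correct horse'), 'bcrypt hash accepted without legacy verifier');
```

Run it with `php` (8.0 or later); each check prints `ok:` or throws. The equivalent check on a real site is the same one the example makes on its in-memory store: after the upgrade, one successful basic_auth request should leave a `$2y$` hash in the `pass` column of `users_field_data` for that account, while a hash still starting with `$S$` means the request never passed verification (typically because phpass is not installed or the database updates have not run).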

Comments

genebobmiller created an issue. See original summary.

alexpott

Status: Active » Postponed (maintainer needs more info)

@genebobmiller thanks for the bug report. I think that you might not have installed phpass or run the updates. I've just tested this and everything works as expected. Here's what I did.

  1. Checked out 10.0.x and composer install
  2. Installed standard
  3. Enabled basic_auth and router_test
  4. Used Postman to hit router_test/test11 with my user credentials as the basic auth. Got a 200.
  5. Checked out 10.1.x and composer install
  6. Ran the db updates
  7. On purpose disabled the new phpass module that was enabled by the update
  8. Used Postman to hit router_test/test11 with my user credentials as the basic auth. Got a 403.
  9. Enabled phpass
  10. Used Postman to hit router_test/test11 with my user credentials as the basic auth. Got a 200.
  11. Disabled phpass - to test that the hash has been updated
  12. Used Postman to hit router_test/test11 with my user credentials as the basic auth. Got a 200.

Given this I'm setting this to Postponed (maintainer needs more info).

genebobmiller

Thanks for investigating Alex, I'll dig deeper and see why our instance is behaving differently.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone

Issue tags: +Bug Smash Initiative

@genebobmiller, did you determine why your instance was behaving differently? If you have resolved the problem, add a comment sharing what you did as it may help others.

Since we need more information to move forward with this issue, I am keeping the status at Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

Thanks!

pameeela

Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)

Closing since no info was provided after it was requested in May.