Hi, when email_registration is enabled, the Drupal password reset page for one-time account activation links still shows the username rather than the email address, such as "This is a one-time login link for email_registration_fxb78KrJHe". This is a confusing experience for users as they never chose that username or are exposed to it elsewhere. It'd be nice if this page showed the email address instead.

I think this could be fixed by implementing hook_FORM_ID_alter for the user_pass_reset form with something like this:

<?php

use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\StringTranslation\TranslatableMarkup;

/**
 * Implements hook_form_FORM_ID_alter() for the user_pass_reset form.
 */
function mymodule_form_user_pass_reset_alter(&$form, FormStateInterface $form_state, $form_id) {
  /** @var \Drupal\Core\Session\AccountInterface $user */
  $user = $form_state->getBuildInfo()['args'][0];
  /** @var \Drupal\Core\StringTranslation\TranslatableMarkup $message */
  $message = $form['message']['#markup'];
  // Re-create the message with the %user_name placeholder set to the email.
  $arguments = $message->getArguments();
  $arguments['%user_name'] = $user->getEmail();
  $form['message']['#markup'] = new TranslatableMarkup($message->getUntranslatedString(), $arguments);
}

It would be nice if this could be in email_registration rather than having to include this in a custom module.

Thanks!
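The hook from the issue summary above, written defensively, as an added example that is not part of the issue, the patch, or the email_registration module. It assumes a hypothetical mymodule.module file and assumes that the generated usernames carry the "email_registration_" prefix shown in the summary; every precondition is checked so that a change in core's form structure leaves the message untouched rather than causing an error, and the value stays behind the %-placeholder so the rendering layer still escapes it.

```php
<?php
// Added example: hypothetical mymodule.module, not code from the issue or
// from the email_registration module.

use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\StringTranslation\TranslatableMarkup;
use Drupal\user\UserInterface;

/**
 * Implements hook_form_FORM_ID_alter() for user_pass_reset.
 *
 * Replaces a generated username with the account's email address on the
 * one-time login page. Every precondition is verified; if any fails the
 * core message is left as it is.
 */
function mymodule_form_user_pass_reset_alter(array &$form, FormStateInterface $form_state, $form_id) {
  // The account is the first build argument of user_pass_reset; verify the
  // type instead of assuming it.
  $args = $form_state->getBuildInfo()['args'] ?? [];
  $user = $args[0] ?? NULL;
  if (!$user instanceof UserInterface) {
    return;
  }

  // Only touch the message if core still builds it as TranslatableMarkup
  // with a %user_name placeholder.
  $message = $form['message']['#markup'] ?? NULL;
  if (!$message instanceof TranslatableMarkup) {
    return;
  }
  $arguments = $message->getArguments();
  if (!array_key_exists('%user_name', $arguments)) {
    return;
  }

  // Only substitute for a name the user never chose (assumption: generated
  // names start with "email_registration_", as in the issue summary). Users
  // who picked their own username keep seeing it.
  if (strpos($user->getAccountName(), 'email_registration_') !== 0) {
    return;
  }

  $email = $user->getEmail();
  if (empty($email)) {
    return;
  }

  // Keep the %-placeholder so the email is still escaped when rendered, and
  // carry over the original translation options (context, langcode).
  $arguments['%user_name'] = $email;
  $form['message']['#markup'] = new TranslatableMarkup(
    $message->getUntranslatedString(),
    $arguments,
    $message->getOptions()
  );
}
```

The prefix check is the part most likely to need adapting: it restricts the substitution to accounts whose username was generated, so the page behaves exactly like core for everyone else.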


Comments

JeremySkinner created an issue.

Indrapatil

Assigned: Unassigned » Indrapatil
xmacinfo

@Indrapatil, please be careful when working in issues. You must not assign yourself if you do not work on a fix.

greggles

Version: 8.x-1.0-rc5 » 8.x-1.x-dev
Status: Active » Needs review
Issue tags: +dcco2019

That seems like a great idea. Here's a patch version of the original issue by @JeremySkinner.

greggles

Status: Needs review » Postponed

This should be postponed until #2828724: Username enumeration via one time login route is fixed.

xmacinfo

Assigned: Indrapatil » Unassigned
Grevil

Title: Password reset page shows username rather than email when email_registration is enabled » [2.x] Password reset page shows username rather than email when email_registration is enabled
Version: 8.x-1.x-dev » 2.x-dev
Status: Postponed » Active
Issue tags: -dcco2019

Definitely makes sense!

Anybody

@Grevil: Could you check the status in 2.x tomorrow (shortly) perhaps and post it here? (without the submodule)

Grevil

@Anybody this shouldn't be a problem any more, since this username is only temporary. I'll check it.

Grevil

It still shows the username on password reset.
E.g., if we create a user with the email "admin@test.de", we'll get a reset mail along the lines of:

admin,

A request to reset the password for your account has been made at Drush
Site-Install.

(or admin_1, admin_2, ..., if "admin" was already taken).

I agree that using the mail address of the user might be better.

(For everyone still having usernames prefixed with "email_registration_" or other usernames which should be overwritten, there is a new "Update username (from email_registration)" batch action to use.)

Update: Whoops, of course the reset link page was meant, not the mail, which can be manually configured differently already.

Grevil

Assigned: Unassigned » Grevil
Grevil

Assigned: Grevil » Unassigned
Status: Active » Reviewed & tested by the community

Thank you, @JeremySkinner! Code snippet works and looks great! I just did some tiny adjustments to it! RTBC!

Grevil

Status: Reviewed & tested by the community » Needs work

Adding a few security checks.

Grevil

Assigned: Unassigned » Anybody
Status: Needs work » Needs review

Alright, now there are enough changes to let somebody review this. Please review!

Anybody

Assigned: Anybody » Unassigned
Status: Needs review » Postponed

@Grevil I think the approach from #3396313: Move obfuscation logic of submodule into main module might be better. Until we have that in place I'll postpone this.
If that isn't enough we should keep the code here to add this later. Back to NR then, if that should be the case.

Anybody

@Grevil: You wrote:

It still shows the username on password reset.

What's the displayed username?

In the issue summary it was "email_registration_fxb78KrJHe"

if it's now "admin" for example for admin@example.com I think this could be seen as works as expected in 2.x and we could close this.
If it shows sth. like "email_registration_fxb78KrJHe" we should merge the MR.

I'm a bit unsure if the fix could introduce security risks, so if we don't need it, we shouldn't do it, I think!
Also, long-term #3396313: Move obfuscation logic of submodule into main module might be the better and more general approach.

Grevil

Status: Postponed » Fixed

@Anybody, the original prefixed username ("email_registration_") doesn't show up on the password reset any more. As discussed locally, the username will still show up in several places, and having this exception ONLY on the password reset page is kind of odd, as it doesn't change anywhere else.

For the use case to have the email-address shown instead of the username in every place, you can use the newly added submodule, which syncs your mail address with your username!

Original issue is fixed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.