Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
As our goal moving forward is to allow multiple plugins to be enabled for TFA, having plugins classified as fallbacks causes a bit of ambiguity between a fallback plugin and other plugins so this patch aims to remove fallback plugins as a whole and make recovery codes a permanent option for authentication as a backup method.
Comment | File | Size | Author |
---|---|---|---|
#31 | interdiff.txt | 5.65 KB | daggerhart |
#31 | 2924691-31.patch | 51.12 KB | daggerhart |
| |||
#29 | 2924691-29.patch | 50.47 KB | daggerhart |
| |||
#16 | 2924691-15-16-interdiff.txt | 401 bytes | daggerhart |
#16 | 2924691-16.patch | 45.3 KB | daggerhart |
|
Comments
Comment #2
therealssj CreditAttribution: therealssj commentedComment #3
therealssj CreditAttribution: therealssj commentedComment #4
daggerhart CreditAttribution: daggerhart commentedThis looks good @therealssj.
Not sure why, but I couldn't get #2 to apply cleanly against 8.x-1.x branch. It was having trouble with the EntryForm.php changes. So I applied your patch and fixed EntryForm by hand. Attached is a re-roll of your patch. Results should be the same.
Comment #5
ryan.gibson CreditAttribution: ryan.gibson at Mediacurrent commentedIs this ready for review?
Comment #6
daggerhart CreditAttribution: daggerhart commentedYes please. I didn’t have a chance to test thoroughly, just looked over the patch and tried applying it.
Not sure why #2 wouldn’t apply, could you try it first in case there’s something off about my local repo?
Comment #7
daggerhart CreditAttribution: daggerhart commentedComment #8
daggerhart CreditAttribution: daggerhart commentedNote on testing this patch. The recovery code form is currently broken. See: #2924970: Recovery code form broken- checking for code value in non-existent field
Comment #9
therealssj CreditAttribution: therealssj commentedTested against latest branch and minor change for removing
tfa_recovery_code
from validation plugins list.Comment #10
benjifisherI see that #2924970: Recovery code form broken- checking for code value in non-existent field has been fixed, so that should simplify testing.
Please update the issue description to explain further what the goal is. I think the idea is to entirely remove the idea of a "fallback plugin". Currently, recovery codes are implemented as a fallback plugin, and the goal is to make them more like any other TFA plugin. That seems like a good idea, but it seems that there is just as much code in
EntryForm.php
. I would expect more savings. Is that because this is just an intermediate step? Maybe it would be simpler to postpone this issue until #2923786: Allow users to select from multiple 2nd-Factor approaches is fixed.For now, here is a partial code review. The first two items are picky (but easy to fix). The third is more important.
1. Comments should be full sentences, starting with a capital letter:
2. Do we need two blank lines?
3. It looks as though this patch removes one setting and adds another. We should add an update function to remove the obsolete setting. If we can create the new setting at the same time, that will help users upgrading from the alpha1 release. If that is not possible, then we should at least add upgrade instructions to the README.
Update: I just noticed that #2923786: Allow users to select from multiple 2nd-Factor approaches is listed as a child issue of this one. If you think it makes more sense to handle this one first, that is OK with me. I expect we will get savings in
EntryForm.php
once the two issues are done, in whichever order.Comment #11
daggerhart CreditAttribution: daggerhart commentedI was about to review the patch and re-roll it with some adjustments but I realized that the patch will need to be re-rolled after #2928728: Remove Totp and Hotp validation plugins after they are moved to ga_login due to some changes that were necessary to get tests working. I'm going to hold off for the moment.
Also, we might need to discuss the approach a little more on this issue. I don't see the value in making a new setting for "Enable Recovery Codes" and treating it like a special validation plugin. As this is currently written, we're removing the concept of a fallback plugin in name only because we continue to treat recovery codes as a fallback plugin by making it a special case.
I think instead, recovery codes should just be another Validation plugins listed with the others. Then when we deal with #2923786: Allow users to select from multiple 2nd-Factor approaches, it will appear within the list of other Validation plugins and can be enabled just like everything else. We can recommend in the UI that site owners enable the recovery code validation plugin without treating it as a special case.
Thoughts?
@benjifisher - thanks for these notes
> We should add an update function to remove the obsolete setting.
We definitely need to consider this within this issue or the related
#2923786
. Data structures will be changing.> I expect we will get savings in EntryForm.php once the two issues are done, in whichever order.
Same here, I'd hope we can simplify much by removing an entire concept. I'm not really sure this issues has to be before
#2923786
. Now that I'm thinking about it more, it might be easier to do#2923786
first, make the data structure adjustments as needed. Then in this issue we remove the fallback concept and enable recovery_codes validation plugin in an update hook if the site had them enabled in the old structure.Also, I'm going to change
#2923786
to be related to this issue rather than a child of it.Thoughts?
Comment #12
benjifisherI think we agree. First priority is #2928728: Remove Totp and Hotp validation plugins after they are moved to ga_login. Then let's do #2923786: Allow users to select from multiple 2nd-Factor approaches before returning to this issue.
Comment #13
daggerhart CreditAttribution: daggerhart commentedComment #14
daggerhart CreditAttribution: daggerhart commentedCircling back around to this a bit today. This is a work in progress patch, but you can see where I'm going with it.
I've:
TfaRandomTrait
for generating cryptographically secure random strings.And maybe a little more...
Still needs work around the tests as well as manual testing of various other aspects of TFA.
Comment #15
daggerhart CreditAttribution: daggerhart commentedUpdated patch, now with passing tests.
Also did a lot of manual testing around the settings page, setting up the plugin, and validation using the plugin.
Comment #16
daggerhart CreditAttribution: daggerhart commentedThis change would make the tfa module no longer dependent on the
"christian-riesen/otp": "2.*"
library.Updated patch that removes this dependency. Note, doing this means GA_Login module will need to include the dependency on its own. I'll make an issue in that module queue for it.
Comment #17
JeroenTPatch no longer applies. Needs reroll.
Comment #18
Waldoswndrwrld CreditAttribution: Waldoswndrwrld at iO commentedRerolled the patch.
Comment #20
Waldoswndrwrld CreditAttribution: Waldoswndrwrld at iO commentedUpdated patch, now with passing tests.
Comment #22
Waldoswndrwrld CreditAttribution: Waldoswndrwrld at iO commentedAdded the required modules in the composer.json file so the patch will pass the tests.
Comment #24
Waldoswndrwrld CreditAttribution: Waldoswndrwrld at iO commentedMade changes to the composer.json file so the patch will pass the tests.
Comment #25
daggerhart CreditAttribution: daggerhart at Hook 42 commentedPatch fails to apply in a lot of ways (that's what I get for waiting 1 year).
Attempted re-roll. Getting a number of errors during tests relate to deprecated methods, so this may be a WIP patch.
Went ahead and replaced drupal_set_message() calls with new messenger service to mitigate some of the errors.
Comment #26
daggerhart CreditAttribution: daggerhart at Hook 42 commentedFound one of the errors. Let's see how this goes.
Comment #27
daggerhart CreditAttribution: daggerhart at Hook 42 commentedReroll because I commited another patch that made one of the changes that this patch was making.
Comment #28
idebr CreditAttribution: idebr at iO commentedThe patch #27 works correctly on my local environment. I did an initial pass on the patch, but I will try to take a more in-depth look at the new classes later.
The indentation change here is incorrect: composer json/lock files have a different code style. See https://git.drupalcode.org/project/drupal/blob/8.8.x/.editorconfig
Other labels in the schema file use 'TFA' instead of 'Tfa'. Let's keep this TFA for consistency
These interface texts are inconsistent. Drupal uses American English (cancelled)
These interface texts are inconsistent. Let's stick with 'Recovery codes'
Comment #29
daggerhart CreditAttribution: daggerhart at Hook 42 commentedThanks for the review!
Here is an updated patch that addresses the items you listed. There are more inconsistencies throughout the module along the same lines as the items you mention, but I didn't address them here. Would be nice to standardize a lot of that in another issue.
Comment #30
idebr CreditAttribution: idebr at iO commentedDid some more local testing and the patch works great!
A few nitpicks as a final review:
This trait is already added in \Drupal\tfa\Plugin\TfaValidation\TfaRecoveryCode
Comment indentation must be 3 spaces
Type hint "array" missing for $params
$reset is expected to be an integer (a boolean would make more sense though)
The \Drupal::config() call should be replaced with dependency injection (config.factory service)
Missing @return statement
These changes are incorrect: The capitalized group names are referring to core component names.
See https://www.drupal.org/project/drupal/issues/2301481
Comment #31
daggerhart CreditAttribution: daggerhart at Hook 42 commentedThanks!
I have most of these resolved in this patch, but skipped number 3. Details:
Comment #32
idebr CreditAttribution: idebr at iO commentedLooking good, nice work!
Comment #34
daggerhart CreditAttribution: daggerhart at Hook 42 commentedCommitted. Thanks for everyone for the help!