The way one-time login attempts are currently handled, it takes up to one second for the link to become active. This is caused by the fact that the timestamps (in seconds) are compared using GT/LT instead of GTE/LTE.
While this would probably not lead to any issues in a real-world scenario, it leads to some hacks during testing (for example the use of "sleep(1)" in the current version of user.test and the "test sometimes fail"-message in #293487: TestingParty08: User password reset).
I propose we make the one-time link work immediately. Patch attached.
```php
// Time out, in seconds, until login URL expires. 24 hours = 86400 seconds.
$timeout = 86400;
$current = REQUEST_TIME;
// *snip*
if ($timestamp < $current && $account = reset($users)) {
  // No time out for first time login.
  if ($account->login && $current - $timestamp > $timeout) {
    // *snip expiration message*
  }
  elseif ($account->uid && $timestamp > $account->login && $timestamp <= $current && $hashed_pass == user_pass_rehash($account->pass, $timestamp, $account->login)) {
```
Comment | File | Size | Author |
---|---|---|---|
#2 | one-time-login-1.patch | 2.06 KB | mr.baileys |
 | one-time-login.patch | 1.49 KB | mr.baileys |
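
The boundary behaviour described in the issue, as an added PHP example that is not part of the original post or of Drupal's code. `token()` is a hypothetical HMAC stand-in for `user_pass_rehash()`, `link_valid()` is a hypothetical model of the check, all values are constructed, and the inclusive branch assumes both bounds are relaxed to GTE/LTE.

```php
<?php
// Added illustration: simplified model of the check, not Drupal's code.
const TIMEOUT = 86400; // 24 hours, as in the snippet above.

// Stand-in for user_pass_rehash(): binds the link to the last-login time.
function token(string $pass, int $timestamp, int $login): string {
  return hash_hmac('sha256', $timestamp . ':' . $login, $pass);
}

// $inclusive = false: GT/LT bounds; true: GTE/LTE bounds (assumed fix).
function link_valid(array $account, int $timestamp, string $hash, int $now, bool $inclusive): bool {
  $not_future = $inclusive ? $timestamp <= $now : $timestamp < $now;
  $after_login = $inclusive ? $timestamp >= $account['login'] : $timestamp > $account['login'];
  if (!$not_future) {
    return false;
  }
  // No time out for first time login (login == 0).
  if ($account['login'] && $now - $timestamp > TIMEOUT) {
    return false;
  }
  $expected = token($account['pass'], $timestamp, $account['login']);
  return $after_login && hash_equals($expected, $hash);
}

// Constructed sample data: account last logged in at t=1000.
$account = ['pass' => 'constructed-password-hash', 'login' => 1000];
$same_second = token($account['pass'], 1000, 1000); // link issued at t=1000
$later = token($account['pass'], 1001, 1000);       // link issued at t=1001

// After the t=1001 link is used at t=1002, the login time moves forward.
$used = ['pass' => $account['pass'], 'login' => 1002];

$cases = [
  'issued 1000, visited 1000' => [$account, 1000, $same_second, 1000],
  'issued 1000, visited 1001' => [$account, 1000, $same_second, 1001],
  'issued 1001, visited 1002' => [$account, 1001, $later, 1002],
  'replayed after use' => [$used, 1001, $later, 1003],
  'visited after 24h' => [$account, 1001, $later, 1001 + TIMEOUT + 1],
];
foreach ($cases as $label => [$acct, $ts, $hash, $now]) {
  printf("%-28s strict=%-5s inclusive=%s\n", $label,
    var_export(link_valid($acct, $ts, $hash, $now, false), true),
    var_export(link_valid($acct, $ts, $hash, $now, true), true));
}
```

Only the two rows for a link issued in the same second as the last login differ between the modes. In this model the replayed and expired links are rejected either way, because the token input includes the last-login time and the timeout check is unchanged.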
Comments
Comment #1
catch
Can we remove the sleep(1) here too?
Comment #2
mr.baileys
Makes sense, patch attached...
Comment #3
catch
Looks great. We should keep an eye on the test bot just in case there's more voodoo involved with that sleep(1), but patch itself is good and passed this time.
Comment #4
Dries
Looks good to me. Can't think of any reason why this would break. Committed!