Commit a8729aad authored by Nathaniel Catchpole's avatar Nathaniel Catchpole

Issue #992540 by valthebald, ndobromirov, jec006, kid_icarus, rickmanelius,...

Issue #992540 by valthebald, ndobromirov, jec006, kid_icarus, rickmanelius, mr.baileys, pguillard, joseph.olstad, vijaycs85, paulocs, voleger, Matt V., aerozeppelin, ravi.shankar, quietone, Munavijayalakshmi, ranjith_kumar_k_u, evilehk, swentel, gaurav.kapoor, yogeshmpawar, klidifia, pradhumanjainOSL, louis-cuny, catch, Everett Zufelt, alexpott, cilefen, xjm, grendzy, cashwilliams, borisson_, lachezar.valchev, tstoeckler, Heine: Nothing clears the "5 failed login attempts" security message when a user resets their own password
parent 1d6b90e8
......@@ -235,6 +235,17 @@ public function resetPassLogin($uid, $timestamp, $hash, Request $request) {
return $redirect;
}
$flood_config = $this->config('user.flood');
if ($flood_config->get('uid_only')) {
$identifier = $user->id();
}
else {
$identifier = $user->id() . '-' . $request->getClientIP();
}
$this->flood->clear('user.failed_login_user', $identifier);
$this->flood->clear('user.http_login', $identifier);
user_login_finalize($user);
$this->logger->info('User %name used one-time login link at time %timestamp.', ['%name' => $user->getDisplayName(), '%timestamp' => $timestamp]);
$this->messenger()->addStatus($this->t('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please set your password.'));
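Review bot: The identifier built on the added lines (`uid_only` → bare uid, otherwise `uid-ip`) must be byte-identical to the key under which the login path registered the failures, yet nothing ties the two sites together; if either format drifts, the clear silently misses and the user stays locked out after a reset. A shared helper for deriving the flood identifier would remove the duplication, or at minimum add `// Must match the identifier the login form uses when it registers a failed attempt.` above the `if`. `getClientIP()` only resolves because PHP method names are case-insensitive; Symfony's method is `getClientIp()`, and static analysis will flag the mismatch. Leaving the IP-based count (`user.failed_login_ip`) untouched is the right call and the test section confirms it, but it reads like an omission without a why-comment, e.g. `// The IP-based count is intentionally not cleared: a reset proves control of the mailbox, not that the client address is benign.` resetPassLogin() starts before and continues after this hunk.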
......
......@@ -2,6 +2,7 @@
namespace Drupal\Tests\user\Functional;
use Drupal\Core\Test\AssertMailTrait;
use Drupal\Core\Url;
use Drupal\Tests\BrowserTestBase;
use Drupal\user\Entity\User;
......@@ -14,6 +15,10 @@
*/
class UserLoginTest extends BrowserTestBase {
use AssertMailTrait {
getMails as drupalGetMails;
}
/**
* {@inheritdoc}
*/
......@@ -75,6 +80,13 @@ public function testGlobalLoginFloodControl() {
// A login with the correct password should also result in a flood error
// message.
$this->assertFailedLogin($user1, 'ip');
// A login attempt after resetting the password should still fail, since the
// IP-based flood control count is not cleared after a password reset.
$this->resetUserPassword($user1);
$this->drupalLogout();
$this->assertFailedLogin($user1, 'ip');
$this->assertSession()->responseContains('Too many failed login attempts from your IP address.');
}
/**
......@@ -98,7 +110,8 @@ public function testPerUserLoginFloodControl() {
$this->assertFailedLogin($incorrect_user1);
}
// A successful login will reset the per-user flood control count.
// We're not going to test resetting the password which should clear the
// flood table and allow the user to log in again.
$this->drupalLogin($user1);
$this->drupalLogout();
......@@ -115,6 +128,12 @@ public function testPerUserLoginFloodControl() {
// Try one more attempt for user 1, it should be rejected, even if the
// correct password has been used.
$this->assertFailedLogin($user1, 'user');
$this->resetUserPassword($user1);
$this->drupalLogout();
// Try to log in as user 1, it should be successful.
$this->drupalLogin($user1);
$this->assertSession()->responseContains('Member for');
}
/**
......@@ -300,4 +319,23 @@ public function assertFailedLogin(User $account, string $flood_trigger = NULL):
}
}
/**
* Reset user password.
*
* @param object $user
* A user object.
*/
public function resetUserPassword($user) {
$this->drupalGet('user/password');
$edit['name'] = $user->getDisplayName();
$this->submitForm($edit, 'Submit');
$_emails = $this->drupalGetMails();
$email = end($_emails);
$urls = [];
preg_match('#.+user/reset/.+#', $email['body'], $urls);
$resetURL = $urls[0];
$this->drupalGet($resetURL);
$this->submitForm([], 'Log in');
}
}
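Review bot: `resetUserPassword()` dereferences `$urls[0]` without checking that `preg_match()` matched, so a missing or reformatted reset mail fails with an undefined-index notice instead of a readable assertion; replace the match line with `$this->assertSame(1, preg_match('#.+user/reset/.+#', $email['body'], $urls), 'Reset mail contains a one-time login URL.');` and guard `end()` with `$this->assertNotEmpty($_emails);`. The signature `public function resetUserPassword($user)` with `@param object $user` is looser than the sibling `assertFailedLogin(User $account, ...): void` in the same class; `public function resetUserPassword(User $user): void {` matches it and documents that `getDisplayName()` is available. The pattern is greedy on the whole line, so anything printed after the URL on that line is presumably swallowed into `$resetURL` — fine for the default mail template, but worth a sentence in the docblock. The `drupalLogout()` calls that follow the reset in `testGlobalLoginFloodControl` and `testPerUserLoginFloodControl` also deserve a one-line comment saying the one-time link leaves the browser logged in.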