Issue #3374265: Overriding the user.reset route is unnecessary

This effectively breaks #2641148, but implementing hook_user_login() should make up for it.

passwordless.api.php

-<?php
-/**
- * @file
- * Describe hooks provided by the Passwordless module.
- */
-
-/**
- * Allows other modules to customize the landing page after a successful login.
- *
- * @param string $route_name
- * @param array $route_parameters
- */
-function hook_passwordless_login_redirect_alter(string &$route_name, array &$route_parameters = []) {
-  $route_name = '<front>';
-}

passwordless.module

 <?php
+
+use Drupal\Component\Utility\NestedArray;
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\Url;
 use Drupal\Core\Block\BlockPluginInterface;
@@ -71,6 +73,23 @@ function passwordless_form_alter(&$form, FormStateInterface $form_state, $form_i
       }
       unset($form['account']['pass'], $form['account']['current_pass']);
     break;
+
+    case 'user_pass_reset':
+      $form['#title'] = t('Log in');
+      $build_info = $form_state->getBuildInfo();
+      // See arguments at \Drupal\user\Form\UserPasswordResetForm::buildForm().
+      /** @var Drupal\Core\Session\AccountInterface $user */
+      $user = NestedArray::getValue($build_info, ['args', 0]);
+
+      if ($expiration_date = NestedArray::getValue($build_info, ['args', 1])) {
+        $message = t('<p>This is a one-time login for %user_name and will expire on %expiration_date.</p><p>Click on this button to log in to the site.</p>', ['%user_name' => $user->getAccountName(), '%expiration_date' => $expiration_date]);
+      }
+      else {
+        $message = t('<p>This is a one-time login for %user_name.</p><p>Click on this button to log in to the site.</p>', ['%user_name' => $user->getAccountName()]);
+      }
+
+      $form['message'] = ['#markup' => $message];
+      break;
   }
 }
 

src/Controller/PasswordlessUserController.php

@@ -2,93 +2,26 @@
 
 namespace Drupal\passwordless\Controller;
 
-use Drupal\Core\Url;
+use Drupal\Core\Messenger\MessengerInterface;
 use Drupal\user\Controller\UserController;
 use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 
 /**
- * Controller routines for Passwordless routes.
+ * Overrides core's UserController methods.
  */
 class PasswordlessUserController extends UserController {
 
   /**
-   * {@inheritdoc}
+   * {@inheritDoc}
    */
-  public function resetPass(Request $request, $uid, $timestamp, $hash) {
-    $account = $this->currentUser();
-    $config = $this->config('user.settings');
-    // When processing the one-time login link, we have to make sure that a user
-    // isn't already logged in.
-    if ($account->isAuthenticated()) {
-      // The current user is already logged in.
-      if ($account->id() == $uid) {
-        $this->messenger()
-          ->addMessage($this->t('You are logged in as %user.', ['%user' => $account->getDisplayName()]));
-      }
-      // A different user is already logged in on the computer.
-      else {
-        /** @var \Drupal\user\UserInterface $reset_link_user */
-        if ($reset_link_user = $this->userStorage->load($uid)) {
-          $this->messenger()
-            ->addMessage($this->t('Another user (%other_user) is already logged into the site on this computer, but you tried to use a one-time link for user %resetting_user. Please <a href=":logout">log out</a> and try using the link again.',
-              [
-                '%other_user' => $account->getDisplayName(),
-                '%resetting_user' => $reset_link_user->getDisplayName(),
-                ':logout' => Url::fromRoute('user.logout')->toString(),
-              ]), 'warning');
-        }
-        else {
-          // Invalid one-time link specifies an unknown user.
-          $this->messenger()
-            ->addMessage($this->t('The one-time login link you clicked is invalid.'), 'error');
-        }
-      }
-      return $this->redirect('<front>');
-    }
-    else {
-      // The current user is not logged in, so check the parameters.
-      // Time out, in seconds, until login URL expires.
-      $timeout = $config->get('password_reset_timeout');
-      $current = \Drupal::time()->getRequestTime();
-      /* @var \Drupal\user\UserInterface $user */
-      $user = $this->userStorage->load($uid);
-      // Verify that the user exists and is active.
-      if ($user && $user->isActive()) {
-        // No time out for first time login.
-        if ($user->getLastLoginTime() && $current - $timestamp > $timeout) {
-          $this->messenger()
-            ->addMessage($this->t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'warning');
-          return $this->redirect('user.page');
-        }
-        elseif ($user->isAuthenticated() && ($timestamp >= $user->getLastLoginTime()) && ($timestamp <= $current) && ($hash === user_pass_rehash($user, $timestamp))) {
-          $expiration_date = $user->getLastLoginTime() ? $this->dateFormatter->format($timestamp + $timeout) : NULL;
-
-          /** @see Drupal\user\Form\UserController::resetPassLogin */
-          user_login_finalize($user);
-          $this->logger->notice('User %name used one-time login link at time %timestamp.', [
-            '%name' => $user->getDisplayName(),
-            '%timestamp' => $timestamp,
-          ]);
-          $this->messenger()
-            ->addMessage($this->t('You have just used your one-time login link.'));
-          $user->pass = sha1(\Drupal::service('password_generator')->generate());
-          $user->save();
-          $route_name = 'user.page';
-          $route_parameters = [];
-          \Drupal::moduleHandler()
-            ->alter('passwordless_login_redirect', $route_name, $route_parameters);
-          return $this->redirect($route_name, $route_parameters);
-        }
-        else {
-          $this->messenger()
-            ->addMessage($this->t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'), 'warning');
-          return $this->redirect('user.page');
-        }
-      }
-    }
-    // Blocked or invalid user ID, so deny access. The parameters will be in the
-    // watchdog's URL for the administrator to check.
-    throw new AccessDeniedHttpException();
+  public function resetPassLogin($uid, $timestamp, $hash, Request $request) {
+    $redirect = parent::resetPassLogin($uid, $timestamp, $hash, $request);
+    // This is pretty safe, since at this point there shouldn't be any other
+    // status messages.
+    $this->messenger()->deleteByType(MessengerInterface::TYPE_STATUS);
+    // We don't want to tell the user to set their password.
+    $this->messenger()->addStatus($this->t('You have just used your one-time login link. It is no longer necessary to use this link to log in.'));
+    return $redirect;
   }
-}
+
\ No newline at end of file
+}

src/Routing/RouteSubscriber.php

@@ -22,11 +22,11 @@ class RouteSubscriber extends RouteSubscriberBase {
       $route->setDefaults(['_controller' => '\Drupal\passwordless\Controller\PasswordlessController::redirectUserPassPage']);
     }
 
-    if ($route = $collection->get('user.reset')) {
+    if ($route = $collection->get('user.reset.login')) {
       $route->setDefaults([
-        '_controller' => '\Drupal\passwordless\Controller\PasswordlessUserController::resetPass',
-        '_title' => 'Log-in',
+        '_controller' => '\Drupal\passwordless\Controller\PasswordlessUserController::resetPassLogin',
       ]);
     }
   }
-}
+
\ No newline at end of file
+}