verification
This drupal module provides the foundation to implement verification for various operations (e.g. reset password, change email or passwordless logins) that a drupal user can do. That is done by having multiple VerificationProvider services verifying a request.
Motivation
In decoupled scenarious, some operations like updating a user email, resetting the password or cancelling a user account need additional verification as an additional security measure.
Additionally some operations must also be preceeded by a login, because the user might not be able to login (e.g. when performing a password reset). The verification must then be able to verify the login AND the operation (e.g. the password reset).
This module tries to solve this problem by providing the foundation for a sophisticated verification system.
Functionality
The Verification API revolves around having Tagged Services that implement the VerificationProviderInterface interface. The providers job is to verify a given request and return a VerificationResult.
Given that a login may preceed the actual operation, the verification is split into two parts:
- (optional) Verify if the verification method is eligible for a login
- Verify if the verification method is eligible for the operation
The verification method MUST be independendtly invalidated for login and the operation!
Therefore each provider must implement the verifyLogin and verifyOperation methods.
Note Each provider is responsible to invalidate the verification method once it has been used, and to implement appropriate security measures, like prohibiting brute force attacks!
The verification is strictly tied to the following aspects:
- Operation - A string describing what operation should be made
- User - The drupal user that the operation is performed on
- Email - If a different email address then the user's should be used
If these change between verification start and finish, the verification MUST fail.
Verification Providers
Here is a curated list of verification providers that utilize the Verification API:
If you want your verification provider listed, feel free to open an issue.
More information about the module can be found in the project readme:
> View Readme <