
shy_one_time

312 sites Security covered

Introduction

When a one-time login link is requested (request new password or password forgotten function), the link often arrives by e-mail already invalidated.

This can be observed especially with applications from Microsoft, e.g. Outlook or Bing, but also with Gmail (possibly other services). The reason for this is that the link is crawled in advance by security tools before it is delivered via email. Malicious bots, crawlers or spiders can cause this problem in the same way.

The result is the following message, which is certainly familiar to some:

You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.

This module prevents the crawling of the one-time reset/login link; no separate configuration of the module is necessary. All add-on modules that access the one-time login logic of Drupal are supported.

Versions

Shy One Time 2.x

  • Reliably blocks crawlers and bots that are included in the CrawlerDetect library.
  • Additional user agents can be configured in the module to be blocked when a request is made via the user.reset route.
  • These bots are redirected via route user.login to the login form with status code 302. The reset/login link will not be invalidated.
  • A list of user agents that experience has shown may need to be blocked is maintained in issue #3373364.

Requirements

This module requires no modules outside of Drupal core, if the installation is performed via Composer.

Installation

It's recommended to install the module via Composer.

  • Install the Shy One-Time module as you would normally install a contributed Drupal module (further information).

Configuration

The module works out of the box. If no individual user agents are entered, only the CrawlerDetect library checks whether the access comes from a bot/crawler.

After installing the module, the configuration interface can be reached via the link /admin/config/system/shy_one_time. User agents that are unwanted and should be blocked are entered in the text field. Only ONE user agent may be inserted per line.

The format for custom user agents looks as follows, e.g.

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-us; rv:1.9.2.3) Gecko/20100401 YFF35 Firefox/3.6.3
Mozilla/5.0 Windows NT 10.0; Win64; x64 AppleWebKit/537.36 KHTML, like Gecko Chrome/65.0.3286.0 Safari/537.36 Rigor
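
The check described above, as an added example that is not the module's own code: a Drupal request subscriber that answers known crawlers on user.reset with a 302 to user.login, so the one-time link is never consumed. The example_shy namespace, the ResetLinkGuard class, the listener priority and the exact-match comparison for custom user agents are assumptions.

```php
<?php

namespace Drupal\example_shy\EventSubscriber; // hypothetical module name

use Drupal\Core\Url;
use Jaybizzle\CrawlerDetect\CrawlerDetect;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Turns known crawlers away from user.reset before the link is processed.
 *
 * Assumed to be registered as a service tagged "event_subscriber", with
 * $customAgents filled from the lines of the module's settings form.
 */
final class ResetLinkGuard implements EventSubscriberInterface {

  /** @param string[] $customAgents One full user agent string per entry. */
  public function __construct(private array $customAgents = []) {}

  public static function getSubscribedEvents(): array {
    // Priority 30 (assumption): after Symfony's router listener (32), so the
    // matched route name is available, and before the controller runs.
    return [KernelEvents::REQUEST => ['onRequest', 30]];
  }

  public function onRequest(RequestEvent $event): void {
    $request = $event->getRequest();
    if ($request->attributes->get('_route') !== 'user.reset') {
      return; // Only the one-time reset/login route is guarded.
    }
    $agent = trim((string) $request->headers->get('User-Agent', ''));
    // Custom entries are compared as whole strings (assumption); everything
    // else is left to CrawlerDetect's pattern list.
    $isBot = in_array($agent, $this->customAgents, TRUE)
      || (new CrawlerDetect())->isCrawler($agent);
    if ($isBot) {
      // Short-circuit: the reset controller never runs for this request,
      // so the link stays valid for the person who asked for it.
      $login = Url::fromRoute('user.login')->toString();
      $event->setResponse(new RedirectResponse($login, 302));
    }
  }

}
```

A check of this kind only stops clients whose user agent is on one of the two lists; a scanner that presents an unlisted browser string passes through until its user agent is added.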

Note

From now on, all requests made via the route user.reset will be logged in the dblog. If a login does not work, it is possible to quickly check which user agent is involved and transfer it to the check routine.

Note

It especially affects modules that offer login by only email, e.g.:

If these modules are used, only a single valid login link is sent. If that link is invalidated, logging in to the system is not possible. In a plain Drupal installation, without additional modules that change the login behavior, Shy One-Time should be used only if necessary.

Further information on the problem

This module uses 'CrawlerDetect', a PHP class for detecting bots/crawlers/spiders via the user agent and http_from header. It can currently detect thousands of bots/spiders/crawlers (further information).

Sponsors

Development on Shy One Time is sponsored and tested by TRENDKRAFT.

Activity

  • Total releases: 1
  • First release: Feb 2026
  • Latest release: 2 months ago
  • Release cadence
  • Stability: 100% stable

Releases

Version Type Release date
2.0.4 Stable Feb 10, 2026