Problem/Motivation
User accounts that rely solely on basic_auth for authentication will be locked out after an upgrade to Drupal 10.1.x.
The issue is caused by the new password hashing algorithm (https://www.drupal.org/node/3322420).
basic_auth does not appear to re-hash the user password in the same way a UI login would, resulting in the user being locked out.
This is especially concerning as many accounts using basic_auth will be automated json_api processes where a failure may not be immediately obvious. Accounts may end up in the flood table.
Steps to reproduce
- Set up a basic_auth user on a Drupal core 10.0.x site
- Upgrade from Drupal core 10.0.x to 10.1.x
- Attempt to authenticate using basic auth
- See failure to authenticate
Proposed resolution
Accounts authenticating using basic_auth should have their passwords re-hashed in the same way that users logging in via the UI do as documented in https://www.drupal.org/node/3322420.
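
The sketch below is an added illustration of the proposed resolution, not Drupal core or basic_auth code: a single verify-and-rehash routine that an HTTP Basic request goes through just as a form login would. The function names, the in-memory account store and the bcrypt cost values are assumptions made for the example; the low cost stands in for a hash created under the old algorithm.

```php
<?php
// Added illustration, not Drupal code. All names below are hypothetical.

// Constructed account store: username => stored hash. The low bcrypt cost
// stands in for a hash created before the hashing settings changed.
$accounts = ['api_bot' => password_hash('s3cret', PASSWORD_BCRYPT, ['cost' => 4])];

// Settings that newly written hashes must use (assumed values).
const CURRENT_OPTIONS = ['cost' => 10];

/**
 * Verifies a password and upgrades the stored hash when it is outdated.
 * Every entry point (login form, HTTP Basic) calls this one function.
 */
function authenticate(array &$accounts, string $name, string $password): bool {
  if (!isset($accounts[$name]) || !password_verify($password, $accounts[$name])) {
    return false;
  }
  // The plaintext is only available at this point, so this is the only
  // place where an outdated hash can be replaced.
  if (password_needs_rehash($accounts[$name], PASSWORD_BCRYPT, CURRENT_OPTIONS)) {
    $accounts[$name] = password_hash($password, PASSWORD_BCRYPT, CURRENT_OPTIONS);
  }
  return true;
}

/**
 * Parses an "Authorization: Basic ..." header value into [name, password].
 */
function parse_basic_header(string $header): ?array {
  if (!preg_match('/^Basic\s+(\S+)$/i', $header, $m)) {
    return null;
  }
  $decoded = base64_decode($m[1], true);
  if ($decoded === false || !str_contains($decoded, ':')) {
    return null;
  }
  // The password may itself contain ':'; split on the first one only.
  return explode(':', $decoded, 2);
}

// Constructed request from an automated client.
$header = 'Basic ' . base64_encode('api_bot:s3cret');
[$name, $pass] = parse_basic_header($header);
$before = password_get_info($accounts[$name])['options']['cost'];
$ok = authenticate($accounts, $name, $pass);
$after = password_get_info($accounts[$name])['options']['cost'];
printf("authenticated=%s cost %d -> %d\n", $ok ? 'yes' : 'no', $before, $after);
```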