Skip to content

2FA (Webauthn) #5795

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 84 commits into from
Jun 17, 2019
Merged

2FA (Webauthn) #5795

merged 84 commits into from
Jun 17, 2019

Conversation

woodruffw
Copy link
Member

@woodruffw woodruffw commented May 6, 2019
edited
Loading

Begins work on Webauthn as a supported 2FA method.

TODO:

  • Fill out the utils.webauthn helper methods
  • Link the helpers up to the Webauthn model via IUserService
  • Frontend integration (navigator.credentials)
  • Provisioning, removing, authentication with security keys
  • Allow multiple security keys
  • Unit tests

cc @brainwane @nlhkabu @di @ewdurbin @dstufft

@woodruffw woodruffw mentioned this pull request May 6, 2019
Merged
dstufft
dstufft reviewed May 6, 2019
View reviewed changes
woodruffw
woodruffw commented May 14, 2019
View reviewed changes
@brainwane brainwane mentioned this pull request May 16, 2019
Closed
@brainwane brainwane added this to the OTF Security work milestone May 16, 2019
woodruffw
woodruffw commented May 16, 2019
View reviewed changes
woodruffw
woodruffw commented May 16, 2019
View reviewed changes
@nlhkabu nlhkabu mentioned this pull request May 19, 2019
Closed
@woodruffw woodruffw mentioned this pull request May 24, 2019
Merged
@woodruffw woodruffw mentioned this pull request Jun 3, 2019
Closed
@woodruffw woodruffw changed the title [WIP] 2FA (Webauthn) 2FA (Webauthn) Jun 3, 2019
@woodruffw
Copy link
Member Author

Hey @brainwane @di @dstufft @ewdurbin -- this should be good for a review!

We're still waiting on duo-labs/py_webauthn#41 for multiple WebAuthn credential support; we can either push forwards with this PR and begin a new one for multiple credentials, or wait on that (and begin another task) while they cut a release. Thoughts?

@di
Copy link
Member

di commented Jun 3, 2019

I think I'd prefer to merge this for support w/ multiple credentials if the Duo team's timeline is compatible with ours.

@mschwager, is there anything you can do to help us resolve duo-labs/py_webauthn#41?

@ewdurbin
Copy link
Member

ewdurbin commented Jun 3, 2019
edited
Loading

This seems functionally excellent.

Looks like we still need to sort out:

  • Two skipped tests Edit: looks like I was viewing outdated comments
  • Design concern on the TOTP vs WebAuthn forms/routes
  • UX/UI @nlhkabu will you have time to review?
  • Multiple registered devices, blocked on webauthn release

woodruffw added 16 commits June 4, 2019 10:26
@woodruffw
warehouse: Initial Webauthn model, relationship
8e47b68
@woodruffw
models: Remove unused properties
cfbc1a3
@woodruffw
requirements: webauthn
623f3da
@woodruffw
warehouse: WIP webauthn utilities
df1519d
@woodruffw
warehouse: Add more view/route/template structure
86100cc
@woodruffw
warehouse: WebAuthn provisioning groundwork
fc44a1b 
Adds requisite view behavior, client-side handling,
templates, interfaces, and services.

Still incomplete.
@woodruffw
warehouse: Functional WebAuthn provisioning and deprovisioning
172dfc7
@woodruffw
warehouse: Provisioning splashes
215aab2
@woodruffw
warehouse: WebAuthn mixin, refactor JS
c2b5a57 
Initial login work.
@woodruffw
warehouse: Implicit lambda
15a5bf9
@woodruffw
warehouse: More login work
ca4a1a5 
Adds the client-side JS needed for login, some of the
form validation, some of the views, some of the services.
@woodruffw
warehouse: Functional WebAuthn authentication
14a65c8
@woodruffw
migrations: Rebase migration
9a0b2a9
@woodruffw
warehouse: Fix TOTP login, add redirection to WebAutnn
a004189
@woodruffw
warehouse: Simplify 2FA data retrieval during login
2691825 
Set cookie properly on WebAuthn login.
@woodruffw
warehouse: Update service interface, autoformatting
9d6b68a
woodruffw
woodruffw commented Jun 10, 2019
View reviewed changes
woodruffw
woodruffw commented Jun 10, 2019
View reviewed changes
@nlhkabu
Copy link
Contributor

nlhkabu commented Jun 13, 2019
edited
Loading

@woodruffw I've now updated the UI:

No 2fa

Screenshot from 2019-06-13 06-33-12

2fa by TOTP only

Screenshot from 2019-06-13 06-34-06

Single security key

Screenshot from 2019-06-13 06-35-12

Multiple security keys

Screenshot from 2019-06-13 06-56-46

Add key page

Screenshot from 2019-06-13 06-44-38

Remove key modal

Screenshot from 2019-06-13 06-38-01

@nlhkabu
Copy link
Contributor

nlhkabu commented Jun 13, 2019

@woodruffw it seems I've broken the remove modal - when trying to remove a key, I am getting a 404 error. I can't work out how to fix it - could you please look into this?

@woodruffw
Copy link
Member Author

Sure, I'll take a look in a moment.

ewdurbin
ewdurbin approved these changes Jun 13, 2019
View reviewed changes
Copy link
Member

@ewdurbin ewdurbin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once we get the signing counter issues sorted, this looks 💯 to me.

@ewdurbin ewdurbin merged commit 59ab1f2 into pypi:master Jun 17, 2019
@woodruffw woodruffw deleted the tob-webauthn branch June 17, 2019 15:13
@brainwane brainwane mentioned this pull request Jun 18, 2019
Open
merwok
merwok reviewed Jul 23, 2019
View reviewed changes
warehouse/templates/pages/help.html
@@ -83,6 +84,7 @@ <h2><a href="#my-account">My Account</a></h2>
<li><a href="#compromised-password">{{ compromised_password() }}</a></li>
<li><a href="#2fa">{{ twoFA() }}</a></li>
<li><a href="#totp">{{ totp() }}</a></li>
<li><a href="#utfkey">{{ utfkey() }}</a></li>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did a double-take at utf 🙂
IIUC this is about U2F keys, not Unicode’s UTF, right?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is about U2F keys and not Unicode's UTF; the T stands for "two". I'm ok with this since it's just an anchor tag, but if you want to change it I figure a PR would be pretty easy!

@justinmayer justinmayer mentioned this pull request Aug 16, 2019
Open
@ewdurbin ewdurbin mentioned this pull request May 31, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dstufft dstufft dstufft left review comments

@merwok merwok merwok left review comments

@brainwane brainwane brainwane left review comments

@gbdlin gbdlin gbdlin left review comments

@ewdurbin ewdurbin ewdurbin approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
OTF Security work
Development

Successfully merging this pull request may close these issues.
9 participants
@woodruffw @di @ewdurbin @brainwane @nlhkabu @alex @dstufft @merwok @gbdlin