Add support for Web Authentication API

[MauricioFauth]

Adds a two factor authentication plugin that supports FIDO2/WebAuthn security keys.

The automatic migration from FIDO U2F to FIDO2 WebAuthn is not implemented yet.

• Fixes 2FA U2F FIDO - U2F API deprecating soon  #17229

Some of the functions in webauthn.js file are copied from the @web-auth/webauthn-helper Yarn package. I'll probably rewrite them to avoid installing this package or I'll install another package. It's basically for encoding and decoding base64url strings.

@williamdes, Do you have more than one security key? If you do, could you please test using a different key?

[codecov]

Codecov Report

Base: 48.58% // Head: 46.45% // Decreases project coverage by -2.13% ⚠️

Coverage data is based on head (fb62602) compared to base (0314730).
Patch coverage: 7.10% of modified lines in pull request are covered.

Additional details and impacted files

@@             Coverage Diff              @@
##             QA_5_2   #17972      +/-   ##
============================================
- Coverage     48.58%   46.45%   -2.14%     
- Complexity    16747    16808      +61     
============================================
  Files           602      603       +1     
  Lines         62308    71634    +9326     
============================================
+ Hits          30275    33278    +3003     
- Misses        32033    38356    +6323     

Flag	Coverage Δ
dbase-extension	47.19% <13.33%> (-0.02%)	⬇️
recode-extension	47.18% <13.33%> (-1.17%)	⬇️
unit-7.2-ubuntu-latest	47.20% <13.33%> (-0.03%)	⬇️
unit-7.3-ubuntu-latest	47.59% <7.40%> (-3.42%)	⬇️
unit-7.4-ubuntu-latest	47.60% <7.40%> (-3.41%)	⬇️
unit-8.0-ubuntu-latest	47.71% <6.87%> (-2.17%)	⬇️
unit-8.1-ubuntu-latest	47.68% <6.87%> (-2.20%)	⬇️
unit-8.2-ubuntu-latest	47.66% <6.87%> (-2.22%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...es/classes/Controllers/Export/ExportController.php	57.54% <0.00%> (+15.51%)	⬆️
libraries/classes/Export.php	6.36% <0.00%> (-0.19%)	⬇️
libraries/classes/Plugins/Export/ExportCsv.php	93.16% <0.00%> (-0.82%)	⬇️
libraries/classes/Plugins/Export/ExportLatex.php	95.15% <0.00%> (+0.06%)	⬆️
...braries/classes/Plugins/Export/ExportMediawiki.php	93.52% <0.00%> (-1.60%)	⬇️
libraries/classes/Plugins/Export/ExportOds.php	94.85% <0.00%> (+3.03%)	⬆️
libraries/classes/Plugins/Export/ExportOdt.php	95.44% <0.00%> (+6.24%)	⬆️
libraries/classes/Plugins/Export/ExportPdf.php	56.55% <0.00%> (-0.08%)	⬇️
...ibraries/classes/Plugins/Export/ExportPhparray.php	88.50% <0.00%> (-2.96%)	⬇️
libraries/classes/Plugins/Export/ExportSql.php	80.24% <0.00%> (+0.09%)	⬆️
... and 326 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[williamdes]

@williamdes, Do you have more than one security key? If you do, could you please test using a different key?

Yes, it's a recommendation. I will test using my two keys :)

[williamdes]

As it adds one more library and it costs a lot of maintenance for me, maybe we can pick the code or add the support on the actual library

[MauricioFauth]

What do you mean by pick the code?

[MauricioFauth]

I could try to write a simple implementation myself, to simplify the packaging, but we should add that package for master branch.

[williamdes]

This should also be for QA
We can maybe cherry pick or adapt the current library to handle webauthn

The cost of a new library to package in Debian is so high

If we can have only one library it would be awesome

[MauricioFauth]

This should also be for QA

I meant writing a simple implementation for QA to avoid needing to package, but requiring the third party package in master.

We can maybe cherry pick or adapt the current library to handle webauthn

The cost of a new library to package in Debian is so high

If we can have only one library it would be awesome

I'm not sure if I'm following you here. What do you mean by having only one library?

[williamdes]

Thank you, let me know
Reducing it to only one library is a good idea, whatever the lib is

That's okay if I packaged a lib for nothing
It's better if I know it now before debian freezes

[MauricioFauth]

When it will freeze?

[williamdes]

Start of 2023, I found this article https://www.linuxadictos.com/en/they-already-released-the-debian-12-bookworm-freeze-date.html
It was twitter or mailing list announced if you want to see the official dates

I am currently pending acceptation for slim psr7 to be able to package 5.2
Yeah here we are ^^

[MauricioFauth]

Is there another PSR-7 debian package? Use can use those instead.

[williamdes]

yes, niholm's but we depend on some cool things from slim

dont worry it should be accepted soon

[williamdes]

I configured my key using Firefox https and tried to use it on Brave http

TypeError: Cannot read properties of undefined (reading 'get')

This is because you need to do like the other implementation, prevent if HTTPS is not active. It does not work without as far as i know

[williamdes]

@williamdes, Do you have more than one security key? If you do, could you please test using a different key?

There is no way to add a second one in the preferences page :/ So I can not test it for now ;)

[MauricioFauth]

@williamdes, Do you have more than one security key? If you do, could you please test using a different key?

There is no way to add a second one in the preferences page :/ So I can not test it for now ;)

This is a phpMyAdmin's limitation. I meant test if using a different key to authenticate shows an error. Could you also test the custom server in #17989?

[MauricioFauth]

Closing this in favor of #17989.