Add WebAuthn 2FA in UI #2108
Add WebAuthn 2FA in UI #2108
Conversation
Also, use `disable_with` in the 'Register a new credential' button
config/routes.rb
Outdated
|
|
||
| resources :webauthn_credentials, only: %i[index create destroy] do | ||
| collection do | ||
| get :create_options |
There was a problem hiding this comment.
get :create_options route is not protected against CSRF. Consider if this should use post instead to gain CSRF protection.
There was a problem hiding this comment.
This action is not a state-changing action.
We renamed it, create_options was a bit confusing.
config/routes.rb
Outdated
| @@ -169,6 +176,10 @@ | |||
|
|
|||
| resource :session, only: %i[create destroy] do | |||
| post 'mfa_create', to: 'sessions#mfa_create', as: :mfa_create | |||
| collection do | |||
| get :webauthn_authentication_options, constraints: { format: :json }, defaults: { format: :json } | |||
There was a problem hiding this comment.
Consider altering the :webauthn_authentication_options route to use post instead of get to take advantage of Rails' CSRF protection.
There was a problem hiding this comment.
Was coded as a GET because not a state-changing action.
WebAuthn code that isn't realted to the UI is now on two controllers under 'internal'. This fixes two failing tests regarding UI routes.
|
Would any of the new WebAuthn routes need throttling to mitigate brute force attacks? |
Use 'security key' instead of 'credential'. Also, add missing translations on languages other than english (fixes failing test)
Avoid getting mixed with top-level default params
| <%= render "sessions/webauthn_prompt" %> | ||
| <% end %> | ||
|
|
||
| <%= render "sessions/otp_prompt" %> |
There was a problem hiding this comment.
Can we please this a horizontal split? vertical looks clunky. l-half--l and l-half--r may be helpful.
| @@ -16,6 +16,8 @@ de: | |||
| please_sign_in: | |||
| otp_incorrect: | |||
| otp_missing: | |||
| use_key: Sign in with Security Key | |||
There was a problem hiding this comment.
Just add keys (empty value) for non-english locales.
| @@ -102,6 +102,8 @@ | |||
| </div> | |||
| <%= submit_tag t('.mfa.update'), :class => 'form__submit' %> | |||
| <% end %> | |||
|
|
|||
| <h2><%= link_to t('webauthn_credentials.index.title'), webauthn_credentials_path %></h2> | |||
There was a problem hiding this comment.
As this stands, the user can only add webauth security keys after they have registered a TOTP authenticator device. I am not sure I understand this requirement. Shouldn't the user be able to enable mfa and only register webauth keys?
|
Please add a section in CONTRIBUTING.md (or a new doc page) for steps to tests this locally. I was able to use https://github.com/google/virtual-authenticators-tab but it would nice to have this or perhaps an alternate method documented where we may not have to purchase a yubikey. We will also need guides (for users) similar to https://guides.rubygems.org/setting-up-multifactor-authentication/ |
| @user = current_user | ||
| end | ||
|
|
||
| def destroy |
There was a problem hiding this comment.
Is it acceptable to allow users to delete the key without verifying that they have access to the key?
| @@ -218,6 +224,26 @@ def otp_verified?(otp) | |||
| save!(validate: false) | |||
| end | |||
|
|
|||
| def webauthn_verified?(current_challenge, webauthn_credential) | |||
There was a problem hiding this comment.
I am not sure I understand why this method is in User model. Would it be better if we asked WebauthnCredential object if it was valid/verified? Do we want to ensure that webauthn_credential belongs to the user?
|
Closing this in favour of #2865 |
First stab at #1948 in collaboration with @padulafacundo.
Prototype adding experimental support for WebAuthn as a 2nd factor.
Goal of this first prototype is to have a working solution that can be tested by rubygems.org and community developers to get early feedback and start the discussion.
What it does
Pending:
webauthngemwebauthngem released version, notmaster(after gem release)Follow up items: