Add poller to fetch WebAuthn OTP

[jenshenny]

What was the end-user or developer problem that led to this PR?

Fixes: rubygems/rubygems.org#3826
Discussed in the issue, we decided to rely on a polling solution for Safari users

RubyGems.org PR: rubygems/rubygems.org#3873

What is your fix for the problem, implemented in this PR?

If the user is using Safari, instead of redirecting the user to localhost after successful webauthn verification in the browser, we'll show the success page (since the auth on the browser was successful).

On the CLI, a poller is added that would poll /api/v1/webauthn_verification/<token>/status every 5 seconds.

Since we can't be sure which browser the user will be using (finding the default browser won't be fool proof since a user can paste the link into any browser), so we'll have a socket and poller thread open.

Whichever thread terminates successfully with the otp will be used. This is done via a loop checking the status of the two threads.

Make sure the following tasks are checked

• Describe the problem / feature
• Write tests for features and bug fixes
• Write code to solve the problem
• Make sure you follow the current code style and write meaningful commit messages without tags

Testing

• Use this RubyGems.org branch Add polling fallback to Safari browsers rubygems.org#3873
• Have a Webauthn credential associated with your user.
• Run RUBYGEMS_HOST=http://localhost:3000 ruby -Ilib exe/gem signin and webauthn verify using Safari

[jenshenny]

util_gem_signin was getting too gnarly to add fetcher data so I extracted a helper class to setup the fetcher. After writing the rest of the tests for the other commands, I'm intending to follow up with another refactor to have some sort of a universal child fetcher for webauthn verifications since they all stub the same requests.

[jenshenny]

Done in f49fb73

[jenshenny]

Is there a better way to terminate once the poller or the listener succeeds?

[jenshenny]

Thinking of extracting this logic out into a class as a follow up

[simi]

Why in followup?

[jenshenny]

Mostly to get the current functionality out as soon as possible and wanted to get people's thoughts on it. If you feel that extracting would be good to do in this PR, I can do that 👍

[jenshenny]

commit to extract the logic to a class 78a8b8a

I also moved the webauthn listener class to the gemcutter utilities namespace fd92d0d

[ericherscovich]

If polling works for both Safari and any other browser, why not just use the polling alone instead?

[jenshenny]

Good question, I toiled with this a bit. The original reason sockets were chosen was that the connection between the browser and the CLI cannot be phished + responses would be immediate. With polling, while very limited, there's still a risk that someone else can retrieve an OTP code if they have access to credentials + your unique link while also having up to a 5 second delay. With those reasons, I still think it would be worth to have polling as just a fallback.

[indirect]

Yeah, I agree that the socket is preferred, and if Safari ever lets us remove polling, we should.

[ericherscovich]

Is it perhaps worth adding a timeout on these threads where if they're left hanging for a couple minutes you kill the threads?

[jenshenny]

I have added a 5 minute timeout for the poller since we don't want to hit the API indefinitely https://github.com/Shopify/rubygems/blob/polling-safari-fallback/lib/rubygems/gemcutter_utilities/webauthn_poller.rb#L47

Once 5 min is up, that thread would terminate safely which would trigger the other threads to terminate as well. Let me know if you think it makes more sense to move the timeout to this loop instead.

[ericherscovich]

Is it worth adding a bit more context here? I.e., "Success. You can return back to your terminal."

[jenshenny]

The body isn't user facing but more of a status for the application to use to determine if verification was successful. Modifying the body would be a breaking change

https://github.com/rubygems/rubygems.org/blob/2f0f168e1a2bdd95cb7c548599fb498dfc48085c/app/assets/javascripts/webauthn.js#L138

[jenshenny]

Is there anything blocking this from moving forward? cc: @indirect @simi @segiddins

[indirect]

Nothing from me!

[simi]

@deivid-rodriguez is it safe in here to require JSON? I did some experiment and we can also vendor pure Ruby JSON if needed. It is possible to also use YAML in API, but I'm not sure that will make any difference in here.

[deivid-rodriguez]

My understanding is that this is only used for gem push, gem yank, and gem owner. If that's the case I think it's fine, at least for now, since there's no user code involved in these commands, so there should not be any conflicts.

[jenshenny]

Thanks folks for taking a look at this!

Hmm after rebasing, the tests appear to be a bit flaky now with the changes 🤔
https://github.com/rubygems/rubygems/actions/runs/5600005188/jobs/10241758022
https://github.com/rubygems/rubygems/actions/runs/5600328937/jobs/10242557190

Going to dig into this before this gets merged in.

[jenshenny]

So to deal with the possibly flaky nature of using real TCPServers to test the commands (signin, owner add/remove, yank), I created a mock server object to mock that logic. I say possibly flaky since running ruby-core on the same test seed passes + I couldn't find a way to reproduce the errors.

I think it's better to mock the server as we aren't testing the WebAuthn listener logic (which interacts the TCPServer instance) in those tests but more on the output (we are stubbing the result of the WebAuthn listener anyways). We are still using real TCPServer instances on the Webauthn Listener tests to test requests coming in and out of the socket as realistically as possible.

Let me know if you all think differently! Open to other suggestions.

[indirect]

That sounds like a totally reasonable approach to me. 👍🏻

[deivid-rodriguez]

Happy to merge and release this whenever needed 👍.

[jenshenny]

Thanks @deivid-rodriguez 🙌 I tested everything again and it all works well. If this can be a part of the next rubygems release, that would be perfect!