
Extension request: WebAuthn
Closed, Resolved (Public)

Description

WebAuthn is a way to authenticate on the Web based on asymmetric cryptography. At a high level, it's intended to be used with hardware authenticators on the client, which hold the private key for an account and authenticate the client in their own way before proceeding with the log-in process.

Extension:WebAuthn, an extension used by Wikimedia, implements this in MediaWiki as an optional 2FA option, alongside the currently-used TOTP.

Event Timeline

OrangeStar triaged this task as Normal priority. Apr 5 2023, 18:53
OrangeStar created this task.
MacFan4000 subscribed.

As this extension is used on WMF wikis it is exempt from security review.

@MacFan4000 It hasn't necessarily been approved yet; it remains to be decided whether or not it will be implemented as it relates to 2FA.

Well if it's up to a vote this gets a +1000 from me.

If this is approved I'm happy to install today or tomorrow.

I personally don't see any issue that would prevent us from implementing this if it is wanted.

It seems to supplement OATHAuth, so there shouldn't be any issue there, though perhaps for now we can restrict it to Meta only to test it out if desired, as it's in a beta status.

BrandonWM moved this task from Long Term to Short Term on the BrandonWM board.

Will proceed with install then.

PR (MW): https://github.com/miraheze/mediawiki/pull/14365
PR (Conf.): https://github.com/miraheze/mw-config/pull/5183

@Reception123 Does this need an + to ManageWikiExtensions or will it be enabled globally?

I don't see why an authentication method would be on a wiki-to-wiki basis

That's what I was assuming, I just wasn't positive on how local vs global extensions are configured.

Ah, so that's an addition to GlobalExtensions.php

@OrangeStar If you're able to push PRs in MediaWiki and mw-config repos today, this should be done.

It's taking time to merge it because I don't have a FIDO2 key yet (will get mine SoonTM, sometime next week), and in my experience the soft tokens that Firefox offers for development barely work, so it's not like I could test it if installed. As I'll have my key next week, I expect to install the extension next week too.

I have a Yubikey now, so I'll proceed with installing the extension and testing it, fingers crossed.

Seems like it didn't work, the extension's i18n messages aren't loading, and there's an error in the API when registering keys.

[c919f48a05d94a77cef39b6d] Caught exception of type Error

@Reception123 ^ what does the stack trace say?

Class 'Webauthn\PublicKeyCredentialRpEntity' not found
from /srv/mediawiki/w/extensions/WebAuthn/src/Authenticator.php(424)
#0 /srv/mediawiki/w/extensions/WebAuthn/src/Authenticator.php(261): MediaWiki\Extension\WebAuthn\Authenticator->getRegisterInfo()
#1 /srv/mediawiki/w/extensions/WebAuthn/src/Api/WebAuthn.php(223): MediaWiki\Extension\WebAuthn\Authenticator->startRegistration()
#2 [internal function]: MediaWiki\Extension\WebAuthn\Api\WebAuthn->getRegisterInfo(array)
#3 /srv/mediawiki/w/extensions/WebAuthn/src/Api/WebAuthn.php(52): call_user_func_array(array, array)
#4 /srv/mediawiki/w/includes/api/ApiMain.php(1900): MediaWiki\Extension\WebAuthn\Api\WebAuthn->execute()
#5 /srv/mediawiki/w/includes/api/ApiMain.php(875): ApiMain->executeAction()
#6 /srv/mediawiki/w/includes/api/ApiMain.php(846): ApiMain->executeActionWithErrorHandling()
#7 /srv/mediawiki/w/api.php(90): ApiMain->execute()
#8 /srv/mediawiki/w/api.php(45): wfApiMain()
#9 {main}

Maybe we need to run composer? The extension does say to do that.

i18n issues fixed by redeploying, however API errors when registering keys remain ([8bc0bcb740f6e78563458099] Caught exception of type Error). Maybe Puppet didn't run yet, though apparently it runs every 30 minutes. That class is from the web-auth/webauthn-lib composer package (https://github.com/web-auth/webauthn-lib/blob/v4.0/src/PublicKeyCredentialRpEntity.php), should be fixed once Puppet runs I guess. I'll try re-registering my key later on to see if anything changes, and if not I think we could try manually running Puppet on mw*.

That above error no longer happens, however when I attempt to add a key, I get internal_api_error_Error. There is nothing helpful in the logs.

We're sure this extension is compatible with Miraheze right?

> We're sure this extension is compatible with Miraheze right?

It is, we just have to get Composer running for this extension which I'm not having much luck at doing.

> That above error no longer happens, however when I attempt to add a key, I get internal_api_error_Error. There is nothing helpful in the logs.

Unfortunately it is the same error. You can get a stack trace via watching network requests on the developer tools after giving the key a nickname. I just tried right now and got [93a3e5b384e48f0e98b3c6d2] Caught exception of type Error.

This comment was removed by OrangeStar.

Maybe Composer doesn't run automatically, because it is only run at deploy time and expects that extensions be added to Composer at the same time as installation? I think if we redeploy world Composer will run. Maybe the solution here is the classic turn it off/turn it on.

Extension installed and working!
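
The failure traced in this thread (the extension's code was deployed, but its Composer dependency web-auth/webauthn-lib was not present until Composer ran) can be caught at deploy time rather than by a user registering a key. The following is an added example, not part of the original thread or of Miraheze's deployment tooling: a Python check that compares an extension's `composer.json` `require` section with `vendor/composer/installed.json`. Both JSON documents embedded below are constructed samples, and `example/some-lib` is a hypothetical package name.

```python
import json

def installed_names(installed_json: str) -> set:
    """Package names recorded in vendor/composer/installed.json.

    Composer 2 wraps the list in {"packages": [...]}; Composer 1 wrote a bare list.
    """
    data = json.loads(installed_json)
    packages = data["packages"] if isinstance(data, dict) else data
    return {p["name"].lower() for p in packages}

def missing_dependencies(extension_composer_json: str, installed_json: str) -> list:
    """Return required packages that are absent from the vendor directory.

    Platform requirements ("php", "ext-json", ...) have no vendor/ prefix and
    are never listed in installed.json, so they are skipped.
    Limitation (assumption of this sketch): packages satisfied only through
    another package's "replace"/"provide" are reported as missing.
    """
    require = json.loads(extension_composer_json).get("require", {})
    have = installed_names(installed_json)
    return sorted(n for n in require if "/" in n and n.lower() not in have)

# Constructed sample: an extension's composer.json (version constraints are placeholders).
EXTENSION_COMPOSER = json.dumps({
    "require": {"php": "*", "ext-json": "*", "web-auth/webauthn-lib": "*"}
})

# Constructed sample: vendor state before and after Composer has run for the extension.
INSTALLED_BEFORE = json.dumps({"packages": [{"name": "example/some-lib"}]})
INSTALLED_AFTER = json.dumps({"packages": [
    {"name": "example/some-lib"},
    {"name": "web-auth/webauthn-lib"},
]})

if __name__ == "__main__":
    for label, state in (("before", INSTALLED_BEFORE), ("after", INSTALLED_AFTER)):
        missing = missing_dependencies(EXTENSION_COMPOSER, state)
        print(label, "->", "OK" if not missing else "missing: " + ", ".join(missing))
```

Run against the real files as a deploy gate, a non-empty result means the extension would fail at runtime with a class-not-found error like the one in the stack trace above.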