
Merge WebAuthn extension into OATHAuth
Open, LowPublic

Assigned To
None
Authored By
Legoktm
Mar 10 2022, 4:10 AM
Referenced Files
None

Description

OATHAuth provides the infrastructure for 2FA support, and contains a TOTP code-based module provider. It's also bundled with the tarball. WebAuthn extends upon that by adding a provider for Yubikeys and similar devices.

It would be easier to make changes to OATHAuth if all the code was contained in the same Git repository. Also these days WebAuthn is a well-known standard and for 2FA purposes, using security keys is generally expected as an addition to TOTP. It would be good if we could ship both with minimal setup.

Given that we do want to bundle WebAuthn (T258007: Bundle WebAuthn extension with MediaWiki), merging would be another way to get to that goal.

The main blocker is the current WebAuthn library depends on the gmp extension, which the tarball currently doesn't. That dependency should be removed or be made a core dependency.

Event Timeline

Legoktm created this task.

The main blocker is the current WebAuthn library depends on the gmp extension, which the tarball currently doesn't. That dependency should be removed or be made a core dependency.

Unless I'm missing something, it doesn't actually.

A few of the dependencies in require have ext-bcmath and/or ext-gmp in suggest... And that is only for performance reasons, suggesting there are fallbacks in most (all?) of them
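The distinction drawn in this comment (a PHP extension listed under a package's `require` is a hard dependency, one listed only under `suggest` is an optional accelerator with a fallback) can be checked mechanically across a whole Composer dependency tree rather than by reading each package by hand. The following script is an added example written for this task page; it is not code from the WebAuthn or OATHAuth extensions. The package names and the embedded composer.json/composer.lock fragments are constructed sample data, not the real WebAuthn dependency tree.

```python
import json

# Constructed sample data (hypothetical package names, not the real WebAuthn
# extension's dependency tree): a root composer.json plus two composer.lock
# variants, one where ext-gmp is only suggested and one where a package
# hard-requires it.
SAMPLE_ROOT = {
    "name": "example/webauthn-extension",
    "require": {"php": ">=7.4", "example/webauthn-lib": "^1.0"},
}

SAMPLE_LOCK_OPTIONAL = {
    "packages": [
        {
            "name": "example/webauthn-lib",
            "require": {"php": ">=7.4", "ext-json": "*", "example/bigint": "^2.0"},
            "suggest": {"ext-gmp": "Faster big-integer arithmetic"},
        },
        {
            "name": "example/bigint",
            "require": {"php": ">=7.4"},
            "suggest": {"ext-gmp": "Speeds up arithmetic", "ext-bcmath": "Fallback backend"},
        },
    ],
    "packages-dev": [],
}

# Same tree plus one package that puts ext-gmp in `require`, which would make
# the extension a hard requirement for the tarball.
SAMPLE_LOCK_HARD = {
    "packages": SAMPLE_LOCK_OPTIONAL["packages"]
    + [{"name": "example/ecc-strict", "require": {"ext-gmp": "*"}}],
    "packages-dev": [],
}


def classify_extension(root: dict, lock: dict, ext: str, include_dev: bool = False) -> dict:
    """Classify every package's relationship to a PHP extension such as "ext-gmp".

    Returns {"hard": [...], "optional": [...]}: "hard" lists packages (or
    "<root>" for the project's own composer.json) that put the extension in
    `require`; "optional" lists those that only put it in `suggest`.
    """
    hard, optional = [], []
    entries = [("<root>", root)] + [(p["name"], p) for p in lock.get("packages", [])]
    if include_dev:
        entries += [(p["name"], p) for p in lock.get("packages-dev", [])]
    for name, pkg in entries:
        if ext in pkg.get("require", {}):
            hard.append(name)
        elif ext in pkg.get("suggest", {}):
            optional.append(name)
    return {"hard": hard, "optional": optional}


def verdict(root: dict, lock: dict, ext: str, include_dev: bool = False) -> str:
    """Summarise the tree: "required", "optional" or "unused" for the extension."""
    found = classify_extension(root, lock, ext, include_dev)
    if found["hard"]:
        return "required"
    if found["optional"]:
        return "optional"
    return "unused"


def check_files(root_path: str, lock_path: str, ext: str = "ext-gmp") -> str:
    """Run the same check against real composer.json / composer.lock files on disk."""
    with open(root_path, encoding="utf-8") as fh:
        root = json.load(fh)
    with open(lock_path, encoding="utf-8") as fh:
        lock = json.load(fh)
    return verdict(root, lock, ext)


if __name__ == "__main__":
    for label, lock in (("suggest-only tree", SAMPLE_LOCK_OPTIONAL), ("hard-require tree", SAMPLE_LOCK_HARD)):
        print(label, "->", verdict(SAMPLE_ROOT, lock, "ext-gmp"), classify_extension(SAMPLE_ROOT, lock, "ext-gmp"))
```

Run `check_files("composer.json", "composer.lock")` from an extension's checkout to get the verdict for the real tree. A `suggest`-only result is necessary but not sufficient: a library can still branch on `extension_loaded('gmp')` at runtime and fail without a fallback, so the conclusive check is running the library's test suite on a PHP build without the extension loaded.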

They both provide secondary authentication factors, and quite different ones. Conceptually there shouldn't be much reason to merge. If one depends on the other, that might be a sign that the common piece of functionality should be in core?

They both provide secondary authentication factors, and quite different ones. Conceptually there shouldn't be much reason to merge.

Indeed, it's mostly for practical reasons:

  • Easier to refactor OATHAuth if all the code was in one Git repository
  • Easier for sysadmins to enable 2FA support on their wiki if it's just one extension rather than two

If one depends on the other, that might be a sign that the common piece of functionality should be in core?

Maybe... 🤔

FWIW, the main reason it was split originally was it required a newer PHP version than WMF had at the time, so it was easier to split it and allow development in a separate (non-deployed, at the time) repo...