Page MenuHomePhabricator

Support asynchronous reauthentication
Open, MediumPublic


WebAuthn / T100373: WebAuthn (U2F) integration for Extension:OATHAuth enables authentication methods which don't really involve the browser (tap the hardware key, touch the fingerprinte reader, or just let the camera scan your face). There are other lightweight authentication options as well (e.g. once we have the infrastructure for push notification, we could provide functionaries with a browser extension that receives a push message and shows a little verification dialog). Instead of the very intrusive web redirects we are currently doing for reauthenticaion, we should support asynchronous reuath.

I am using the term "asynchronous" here loosely - this could be a popup window, a small warning bar at the top of the wiki page, a lock overlay on the submit button that you remove before submitting the form etc. The reauth process would happen via an AJAX request, without navigating away. If the reauthentication expires, the popup/lock/whatever would be shown again via Javascript. (Of course, this mainly makes sense on forms, where it's OK to display the form even if the user has not reauthenticated yet, but not OK to process the form submission. For sensitive non-form-based pages like Checkuser this is less straightforward, but could be still useful.) This would make the user experience much more pleasant (no unexpected redirections, no lost form data) and business logic less coupled to authentication (specifically, forms would not have to deal with faking POST data on reauth).

Internally, this would require:

  • A way to get the elevated security expiry time, so the client-side logic can trigger a new async reauth when needed. (This would be a trivial change, except that the SecuritySensitiveOperationStatus hook might need to signal that the expiry time is not actually relevant, might want to change the expiry time etc.)
  • An API to do the reauthentication. There doesn't seem to be any reason why the already existing clientlogin API could not be it. (Also, a poor man's version could be just opening the login page in a separate window/tab, no API needed.)
  • Some Javascript module for handling the client-side logic - display the need, handle the user interaction (if it's needed at all - e.g. with WebAuthn it's just a Javascript call, and everything else is done outside the browser), set up a timer to reauth when the elevated security expires.
  • Either the module would have to be able to update form tokens, or the auth framework should avoid resetting form tokens when extending an elevated-security period (reauthenticating with some security level while that security level is already active).