Page MenuHomePhabricator
Create Task
Maniphest T303495

Merge WebAuthn extension into OATHAuth
Open, LowPublic
Actions

Assigned To
None
Authored By
Legoktm
Mar 10 2022, 4:10 AM
Tags
Referenced Files
None
Subscribers
Aklapper
alistair3149
Legoktm
Nikerabbit
Reedy
Tgr
Tokens
"Love" token, awarded by taavi."Love" token, awarded by alistair3149."Love" token, awarded by Krinkle.

Description

OATHAuth provides the infrastructure for 2FA support, and contains a TOTP code-based module provider. It's also bundled with the tarball. WebAuthn extends upon that by adding a provider for Yubikeys and similar devices.

It would be easier to make changes to OATHAuth if all the code was contained in the same Git repository. Also these days WebAuthn is an well-known standard and for 2FA purposes, using security keys is generally expected as an addition to TOTP. It would be good if we could ship both with minimal setup.

Given that we do want to bundle WebAuthn (T258007: Bundle WebAuthn extension with MediaWiki), merging would be another way to get to that goal.

The main blocker is the current WebAuthn library depends on the gmp extension, which the tarball currently doesn't. That dependency should be removed or be made a core dependency.

Related Objects

Event Timeline

Legoktm triaged this task as Low priority.Mar 10 2022, 4:10 AM
Legoktm created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 10 2022, 4:10 AM
Legoktm mentioned this in T258007: Bundle WebAuthn extension with MediaWiki.Mar 10 2022, 4:11 AM
Legoktm mentioned this in T303404: ArgumentCountError: Too few arguments to function MediaWiki\Extension\OATHAuth\OATHUserRepository::remove(), 2 passed in /srv/mediawiki/php-1.38.0-wmf.25/extensions/WebAuthn/src/HTMLForm/WebAuthnDisableForm.php on line 114 and exactly 3 expected.
Nikerabbit subscribed.Mar 10 2022, 6:58 AM
Reedy subscribed.Mar 10 2022, 1:19 PM

The main blocker is the current WebAuthn library depends on the gmp extension, which the tarball currently doesn't. That dependency should be removed or be made a core dependency.

Unless I'm missing something, it doesn't actually.

A few of the dependencies in require have ext-bcmath and/or ext-gmp in suggest... And that is only for performance reasons, suggesting there's fallbacks in most (all?) of them

Krinkle awarded a token.Mar 10 2022, 6:01 PM
alistair3149 awarded a token.Nov 22 2022, 6:47 AM
alistair3149 subscribed.
Tgr subscribed.Dec 21 2022, 11:00 PM

They both provide secondary authenication factors, and quite different ones. Conceptually there shouldn't be much reason to merge. If one depends on the other, that might be a sign that the common piece of functionality should be in core?

Legoktm added a comment.Jan 31 2023, 3:53 PM
In T303495#8485761, @Tgr wrote:

They both provide secondary authenication factors, and quite different ones. Conceptually there shouldn't be much reason to merge.

Indeed, it's mostly for practical reasons:

  • Easier to refactor OATHAuth if all the code was in one Git repository
  • Easier for sysadmins to enable 2FA support on their wiki if it's just one extension rather than two

If one depends on the other, that might be a sign that the common piece of functionality should be in core?

Maybe... 🤔

Reedy added a comment.Jan 31 2023, 8:36 PM

FWIW, the main reason it was split originally was it required newer PHP version than WMF had at the time, so it was easier to split it and allow development in a seperate (non deployed, at the time) repo...

Tgr mentioned this in T348206: Improve logging, monitoring and test coverage for MediaWiki Platform team authentication extensions.Oct 23 2023, 2:09 AM
taavi awarded a token.Dec 25 2023, 12:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL