Submitted a patch with the proposed fix
Mon, Jan 27
Tue, Jan 21
Mon, Jan 20
Dec 20 2019
Nov 9 2019
Great! Yes, probably all DB access should go through OATHAuth, especially since this is just reading all keys. I will commit a patch for that in the following days
Nov 8 2019
Thank you, I got in.
I would like to know if this line is executed or not
I guess I would need to put some debugging statement in there
I managed to log into bastion-eqiad1-01, is that the right server? How do I get to WebAuthn from there?
Can you please provide me with the shell access?
I debugged locally the whole path of authentication and this seems like an impossible bug...
If the statement from the previous post is true, that means that the key is found, which would mean that this condition is true
Nov 7 2019
Thank you for admin access, now I do have the option to enable 2FA.
This error occurs after calling https://github.com/wikimedia/mediawiki-extensions-WebAuthn/blob/master/src/WebAuthnCredentialRepository.php#L66-L71
It appears this does not return a valid credential.
From how PublicKeyCredentialSource::createFromArray works, it would either return a valid credential or throw another error, so my guess is that the given credentialId is not found in the DB
Seems that relevant messages are written to the log at this level. This is the error coming from the library, just unfortunately not very helpful
How can I set up WebAuthn for myself on https://en.wikipedia.beta.wmflabs.org? (I don't see the entry for 2FA)
I have just updated our dev system to master and pulled latest versions of both extensions, and was able to login normally using my phone's fingerprint sensor (left the FIDO key in the office).
I did some debugging and found out that verification will fail when php extension gmp is not enabled. However, without it you would not be able to register the key in the first place.
"Verification failed" occurs when the authentication ceremony fails, most likely in the library (MediaWiki\Extension\WebAuthn\Key\WebAuthnKey::authenticationCeremony).
Any error coming from the library should be logged into the logger, on channel 'authentication'. Can you check the log?
Also, please check the DB if the key has been saved correctly
Nov 4 2019
This error occurs when module that user has registered cannot be instantiated, like if WebAuthn module has been enabled, and user enabled it, but then WebAuthn was disabled.
Oct 28 2019
Yes, support check is done very early, before any of the fancy code gets executed
Oct 25 2019
Removed all (hopefully) ES6 features. However, any browser that supports WebAuthn is likely to support ES6 as well
Oct 23 2019
Did not find any orphaned messages in OATHAuth extension
This was set up to ask for re-auth only on "enable" action, but the action remains the same even after the form has been submitted, and if it happens that re-auth period expires between starting the enabling process and submitting it, then is when this issue will occur.
Sep 20 2019
Switched to jsonSerializing objects before putting them into session.
These changes are made on top of existing changes to avoid merge conflicts
Sep 18 2019
Hm, it can't be an array, key can only be generated from
Sep 11 2019
Should we provide a warning when enabling a 2FA method, in case you already have one enabled?
Sep 4 2019
This should do it. Make sure type is actually what we expect, and not just "not null"
Aug 28 2019
Re-introduction of empty "Available methods" section is now fixed
Aug 3 2019
Sent a mail to both lists
Edit: well, I guess I cannot send mails right after subscribing to the lists. I will try again later, or someone else can send the mail
@JoeWalsh Due to refactoring and moving towards namespaced classes
class name is expected.
No refactoring was done (from our side) on Wikipedia apps
Jul 31 2019
Is this issue still relevant? This message key is actually not used anymore, as error SpecialPage is gone now. I could not reproduce the issue
Jul 17 2019
This warning indicates that database table (oathauth_users) is not updated
Jul 10 2019
@Sebastian.Schmid91: Thank you for opening this ticket.
The issue is resolved in the patch above
Jul 4 2019
This is fixed in https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/OATHAuth/+/499183/30/src/Special/OATHManage.php L124
Whole section is not added if it's empty.
It could have regressed in later commits, I will pay attention to this as commits get merged
Jun 28 2019
Jun 24 2019
Jun 19 2019
Jun 13 2019
Jun 12 2019
Recently, requirement for ExtJSBase in BlueSpiceFoundation@REL1_31_dev was changed to "~3.1" which should match version "1.34" of ExtJSBase@master, but the tests still fail with the same error
Jun 7 2019
May 29 2019
May 27 2019
May 24 2019
May 23 2019
May 17 2019
May 15 2019
May 10 2019
May 9 2019
May 8 2019
Apr 25 2019
Apr 15 2019
Apr 8 2019
Biggest technical problem I see with this is that we must have an authenticated user set in order to register a WebAuthn key. It would be fine for new users, but existing users would have to register a WebAuthn key while logged in, so we would need separate UIs for existing and new users, which I don't think is nice (in addition to other issues).
Of course, there is a question of schedule and deadlines, this would require a lot of work on refactoring of OATHAuth, since OATHAuth is now set to explicitly verify second factor, as well as on WebAuthn.
Apr 1 2019
There is a library for WebAuthn that fits our need very well. It is https://packagist.org/packages/web-auth/webauthn-lib#v1.0.1
Basic PoC implementation done successfully.
Mar 29 2019
Mar 25 2019
Mar 21 2019
Mar 19 2019
SO878 is our internal project number, the name of this ticket is the same as the name of our internal ticket
Mar 18 2019
I have seen that one of the APIs is a meta API. I still don't know where the other one is used, but I did refactor both, so disregard that question.
Mar 14 2019
@Bawolff Hello Brian, at this point of the refactoring I have a couple of questions:
- Both API modules seem to be unused, as well as the OATHAuthUtils class. Can I remove this code?
- With the possibility of having multiple modules (auth methods), should we offer the user the possibility to choose which auth method to use (rough version implemented), or should it be set on wiki level?
Mar 11 2019
Mar 6 2019
Feb 27 2019
Feb 26 2019
Feb 25 2019
Thank you for your support and willingness to help.
Feb 22 2019
Problem here was that in docker settings DNS server was set to fixed 188.8.131.52 and could not resolve the host. Setting it to automatic solved the issue. NOTE: Running Docker on Windows! It might help someone if they come across the same issue
I have done the testing, it appears to be an issue related to my system, cURLing https://docker-registry.wikimedia.org/v2/_catalog gives me a response (36s), but at least it is available, while docker pull times out after full 80sec.
I had a colleague of mine run the same command (on the same network), it works for him, so it must be something related to my system. I don't have problems pulling other docker images though.