Submitted a patch with the proposed fix

Great! Yes, probably all DB access should go through OATHAuth, especially since this is just reading all keys. I will commit a patch for that in the following days

Thank you, i got in.
I would like to know if this line is executed or not
https://github.com/wikimedia/mediawiki-extensions-WebAuthn/blob/master/src/WebAuthnCredentialRepository.php#L69
I guess i would need to put some debugging statement in there

I managed to log into bastion-eqiad1-01, is that the right server? How do I get to WebAuthn from there?

Thanks

Can you please provide me with the shell access?

I debugged locally the whole path of authentication and this seems like an impossible bug...
if the statement from the previous post is true, that means that key is found that would mean that this condition is true

Thank you for admin access, now i do have the option to enable 2FA.

This error occus after calling https://github.com/wikimedia/mediawiki-extensions-WebAuthn/blob/master/src/WebAuthnCredentialRepository.php#L66-L71
It appears this does not return a valid credential.
From how PublicKeyCredentialSource::createFromArray works, it would either return a valid credential or throw another error, so my guess given credentialId is not found in the DB

Seems that relevant messages are written to log at this level, this is the error coming from the library, just unfortunatelly, not very helpful

How can i set up WebAuthn for myself on https://en.wikipedia.beta.wmflabs.org? (i dont see the entry for 2FA)

I have just updated our dev system to master and pulled latest versions of both extensions, and was able to login normally using my phone's fingerprint sensor (left the FIDO key in the office).

I did some debugging and found out that verification will fail when php extension gmp is not enabled. However, without it you would not be able to register the key in the first place.
Verfication failed occurs when authentication ceremony fails, most likely in the library. ( MediaWiki\Extension\WebAuthn\Key\WebAuthnKey::authenticationCeremony).
Any error coming from the library should be logged into the logger, on channel 'authentication'. Can you check the log?
Also, please check the DB if the key has been saved correctly

This error occurs when module that user has registered cannot be instantiated, like if WebAuthn module has been enabled, and user enabled it, but then WebAuthn was disabled.

Yes, support check is done very early, before any of the fancy code gets executed

Removed all (hopefully) ES6 features. However, any browser that supports WebAuthn is likely to support ES6 as well

Did not find any orphaned messages in OATHAuth extension

This was set up to ask for re-auth only on "enable" action, but the action remains the same even after the form has been submitted, and if it happens that re-auth period expires between starting the enabling process and submitting it, then is when this issue will occur.

Switched to jsonSerializing objects before putting them into session.
These changes are made on top of existing changes to avoid merge conflicts

Hm, it cant be an array, key can only be generated from

Should we provide a warning when enabling a 2FA method, in case you already have one enabled?

This should do it. Make sure type is actually what we expect, and not just "not null"

Re-introduction of empty "Available methods" section is now fixed

Sent a mail to both lists
Edit: well I guess i cannot send mails right after subscribing to the lists. I will try again later, or someone else can send the mail

@JoeWalsh Due to refactoring and moving towards namespaced classes

MediaWiki\Extension\OATHAuth\Auth\TOTPAuthenticationRequest

class name is expected.
No refactoring was done (from our side) on Wikipedia apps

Is this issue still relevant? This message key is actually not used anymore, as error SpecialPage is gone now. I could not reproduce the issue

This warning indicates that database table (oathauth_users) is not updated

@Sebastian.Schmid91: Thank you for opening this ticket.
The issue is resolved in the patch above

This is fixed in https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/OATHAuth/+/499183/30/src/Special/OATHManage.php L124
Whole section is not added if its empty.
It could have regressed in later commits, i will pay attention to this as commits get merged

Recently, requirement for ExtJSBase in BlueSpiceFoundation@REL1_31_dev was changed to "~3.1" which should match version "1.34" of ExtJSBase@master, but the tests still fail with the same error

Biggest technical problem i see with this is that we must have authenticated user set in order to register WebAuthn key. It would be fine for new users, but existing users would have to register WebAuthn key while logged-in, so we would need separate UIs for exisiting and new users, which i dont think is nice (in addition to other issues).
Of course, there is a question of schedule and deadlines, this would require a lot of work on refactoring of OATHAuth, since OATHAuth is now set to explicitly verify second factor, as well as on WebAuthn.

There is a library for WebAuthn that fits our need very well. It is https://packagist.org/packages/web-auth/webauthn-lib#v1.0.1
Basic PoC implementation done successfully.

SO878 is our internal project number, the name of this ticket is the same as the name of our internal ticket

I have seen that one of the APIs is a meta API, I still dont know where the other one is used, but i did refactor both, so disregard that question.

@Bawolff Hello Brian, at this point of the refactoring i have a couple of questions:

• Both API modules seem to be unused, as well as the OATHAuthUtils class. Can I remove this code?
• With the possibility of having multiple modules (auth methods), should we offer the user possibility to choose which Auth method to use (rought version implemented), or should it be set on wiki level?

Thank you for your support and willingness to help.

Problem here was that in docker settings DNS server was set to fixed 8.8.8.8 and could not resolve the host. Setting it to automatic solved the issue. NOTE: Running Docker on Windows! It might help someone if they come accross the same issue

I have done the testing, it appears to be an issue related to my system, cURLing https://docker-registry.wikimedia.org/v2/_catalog gives me response (36s), but at least it is available, while docker pull timesout after full 80sec.
I had a colleague of mine run the same command (on the same network), it works for him, so it must be something related to my system, dont have problems pulling other docker images though.