-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add possibility of enabling WebAuthn as a second factor authentication #1
Conversation
89b4533
to
d4ed665
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Excellent work so far!
Left a couple of comments on my first review pass.
I know a few comments I made are recommending changes in code that is consistent with what we have in the webauthn-rails-demo-app, but still commented what I think might be better and then we can go back and refactor in the other app.
81f96ae
to
398f6fe
Compare
end | ||
|
||
test 'verify_key should require initiated login and 2FA enabled' do | ||
post verify_key_second_factor_authentication_path |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure we are POSTing anything in the request, sounds more like a GET?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All is doing is asking the server for the options for credentails.get
call. Just "asking for information", "getting information".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah but how we get to execute the stimultus controllers' actions if we don't post a request with json
format? I got a little lost here 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work!
test/controllers/second_factor_authentication_controller_test.rb
Outdated
Show resolved
Hide resolved
398f6fe
to
3885a0a
Compare
3885a0a
to
8ac62b7
Compare
8ac62b7
to
fb9742b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work! 👏
Sorry for the delay in the code review.
This adds a basic UI for enabling WebAuthn 2FA, with a basic button that takes users to a new credential page that asks them for their credential's nickname. After they hit the `Add Security Key` button, they'll be prompted to enter their security key by their browser. Once that's done, the process will be completed and you users will added their security key. * Used stimulus to comunicate between our server and the user client * Used WebAuthnJson gem for calling the browser to create the credentials * Created Credential model that belongs to User. * Add `current_challenge` to Users
fb9742b
to
a899df2
Compare
This commit adds verification of second factor when attempting to sign in, if enabled. It adds a few conditions when checking if a user is authenticated, making that a user that has second factor enabled is authenticated only after the second factor is authenticated. So now, we'll still be storing the `user_id` in the session, after users sign in, but we'll also store the boolean `user_authenticated`, which will be true if user's second factor its authenticated. The flow for authenticating a credential is pretty similar to the one that we did for registering them, with the difference that we want to fetch an existing one instead of creating it, therefore we use methods like `WebAuthn::Credential#options_for_get` and `WebAuthn::Credential#from_get`.
a899df2
to
a85a3e4
Compare
What
New Feature: Allow users to enable Webauthn as a Second-Factor Authentication
This adds a basic UI for enabling WebAuthn 2FA, with a basic button that takes users to a page were users can add their security keys. After they hit the
Add Security Key
button, they'll be prompted to enter their security key by their browser. Once that's done, the process will be completed and you users will added their security key.It also adds a second page after signing in where users are asked to authenticate using their second factor – if enabled.
How
It adds a few conditions when checking if a user is authenticated, making that a user that has second factor enabled is authenticated only after the second factor is authenticated.
So now, we'll still be storing the
user_id
in the session, after users sign in, but we'll also store the booleanuser_authenticated
, which will be true if user's second factor its authenticated.Steps
Screenshots
Credential Registration
Credential Authentication
How to Review
References
https://www.pivotaltracker.com/story/show/172354931