Rebase webauthn / passkey PR onto main #2153
Conversation
|
I've now added the option to manage individual passkeys. It's a bit more involved, because passkeys themselves don't really make it easy so you have to add it yourselves, the protocol doesn't supply user friendly names and being able to delete passkeys based on their random binary data didn't seem super helpful. Would gladly take some tips if you think there's a better structure for the data or if I should organise the code differently. |
There was a problem hiding this comment.
Thank you for taking the time to do this. I was able to test it and that seems to work.
I added few minor comments. Other than that, it would be nice if you can update the man page with the new config option.
I would also appreciate if somebody could help with the go.mod and go.sum files. I'm still new to Go and not entirely sure if those files are purely PR changes or if I accidentally updated unrelated modules. The rebase was a bit complex so I may have messed things up in the process.
It should be fine if you rebase against latest changes in main, and run go mod tidy.
| "page.settings.webauthn.passkey_name": "Passkey Name", | ||
| "page.settings.webauthn.added_on": "Added On", | ||
| "page.settings.webauthn.last_seen_on": "Last Used", | ||
| "page.settings.webauthn.register": "Enregistrer le mot de passe", |
There was a problem hiding this comment.
The french translation is incorrect: mot de passe is the translation for password. clé d'accès might be more appropriate here.
You can leave the text in English and I will translate later.
There was a problem hiding this comment.
Fixed: ceaec0c
I've removed all the French text and left it in English, wasn't sure if you meant just the one.
Note that for all languages, I didn't do any translation: If it looks translated, it's based on the old PR and where I introduced new strings, I didn't translate them, probably best to get native speakers to do that. I can do the German one if you need help there. I took the easy route here so far and just didn't touch it.
| @@ -0,0 +1,49 @@ | |||
| package model // import "miniflux.app/v2/internal/model" | |||
There was a problem hiding this comment.
Minor detail: The license header is missing in the new files.
There was a problem hiding this comment.
Added: fbf9aaa
I followed the example and only added it for .go files, but not .js or .html, hope that was right.
internal/storage/webauthn.go
Outdated
| // attestation_type varchar(255) not null, | ||
| // aaguid bytea, | ||
| // sign_count bigint, | ||
| // clone_warning bool |
There was a problem hiding this comment.
These comments looks unnecessary
internal/storage/webauthn.go
Outdated
| // handle storage of webauthn credentials | ||
| func (s *Storage) AddWebAuthnCredential(userID int64, handle []byte, credential *webauthn.Credential) error { | ||
| query := ` | ||
| insert into webauthn_credentials |
There was a problem hiding this comment.
Minor detail: it would be nice to have the SQL queries follow the existing naming convention: INSERT INTO webauthn_credentials ...
There was a problem hiding this comment.
Fixed in 9611ac0 - is this what you had in mind? Looks better like this, I think :)
| @@ -0,0 +1,135 @@ | |||
| {{ define "title"}}{{ t "page.settings.title" }}{{ end }} | |||
There was a problem hiding this comment.
Looks like this file should not be there after the rebase.
There was a problem hiding this comment.
You're right! Totally missed that, thanks! 4c0975c
internal/model/webauthn.go
Outdated
| import ( | ||
| "database/sql/driver" | ||
| "encoding/hex" | ||
| jsonenc "encoding/json" |
There was a problem hiding this comment.
the jsonenc should not be necessary here?
There was a problem hiding this comment.
Huh don't even know where that came from, I assume you meant the "alias" wasn't needed? See 774a479
This was missed in the original rebase and accidentally added in its old path.
Introduce a list of passkeys and options to remove and rename them. Because the native library data structure does not have space for this new metadata, this change introduces a wrapping struct to old on to that data and hence there are quite a few changes to interfaces. It is also quite tricky to identify passkeys just based on the information they give you, so inspired by Github, you are now prompted to create a name for your passkey. Combined with when they were created and last used that should make management easier. The field is intentionally optional if users don't want to enter a name. When registering one they will now be prompted, but can choose to ignore that or enter an empty name. Registration has already succeeded at that point.
I hope I did that correctly: 6206738 I've addressed the comments, let me know if this is good or if you'd like me to do something else. Thanks for taking a look. I also get the feeling we might want to squash this before merging, I messed up quite a bit with the rebases so condensing it down / cleaning it up might make for a nicer history (not sure how important that is to you). |
This is a rebase of #1618 in which @dave-atx added webauthn support. All credit to them for doing the hard work of adding this feature. Due to the significant changes since this PR on the main branch, there's quite a few things that have moved around, but it's mostly still recognisably the feature dave-atx implemented.
Notable changes I made from that PR:
id_IDfor webauthn since that language wasn't there back thenallowCredentialsandexcludeCredentials. Note that the webauthn spec documents a slight privacy and security risk forallowCredentials, but I don't think miniflux needs to worry about this narrow case.rp.iconwhich is deprecated and makes Firefox fail if it's present. The current spec doesn't include it any more.The original description & instructions from the PR still apply, which I'll repeat here (with edits) to make it easier:
WEBAUTHNconfig option to allow WebAuthn to be used instead of a manual password. The config option defaults totrue. When enabled, a new "login with passkey" button shows on the login page and an option to register a passkey appears on the settings page.BASE_URLmust be set tohttp://localhost:8080(or equivalent) or passkeys will fail.I would also appreciate if somebody could help with the
go.modandgo.sumfiles. I'm still new to Go and not entirely sure if those files are purely PR changes or if I accidentally updated unrelated modules. The rebase was a bit complex so I may have messed things up in the process.Do you follow the guidelines?