LG-775 Do not present FIDO auth option if browser does not support FIDO #2642
…s not support FIDO

**Why**: So the user is not presented with 2FA options they can't use.

**How**: Display the security key option as hidden in the list of 2FA options. Use JavaScript to determine if FIDO is supported. If it is supported, unhide the security key option. If it is not supported, make sure that the next 2FA option is selected by default.
I was in the all-hands meeting where this was discussed. @brodygov and I discussed what we hoped for this. The concern was in defaulting to webauthn if the user was using a browser that didn't support it. Rather than change the options we show, we want to bounce them to the option list if we would otherwise show them the webauthn once they've submitted their username/password. That is, if we show them webauthn because of the logic in
@jgsmith-usds I updated the PR to include a redirect back to the option list if the user winds up on the webauthn login screen.
@stevegsa What is supposed to happen when loading this with a browser that doesn't support WebAuthN? I tested this in Safari, and contrary to what I expected, it threw a JS error and stayed on the "Present your security key" page.
Also, is there a problem with our JS New Relic license key? An error appeared in
@brodygov I see the problem. I hooked the redirect up to the setup JS but not the auth JS. The selection list does correctly not show webauthn, but since we propel you to the first option, bypassing the selection list, it didn't catch the redirect, which uses webauthn-authenticate.js. I will fix this. Good catch! Good thing it's not in prod yet.
Why: So the user is not presented with an option they can't use.
How: Display the security key option as hidden in the list of 2FA options. Use JavaScript to determine if FIDO is supported. If it is supported, unhide the security key option. If it is not supported, make sure that the next 2FA option is selected by default.
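The following is an added example and not the JavaScript from this PR or from the identity-idp code base. It shows the three pieces the description and the review thread call for: WebAuthn feature detection, the hide/select-default logic for the 2FA option list, and the "bounce back to the option list" decision for the authentication page that @brodygov found was missing from the auth JS. The `win` parameter (a `window`-like object), the option ids, the `{id, hidden}` option shape and the `/two_factor_options` URL are assumptions made so the logic can run and be tested outside a browser; in a page you would pass `window` and apply the returned flags to the DOM.

```javascript
// Added example (not identity-idp code). The browser window is injected as
// `win` so the same logic runs in a page (pass `window`) and under Node.

// True when the browser exposes the WebAuthn API. Requiring both the
// PublicKeyCredential interface and navigator.credentials.get()/create()
// is a deliberately conservative check: a partial implementation of either
// would otherwise throw on the "Present your security key" page.
function webauthnSupported(win) {
  if (!win || typeof win.PublicKeyCredential !== 'function') return false;
  const creds = win.navigator && win.navigator.credentials;
  return !!creds &&
    typeof creds.get === 'function' &&
    typeof creds.create === 'function';
}

// Options are the ordered 2FA choices rendered server-side with the
// security key option hidden (assumed shape: {id, hidden}). When WebAuthn
// is supported the security key option is unhidden; otherwise it stays
// hidden and the first visible option becomes the default selection.
function applyWebauthnVisibility(options, supported, webauthnId = 'webauthn') {
  const updated = options.map(o =>
    o.id === webauthnId ? { ...o, hidden: !supported } : { ...o });
  const selected = updated.find(o => !o.hidden);
  return { options: updated, selectedId: selected ? selected.id : null };
}

// On the security key authentication page: proceed with the ceremony only
// when the API exists; otherwise return a redirect to the option list.
// The caller performs the navigation (e.g. win.location.assign(result.to))
// so this stays side-effect free and testable.
function authPageAction(win, optionListUrl = '/two_factor_options') {
  return webauthnSupported(win)
    ? { action: 'authenticate' }
    : { action: 'redirect', to: optionListUrl };
}

// Constructed stand-ins for a supporting browser and a legacy one
// (assumed minimal shapes, not captured from real browsers).
const supportingBrowser = {
  PublicKeyCredential: function PublicKeyCredential() {},
  navigator: { credentials: { get() {}, create() {} } },
};
const legacyBrowser = { navigator: {} };

// Wiring in a real page would look like this (not executed here):
//   const supported = webauthnSupported(window);
//   const { options, selectedId } = applyWebauthnVisibility(readOptions(), supported);
//   options.forEach(o => { document.getElementById(o.id).hidden = o.hidden; });
//   if (selectedId) document.getElementById(selectedId).checked = true;
//   const result = authPageAction(window);
//   if (result.action === 'redirect') window.location.assign(result.to);
```

Because `applyWebauthnVisibility` simply selects the first option that is not hidden, the security key option only becomes the default when it is listed first and supported; in a legacy browser the next option in the list is selected, which is the behaviour the How paragraph asks for. The redirect check must run on the authentication page as well as the setup page, since a user sent straight to the first option skips the selection list entirely.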
Hi! Before submitting your PR for review, and/or before merging it, please
go through the checklists below. These represent the more critical elements
of our code quality guidelines. The rest of the list can be found in
CONTRIBUTING.md
Controllers
authenticated, make sure to add before_action :confirm_two_factor_authenticated as the first callback.
Database
Unsafe migrations are implemented over several PRs and over several
deploys to avoid production errors. The strong_migrations gem
will warn you about unsafe migrations and has great step-by-step instructions
for various scenarios.
Indexes were added if necessary. This article provides a good overview
of indexes in Rails.
Verified that the changes don't affect other apps (such as the dashboard)
When relevant, a rake task is created to populate the necessary DB columns
in the various environments right before deploying, taking into account the users
who might not have interacted with this column yet (such as users who have not
set a password yet)
Migrations against existing tables have been tested against a copy of the
production database. See LG-228 Make migrations safer and more resilient #2127 for an example when a migration caused deployment
issues. In that case, all the migration did was add a new column and an index to
the Users table, which might seem innocuous.
Encryption
Routes
state or result in destructive behavior).
Session
user_session helper instead of the session helper so the data does not persist beyond the user's session.
Testing
and invalid inputs.