Improve WebAuthn user experience
Created by: melanger
- translation improvements
- change message in page instead of alert()
- new messageOverride option for replacing default trigger messages
- improve WebAuthn user experience
- support users without JavaScript
BREAKING CHANGE: renamed and removed some dictionary keys, booleans in config have to be real booleans instead of strings
Created by: xpavlic
Probably we also want to change this: Utils.php. This causes OTP to be supported although the user does not have OTP (TOTP) tokens. Also this is the section where the preferred mode is set.
Created by: melanger
> Probably we also want to change this: Utils.php. This causes OTP to be supported although the user does not have OTP (TOTP) tokens. Also this is the section where the preferred mode is set.
I know what you mean, but the always shown OTP field (perhaps inadvertently) solves a couple of issues:
- the template does not have to deal with the situation when the user has no usable tokens (e.g. only WebAuthn but the browser does not support it)
- it allows users without JavaScript to use OTP (at least when preferredToken is not used; it needs to be fixed for preferredToken=WebAuthn)
- it gives less information about the user's registered tokens to a potential attacker
On the other hand, if we hide OTP for users who don't have any OTP tokens (e.g. TOTP and paper codes), they have a better idea about what to do (and whether they can log in at all in case of a WebAuthn-less browser). Since it means quite a few changes, I would rather solve this separately. I will create an issue for that.
Created by: melanger
The always shown OTP field will be resolved in #2.
- without JS, preferredToken=otp, only OTP ✔
- without JS, preferredToken=otp, only WebAuthn ✅ - same as "without JS, preferredToken=otp, both" but there is no way to log in (#2)
- without JS, preferredToken=otp, both ✔ (only OTP works because WebAuthn needs JavaScript)
- with JS, preferredToken=otp, only OTP ✔ - same as "without JS, preferredToken=otp, only OTP"
- with JS, preferredToken=otp, only WebAuthn ✔ - same as "with JS, preferredToken=otp, both", but OTP cannot be used (#2)
- with JS, preferredToken=otp, both ✔
- without JS, preferredToken=webauthn, only OTP ✔ - same as "without JS, preferredToken=otp, only OTP"
- without JS, preferredToken=webauthn, only WebAuthn ✅ - same as "without JS, preferredToken=webauthn, both" but there is no way to log in (#2)
- without JS, preferredToken=webauthn, both ✔
- with JS, preferredToken=webauthn, only OTP ✔ - same as "without JS, preferredToken=otp, only OTP"
- with JS, preferredToken=webauthn, only WebAuthn ✅ - same as "with JS, preferredToken=webauthn, both" but OTP cannot be used (#2)
- with JS, preferredToken=webauthn, both ✔
Created by: github-actions[bot]
🎉 This PR is included in version 5.0.0 🎉 The release is available on GitHub release
Your semantic-release bot :package::rocket: