Disable U2F Interface unless already configured.#571
Open
dd32 wants to merge 6 commits intoWordPress:masterfrom
Open
Disable U2F Interface unless already configured.#571dd32 wants to merge 6 commits intoWordPress:masterfrom
dd32 wants to merge 6 commits intoWordPress:masterfrom
Conversation
ravinderk
approved these changes
May 26, 2023
Member
|
@dd32 do you want to pull this into 0.8.2 or leave for 0.9.0? |
Member
|
Besides the merge conflicts @georgestephanis @TimothyBJacobs does this look good to you? |
Member
|
Yeah I think this makes sense to me. |
Open
Collaborator
|
This is pretty much a requirement to start removing U2F from the codebase. |
Member
|
@kasparsd seems like resolving merge commits and then this should be good to merge? |
kasparsd
reviewed
Dec 3, 2024
Collaborator
kasparsd
left a comment
kasparsd
left a comment
There was a problem hiding this comment.
I sometimes forget to click on "submit review" after adding the inline comments. Did these earlier in the morning today.
| if ( | ||
| ! $security_keys && | ||
| /** This filter is documented in class-two-factor-core.php */ | ||
| apply_filters( 'two_factor_u2f_disabled', true ) |
Collaborator
There was a problem hiding this comment.
Should we pass the user object to the filter to match the original?
| if ( | ||
| ! Two_Factor_FIDO_U2F::get_instance()->is_available_for_user( $user ) && | ||
| /** This filter is documented in class-two-factor-core.php */ | ||
| apply_filters( 'two_factor_u2f_disabled', true ) |
Collaborator
There was a problem hiding this comment.
Same here -- should we pass the $user as the second argument to the filter?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What?
This PR disables the U2F / Fido interface, unless keys are already configured for the user.
Fixes #511
Why?
U2F / FIDO no longer works in modern browsers, until #423 is resolved having this provider enabled only causes confusion to end users (See #511)
Ideally, we wouldn't need to do this, as we've been assuming that #423 would be resolved, but 6+ months later it's no closer to being merged. I'd like to merge this into a 0.8.2.
Alternatives
Alternatively, the Javascript could be updated to detect FIDO/U2F not being viable, and displaying an error message about the browser not supporting it too..
How?
This simply disables the UI by:
If for some reason, it needs to be re-enabled a filter is included:
Testing Instructions
Screenshots or screencast
Changelog Entry
Deprecated: The FIDO/U2F integration has been hidden unless already configured. This is because modern browsers no longer support the standard, and we've not yet finalised our WebAuthn implementation.