Use the Rest API for setting up individual providers #504
Tested and both backup codes and TOTP work - the only slight complication (and not directly related to this PR) is the introduction of the TOTP JS via #487 meaning you have to build and compile in order to use it, perhaps we should consider committing the JS file for qrcode generator into the repo so this step isn't necessary - it seems like the only thing we are building that isn't part of the development tools (unit tests etc)
Installing it via npm is important IMO so that we get notifications of security vulns in the package. We could still leave it in I'm somewhat hesitant to disconnect them, because that introduces the opportunity for them to get out of sync (which could disguise any potential security issues if it weren't noticed). I'm open to it if there's a way to document it clearly; or even better if there's a way to automatically enforce the sync (especially for the built version).
This is pretty off-topic, but.. While I don't necessarily see using In the future, it seems likely that there'll be more dependencies introduced for WebAuthn #427 that would benefit from installation through dependencies.
I pushed a few commits that are needed for WordPress/wporg-two-factor#30:
895a5c2 adds an It's off by default because the wp-admin UI has separate fields for enabling the provider, and those are set when the user clicks Custom UIs might want to automatically enable it, though, rather than having to submit a 2nd request.
This is explicitly needed now because of a recent change in the upstream pull request. See WordPress/two-factor#504 (comment)
I've been testing this with wporg-two-factor's custom UI and it's working well. I also tested the native wp-admin UI and it worked too.
I think it'd still be good to get @kasparsd's feedback before merging, though, in case he has any thoughts from the perspective of maintaining this plugin.
public function register_rest_routes() { | ||
register_rest_route( | ||
Two_Factor_Core::REST_NAMESPACE, | ||
'/totp', |
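Review bot: the snippet shown ends at `'/totp'` before the route arguments, so no `permission_callback` is visible for this route; each route registered here should carry a `permission_callback` that confirms the request comes from the logged-in user whose own provider settings are being changed (or a user allowed to edit that user), and the `user_id` argument should be validated, since WordPress otherwise treats a route without a `permission_callback` as publicly callable and emits a `_doing_it_wrong` notice.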
I think it'd be ideal to have more explicit route names, rather than distinguishing them by the method. e.g., two-factor/1.0/totp/enable and two-factor/1.0/totp/disable.
Not a blocker though, just a preference.
I'm going to go ahead and merge this since it's been sitting for a while, but we can definitely iterate if there's any more feedback.
New tests were added for `rest_delete_totp` in #504 which cover the same functionality. `generate_qr_code_url` was also refactored there, but a test wasn't included.
If anyone comes here looking for commits 3aa9c84 (TOTP) or 8baec51 (Backup Codes), I changed their hashes to be5c0a9 and 4d3cb4f, respectively. Before merging I
In two-factor v0.8, a bunch of class methods and constants were removed as part of the overhaul to use the REST API instead of AJAX. See WordPress/two-factor#504. This broke our custom, frontend implementation handler. More to come. See #1.
This draft PR is some work at extending the plugin to allow for alternate UI interfaces to the plugin.
It does this by using a REST API endpoint for the primary actions in TOTP and Backup Codes.
This is still tightly-coupled to the rest of the provider class, as it still expects the HTML returned by `::user_two_factor_options()` is intended on being displayed. Due to the nature of this change, there appears to be a lot of churn, but that's mostly wholesale replacement of code.
This PR does not yet have unit test coverage, failures are to be expected. This is intended to make WordPress/wporg-two-factor#18 / WordPress/wporg-two-factor#22 easier.
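As an added example (not code from this PR or from the two-factor plugin), the following shows how a provider's enable/disable actions can be exposed over the REST API in the explicit route style suggested in the review above, with a `permission_callback` that restricts each request to the user whose own settings are changed (or a user who can edit that user) and with the `user_id` argument validated. It assumes `Two_Factor_Core::REST_NAMESPACE` as referenced on this page; the class `Example_Totp_Rest`, its method names, the `_example_totp_key` meta key and the verification helper `Two_Factor_Totp::is_valid_authcode()` are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Two_Factor_Core::REST_NAMESPACE is
// referenced on the page; Example_Totp_Rest, its methods, the meta key and the
// Two_Factor_Totp::is_valid_authcode() helper are assumptions for illustration.

class Example_Totp_Rest {

	public static function register_rest_routes() {
		// Shared argument schema: user_id must be a positive integer.
		$user_arg = array(
			'user_id' => array(
				'required'          => true,
				'type'              => 'integer',
				'sanitize_callback' => 'absint',
				'validate_callback' => function ( $value ) {
					return (int) $value > 0;
				},
			),
		);

		// Explicit route names instead of distinguishing actions by HTTP method.
		register_rest_route(
			Two_Factor_Core::REST_NAMESPACE,
			'/totp/enable',
			array(
				'methods'             => WP_REST_Server::CREATABLE, // POST
				'callback'            => array( __CLASS__, 'rest_enable_totp' ),
				'permission_callback' => array( __CLASS__, 'rest_permission' ),
				'args'                => $user_arg + array(
					'key'  => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
					'code' => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
				),
			)
		);

		register_rest_route(
			Two_Factor_Core::REST_NAMESPACE,
			'/totp/disable',
			array(
				'methods'             => WP_REST_Server::DELETABLE, // DELETE
				'callback'            => array( __CLASS__, 'rest_disable_totp' ),
				'permission_callback' => array( __CLASS__, 'rest_permission' ),
				'args'                => $user_arg,
			)
		);
	}

	// Least privilege: a user may change only their own provider unless they can
	// edit the target user. Cookie-authenticated requests also need a valid REST
	// nonce, which WordPress checks before this callback runs.
	public static function rest_permission( WP_REST_Request $request ) {
		$user_id = (int) $request['user_id'];
		if ( ! is_user_logged_in() ) {
			return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
		}
		if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
			return new WP_Error( 'rest_forbidden', 'You may not change this user\'s two-factor settings.', array( 'status' => 403 ) );
		}
		return true;
	}

	public static function rest_enable_totp( WP_REST_Request $request ) {
		$user_id = (int) $request['user_id'];
		// Require proof of possession: the submitted code must verify against the
		// submitted secret before the secret is persisted, so a secret the user
		// never confirmed cannot be enabled. Verification helper is assumed.
		if ( ! Two_Factor_Totp::is_valid_authcode( $request['key'], $request['code'] ) ) {
			return new WP_Error( 'invalid_code', 'The code did not match.', array( 'status' => 400 ) );
		}
		update_user_meta( $user_id, '_example_totp_key', $request['key'] ); // hypothetical meta key
		return rest_ensure_response( array( 'success' => true ) );
	}

	public static function rest_disable_totp( WP_REST_Request $request ) {
		delete_user_meta( (int) $request['user_id'], '_example_totp_key' ); // hypothetical meta key
		return rest_ensure_response( array( 'success' => true ) );
	}
}

add_action( 'rest_api_init', array( 'Example_Totp_Rest', 'register_rest_routes' ) );
```

The permission check runs before either callback, so a custom front-end UI can call these routes with the REST nonce and the user's own ID, while a request for another user's ID is rejected with a 403 unless the caller can edit that user.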