Reauth 2FA UI #115
I think we should also deny any API
Thanks for creating this, is it worth creating some screenshots and making some quick wireframes/flows of how/where this will work?
Here's a quick attempt I made which definitely needs a @WordPress/meta-design opinion and tuning. But I think we can probably do it with an overlay. Thoughts? This would require that we know that the session has expired when users try to update values. I'm thinking we could write a middleware that handles those updates.
Modal generally looks good. On a meta note, we are updating the modal in I think my main question here is the larger flow, can you walk me through which things I had to click to get here? This is when you go back to 2fa to change it, correct?
You can think about this as a session expiry scenario. Here is what we expect to happen:
What this is doing is protecting a scenario where a 2fa session is left open and unattended.
Sounds good. If the modal is the most basic way to unstick this, sounds good to move forward. This is an interface we'll continue to QA and even visually refresh at some point, if anything sticks out we'll come back to it.
Note: Extra components that would be helpful.
It may make sense to use that component but be sensitive to loading Gutenberg libraries (or any third party libraries) and its effect on page size. From what I remember the component library used to cost about 1 MB.
@renintw Can we create a draft PR that mimics the behavior ahead of the upstream PR so we can try it?
yeah, no problem. That's what I had in mind. 👍
Added some initial work in #147 for this, as I hadn't seen this issue prior. While the UIs in this issue look good, they're not really viable to be implemented as part of the MVP IMHO. This is in part due to technical limitations around the 2FA providers in use, and the browser security modals we have to work within. There's also very little benefit for us to create a new front-end UI for displaying the re-auth flow for TOTP, as we'd then need to integrate with WebAuthN as well, which would likely require significant JS duplication from the login flow. For now, the best way forward is going to be to redirect them off to the login screen I think, but we can (and should) iterate on the 2FA challenge screen both during login and re-auth, either for WordPress.org specifically or in combination with the Two-Factor plugin. Previously the Two-Factor plugin was not very extensible in this regard, and replacing its UI was not super straightforward. That being said, it can now be replaced wholesale by adding a
Good news, I realised over the weekend that I could indeed make this work. #147 has been updated to use an iframe, and is much more user friendly now.
Ref: #43 (comment)
Acceptance Criteria
Prompt user when it's been > xx mins since the last 2FA challenge before displaying UI.
Store the timestamp of the last 2FA challenge: When the user successfully completes a 2FA challenge, store the timestamp (e.g., as a Unix timestamp), such as storing in a cookie, local storage or React state.
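The two acceptance criteria above (record the time of the last successful 2FA challenge, then prompt before a sensitive update once it is older than the window) and the "middleware that handles those updates" idea from the thread, as an added example that is not code from the wporg-two-factor project or from anyone in this issue. The names `REAUTH_WINDOW_MS`, `MemoryStorage`, `TwoFactorSession` and `guardSensitiveUpdate` are assumptions, the 15-minute window stands in for the issue's unspecified "xx mins", and the 401 response used to signal a server-side expiry is an assumed convention:

```javascript
// Added example, not code from the wporg-two-factor project or the issue thread.
// Assumed names: REAUTH_WINDOW_MS, MemoryStorage, TwoFactorSession, guardSensitiveUpdate.

const REAUTH_WINDOW_MS = 15 * 60 * 1000; // placeholder: the issue leaves the window as "xx mins"
const LAST_CHALLENGE_KEY = 'last2faChallenge';

// Minimal getItem/setItem storage so the example runs without a browser;
// on the real page this would be localStorage, a cookie wrapper, or React state.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
}

class TwoFactorSession {
  // `now` is injectable so the expiry logic can be exercised without wall-clock time.
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
  }

  // Called after a successful 2FA challenge: store a Unix timestamp (seconds).
  recordChallengePassed() {
    this.storage.setItem(LAST_CHALLENGE_KEY, String(Math.floor(this.now() / 1000)));
  }

  // Returns the stored timestamp in milliseconds, or null if absent or unparsable.
  lastChallengeMs() {
    const raw = this.storage.getItem(LAST_CHALLENGE_KEY);
    const seconds = Number.parseInt(raw === null ? '' : raw, 10);
    return Number.isFinite(seconds) ? seconds * 1000 : null;
  }

  // True when the user must re-authenticate before a sensitive update.
  // A missing value, a future value (clock moved backwards) and a value older
  // than the window all count as expired, which is the safe default.
  needsReauth() {
    const last = this.lastChallengeMs();
    if (last === null) return true;
    const age = this.now() - last;
    return age < 0 || age > REAUTH_WINDOW_MS;
  }
}

// Middleware-style guard around an update action. `promptReauth` stands for the
// overlay or login redirect discussed in the thread and returns true only if the
// user completes the challenge; `sendUpdate` performs the request and returns the
// server's response. Both are synchronous here to keep the example self-contained;
// on a real page they would be async.
function guardSensitiveUpdate(session, sendUpdate, promptReauth) {
  if (session.needsReauth()) {
    if (!promptReauth()) {
      return { status: 'blocked', reason: 'reauth-required' };
    }
    session.recordChallengePassed();
  }
  const response = sendUpdate();
  // The server stays the authority: if it reports the 2FA session as expired
  // (401 here, an assumed convention), clear the local timestamp so the next
  // attempt prompts again instead of trusting the stale client-side value.
  if (response.status === 401) {
    session.storage.setItem(LAST_CHALLENGE_KEY, '');
    return { status: 'blocked', reason: 'server-rejected' };
  }
  return { status: 'sent', response };
}
```

The client-side timestamp only decides when to show the prompt; whatever endpoint receives the update still has to check the server-side 2FA session age itself, which is why the guard drops the local value whenever the server rejects the request.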