From YouTube: Pair Programming - Testing WebAuthn MR
Description
There's an awesome community contribution MR which introduces WebAuthn support. In this video we hop on and test some interesting cases of this MR together :) https://gitlab.com/gitlab-org/gitlab/-/merge_requests/26692
- 17:40 interesting bug found when user has U2F device but the webauthn feature flag is on, the user is locked out 😱
Easy. So yeah, what we had to do up until now is we had to enable two-factor authentication using the Authenticator app on my phone, create, PIN and do all that stuff. Once we did that we basically just were able to click in it, register a WebAuthn device. We did it for one and we just try it again with the stuff, with the same YubiKey, and we got an invalid state because it was already registered. Is this string right here at issue? I don't.

So this seems to be working. Now we want to check: can we manage the feature flag, like if it's off under some interesting states? So what I, what I really want to check? There's two states. One, I've set all this up for a new user with the feature flag off. We turn it on, is that new user still able to log in? I would, I would write this down. Yeah.

No, you should sincerely, seriously consider using tmux, so you're using like terminal tabs. I love tmux, I just have one terminal, but you can like split your windows up and you're already using them. So it's very similar, like window management to like them has, and it's pretty, it's pretty sweet, I enjoy it a lot. Nice.

I was, it feature disabled, yeah.

So what I'm encouraged to see, all of this is still dependent on that 2FA code. So it sounds like to me, and I wasn't, I wasn't aware of this, but it sounds like the YubiKey is kind of just a convenience layer on top of that, where I thought it was like gonna be a totally separate thing, so I wouldn't have a fallback. As my concern is, if we will, if we do this, the worst-case scenario is users are locked out of their accounts.

Yeah, for some reason, like okay yeah, it could be me. For some reason I call all of mine Zippy, I don't know why I call him Zippy, but I just started. All my test users are all named Zippy on my machine.

So, okay.

It just said enter your code. So here's the situation: the YubiKey is a layer of convenience, but it's also redundancy, meaning that I don't need my code to sign up. If we flip this on everybody that's, oh, I just hit my YubiKey and I'm good to go, if we flip this on, their YubiKeys are not gonna work anymore, yeah, and that might be not good.

So what we might need to do is somehow detect like what devices do they have available and fall back to the U2F style, like treat it like it's off because they don't have a WebAuthn. So it's almost like, in this situation, only do WebAuthn if they have WebAuthn and the feature flag is on, otherwise always fall back to U2F style, and that's how it works. But lists, so we'll check, you can also, you can do the fallback of signing in with the code.

My, this is, I think this is a blocking issue, because users that are just, oh, I just hit my key, and maybe I've already replaced my phone, so I don't even have my security code anymore, like they could be locked out of their account, and that's, that could be concerning. And I think the fix is gonna be we need to treat it like the flag is off for this user.

That council, either, yeah, I think, I think it's just because this is a, we're in a weird state right now, because we use like, it's, we kind of use like a state machine to like manage, don't like this kind of single page, it's very micro, single page app of handle only two-factor authentication. I think we're just in a state that is not expecting, and we really should have a feature spec for this case, but I don't really know how to write a feature spec for some of these auth stuff.

What's the next test case? The next test case is I'm signed in, I have a U2F device, and then now let's test out, we've turned the flag on, can I register the same device as a WebAuthn, and then will it let me sign in with that? So like let's say we turned it on and someone was able to register with the WebAuthn that device.

Okay, yeah yeah, refreshed it too quickly. I enabled it, for disabled, if I'm able, and now if I refresh now, oh.

And so when we have this on, my understanding is we want, all right, let me check one more thing out: if we delete this and then we flip it off to where we're in U2F land, what happens when we do set up new device? Am I setting up a WebAuthn device or a U2F device? And then, then I'll let you get all, exam, yeah.

Cool, makes sense. Can't check one, one last thing: have you ever seen Columbo? I do have a guitar lesson in four minutes. Thank you for stopping me, and yeah, if you haven't seen Columbo, you just take them out. All right, hey Alexander, you rock! This is super helpful. You have a great, oh wait, did you have that one more test or no? Oh, I do, I didn't want to take any of your, okay? Let's try, all right, let's do one more thing. All right, jump to the profile. This is so valuable.