Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Pair Programming - Frontend / 23 Jul 2020
GitLab / Pair Programming - Frontend / 23 Jul 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Pair Programming - Testing WebAuthn MR

Description

There's an awesome community contribution MR which introduces WebAuthn support. In this video we hop on and test some interesting cases of this MR together :) https://gitlab.com/gitlab-org/gitlab/-/merge_requests/26692

- 17:40 interesting bug found when user has U2F device but the webauthn feature flag is on, the user is locked out 😱

A

At support so we're walking through this community my request, which is awesome and sets up this Web, often devices which I don't understand a whole lot about, but I know and has something to do with you be keys and how exert as one of those so he was able to successfully set it up, looks like things are happening, but now we're gonna log out and try to sign back in, and hopefully everything works.

B

Easy so yeah what we had to do up until now is we had to enable tooth two-factor authentication using the Authenticator app on my phone, create, pin and do all that stuff. Once we did that we basically just were able to click in it register a web often device. We did it for one and we just try it again with the stuff with the same unique e, and we got an invalid state because it was already registered. Is this string right here at issue I? Don't.

A

Know a minor, my guy yeah, it's behind feature flag. It's fine, okay, cool yeah! That's a bit system! We could do the nitpicks yeah, but I'm curious now about signing out and signing back in and double checking that that works. Okay,.

B

So now I'm signed signing out do I just sign in as normal okay. So now it's making me communicate. I am pushing my fingers in the UV key.

A

Court wow that was really nice so but I did see. It said something like sign in with your to FA app or something right.

B

Right, let me go back actually a lot of times, I'll see like an octa that I can log in two different ways: I can log in with my ue key, which is a form of two-factor authentication, but also I can log in with my entire care app, which is another form of to factor out that decay.

A

So if you do the sign in via T.

B

Of a code it should switch to this I should be able to go here and I see that the pin is four seven, eight zero one five, and this should also work cool.

A

That's that's still, let's see, let's double check if we delete the ruv key thing and then we sign back on and sign back again.

A

Yeah.

B

Managed.

A

To factor authentication.

B

Actually I mean I thought I copy. This URL.

A

Okay, so then what happens when we try to signed out sign out inside Mecca I would expect it's not gonna show the hey push button thing.

A

Yeah yeah.

B

Yeah yeah, it's you're correct. It doesn't even give us that option this time and Authenticator.

B

Hey.

A

Super that's a weird cursor thing: you got going on there yeah.

B

It makes updating Doc's, really obnoxious, cuz, sometimes I'll get a screenshot with a cursor and they're like.

A

So this seems to be working now we want to check. Can we manage the feature flag like if it's off under some interesting states, so what I? What I really want to check? There's two states one I've set all this up for a new user with the feature flag off. We turn it on is that new users still able to log in I would I would write this down. Yeah.

B

I was just starting to type.

A

Thanks the other, the other case is.

A

We I set this up with it on then I turned the feature flag off, am I still able to log in so right now we have the feature flag on: let's set up the new device, but then let's turn the feature flag off sign off and see if I can still sign in that's my that's the thing I'm curious about now.

B

Okay, so I will so I will set the new device again.

A

What happens if you don't have a name, can you can we try that out.

A

Cool all right, we got it had setup new device again all that okay.

C

The.

A

Form has the big alert stays there. Yeah.

B

That must be, this must be a Hamel file. It.

A

Is it's it's a really funky, like Hamel template to ping.

A

Okay, that worked great so now, let's turn the feature flag off I.

B

Know I searched for rails, see.

A

No yeah you're gonna run yeah, you get a run rail, see no.

B

Yeah but I did a reverse search instead of just typing rails, see it's that, like laziness, that comes with knowing one too many shortcuts. How do you um have you looked into T MUX.

A

No, you should sincerely seriously consider using tea mugs, so you're using like terminal tabs. hmm I love, tea, mugs I just have one terminal, but you can like split your windows up and you're already using them. So it's very similar like window management to like them has um and it's pretty it's pretty sweet I enjoy it a lot. Nice.

B

I uh was it feature disabled yeah,.

A

It'll be feature disabled web, often speeds and.

B

Then we need to restart right, no.

A

No, you don't need to restart. Oh.

B

Do.

A

It right away cuz, it's just a database flag back in set enough. Okay! Yes, yes, yes, yes, so this is the old kind of device. Is this UTF device thing so web off and device is the new way? mmm This is the old way we just set up a web. Often right, nothingness,.

C

Yeah.

A

Now we turn the flag off I want to see if we sign out and sign back in what happens. I.

B

See so it's good that it says this device, a device in the set up, cuz, web off and and UTF are two different things.

A

Mm-Hmm, yes,.

A

And so then we're just at two-factor authentication code, land, yeah.

A

So what I'm encouraged to see all of this is still dependent on that 2fa code. So it sounds like to me and I- wasn't I wasn't aware of this, but it sounds like the Yubikey is kind of just a convenience layer. On top of that, where I thought it was like, gonna be a totally separate thing, so I wouldn't have a fallback, as my concern is. If we will, if we do this, the worst-case scenario is user or locked out of their accounts.

A

That's the thing we don't want to happen, and but it's cool that the two-factor authentication code is a fallback to this stuff yeah.

A

So now can we register a new user and we're gonna set everything up with the feature flag off and then we'll turn it on and see. If I can sign in.

B

Register so like just create a whole new user yeah.

A

You can just register one like in the yeah if you sign out and then just go through the register form.

A

Yeah, for some reason like okay yeah, it could be me for some reason: I call all of mine, zippy huh I, don't know why I call him zippy, but I just started all my test. Users are all named zippy on my machine.

B

Look at this one password thing is the most obnoxious.

A

Yeah you've got some weird. You have some weird Oh your gears in Firefox nightly, like you're, so edge.

B

It's uh I, don't know it's. Okay,.

A

It's fine I would just call it password or if you really want to generate one.

B

It's a fine.

B

Now one password didn't say that Oh what is going on? Oh my god, took your uh icon. It does yeah.

A

I think it's hates your Gravatar yeah, so big out.

C

So, uh okay.

A

Okay,.

B

So well, I'm gonna do all the things now.

A

Yeah so we're gonna register a new two-factor authentication, I guess.

B

Yeah, okay did the thing now it is I.

B

Know about Gravatar until I came to get lab. You.

A

Didn't know about Gravatar no.

B

Oh.

A

Well, did you ever do like WordPress stuff? No I have not might be why it comes up with WordPress was doing lots of it. I think it I think it might be. Actually the same company I'm not entirely sure, but yeah, some of their.

B

Oh good now.

A

Some of their user account stuff is tied to like a lot of their plugins are Gravatar. You.

B

Okay, so I'm just set up some new device, yeah.

A

Whoa, okay, can it be this? It would be the same name.

A

Okay, it.

B

Is a different user.

A

This is true, oh yeah, so, and that makes sense, so this is a different user. We have this 2fa. This u2f thing great.

A

So now.

B

So now we.

A

Flip the flight.

A

Yeah, so let's double check that this just works, let's sign in just with this and then let's try to sign in with the flag.

B

Oh man, not one password.

A

Hit the button and it works great, but now, let's turn the flag on.

B

Okay, so.

A

If we go to.

A

Yeah you're good.

A

We're.

B

On rounder.

A

I know.

B

Yeah, like 15 minutes, I know this is the last case, though yeah.

A

It is, it was just a few minutes ago we were like we've got a whole hour, I told you isn't.

B

Gonna.

A

Take long I'm, 30 months.

B

Yeah, that's all right. I didn't really believe that anyways that.

A

House, okay, cool. We enabled it awesome.

A

Managing to fax stuff, okay, I, don't so I, don't see my to if a device anymore right so but the question is: am I still able to login with it. Well.

B

We've already set up the already recorded the no I. We have the fallback.

A

Of the app oh, okay, okay, wait! Don't forget a book it can you hit your? Can you hit your thing? Nothing! That's not gonna. Do anything right.

B

Not do anything, oh, this is a great point. I can't remember what the previous all back, who looks like yeah.

A

Previously there wasn't this button, it was just a sign into your your.

A

It just said, enter your goat, so here's the situation, the Yubikey is a layer of convenience, but it's also redundancy and meaning that I don't need my code to sign up. If we flip this on everybody, that's oh I just hit my yubikey and I'm good to go. If we flip this on there, you be keys, not gonna, work anymore, yeah, and that might be a not good.

A

So what we might need to do is somehow detect like what devices do they have available and fall back to the UTF style like treat it like it's off because they don't have a web off. So it's almost like and at this situation only do web often if they have web often and the feature flag is on otherwise always fall back to UTF style and that's how it works, but lists so we'll check you can also you can do the fallback of signing in with the code I.

B

See so it's like, we have to fall outs, you first fall back to UTF and then you fall back to the code. Yeah.

A

My understand view TF and web often, and these are like different protocols, so you can't, like I, can't register a UTF device and then use that same registration, han chaea with web off and or whatever that's my understanding of their relationship.

A

My this is I think this is a blocking issue, because users that are just oh I just hit my key and maybe I've already replaced my phone. So I. Don't even have my security code anymore, like they could be locked out of their account and that's that could be concerning and I think the fix is gonna be we need to treat it like. The flag is off for this user.

A

Somehow yeah and I don't know, though, and here's a scary thing: I don't know if that's actually a security, because if that's a security vulnerability, because technically this user hasn't signed in yet so are we like revealing, like anything.

C

Secret here.

A

Yeah.

C

Questions.

A

Then I'm gonna ask an EMR and hopefully get some feedback hi. So this was. This was all worth it Alexander. This was all worth it. Okay, but let's try it. Let's try to sign in with the the code will fast.

A

Is it working? It's not do anything. Oh, no, the art side. There are locked out. Oh no, oh yeah, okay,.

B

Yeah, let's.

A

Try it just one more time: yeah, let's.

A

So this is a user that has the UTF device, but we flipped on the web off end flag and now they are locked out.

C

Mm-Hmm yeah.

B

This.

A

One's not doing anything this. This has been incredibly helpful. Alexander yeah I need to get one of these UV keys and there's.

B

Nothing in.

A

That council, either yeah I, think I think it's just because this is a we're in a weird state right now of because we use like it's, we kind of use like a state machine to like manage. Don't like this kind of single page, it's very micro, single page app of handle, only two-factor, authentication, I think we're just in a state that is not expecting, and we really should have a feature spec for this case, but I don't really know how to write a feature spec for some of these off stuff.

A

Yeah I need some help. Okay, this is this is great I had one other I had one other test case. uh Okay, yes, can we can we flip it off? So we sign in real fast, and can we check out one more test case? Yeah pull it thanks, super helpful and then I'll. Let you go.

A

Yeah.

A

What's the next test case, the next test case is I'm signed in I, have a UTF device and then now, let's test out, we've turned the flag on, can I register the same device as a web? Often, and then will let me sign in with that. So like let's say we turned it on and someone was able to register with the web off that device.

A

If I already have a UTF device.

B

Right.

B

Okay, so as soon as the flag gets flipped, the device works again, as you would expect good.

A

And it's great: this is behind a feature flag.

B

Okay, so now you were saying it's.

A

Now fine yeah, yeah and.

B

Now this should disappear.

A

Wait just a second wait: let it figure itself out a little bit yeah.

B

Okay, yeah yeah, refresh it too quickly, uh I enabled it for disabled if I'm, able and now, if I refresh now, oh.

A

That's another interesting thing so I'm here I have the UTF device already registered I would need to I guess, delete this.

B

Why is still showing UTF here if we flip the fly well.

A

That might be part of the logic here we may have it: oh, you have a UTF device, we're gonna show it, but we don't show the web often unless you have no UTS devices.

A

So this might be another kind of usability issue, because I may be here and be like: oh I'm, ready to you know, move over to web off and cuz. Maybe we got an email from gitlab that you guys only to update your stuff and I, don't see how I can do that here.

A

If we hit delete, let's see what happens, can't be undone now it becomes a web off and that's a little. That might be a little strange to be hit, set up new device right.

B

I would want essentially my yubikey is both a UTF and yeah.

A

That was that was my first like naive, like question was like hey: could we like use the same thing for both but I'm I think they're, just like totally different protocols that it requires the users interaction for both of these things?

A

And so, when we have this on, my understanding is we want all right. Let me check one more thing out: if we delete this and then we flip it off to where we're in UTF land, what happens when we do set up new device? Am I setting up a web off in device or a UTI device, and then then I'll? Let you get all exam yeah.

B

I want I want to reread the the language around UTF to see. Let's give it another second to do this thing to see. If it's a gives a suggestion of that, we need to delete the UTF device enabled to use the web often divide.

C

Disabled.

A

Is it disabled.

C

Yeah so.

A

This might be interesting too, it might be because we technically created a web, often device. It's like left some flag for a user they're like oh, we always like web, often now, which is a little weird yeah. Oh.

B

Okay,.

A

Yeah all right, yeah.

B

There's nothing here about well, maybe maybe that's with the feature: Flygon, okay, so I'm! Sorry, what was your test case? So if we set up new demise.

A

Great and so then, if we enable it so then we're.

B

Enable this yeah.

B

And this, when I refresh this it's it's, can we.

A

Double check that it's enabled yeah.

B

You mean, like double check, just.

A

I.

C

Guess.

A

I don't know Thanks and then yeah. So, okay, okay,.

B

Oh that's interesting, cuz, our prior prior. We thought that though, if we had a UTF device setup, it would only show that, but now we're it's not.

A

True, that's exactly the.

B

Flag, caching.

A

Stuff, it's yeah if we do set up a new device now and it's called the same thing.

A

Okay, great.

A

So I should now be able to sign and I guess.

A

Cool makes sense can't check one. One last thing: have you ever seen? Columbo I do have a guitar lesson in four minutes. Thank you for stopping me and yeah. If you haven't seen Columbo, you just take them out all right, hey Alexander, you rock! This is super helpful. You have a great oh wait. Did you have that one more test or no? Oh I, do I didn't want to take any of your okay? Let's try all right. Let's do one more thing, all right jump to the profile. This is so valuable.

A

I really really appreciate it and then I know you gotta hop off. So this is the very very last thing. If you go to manage to factor and then you disable two-factor authentication without deleting the device.

A

Okay, okay, so we hit enable two-factor on vacation to something is anything happen? Okay, so is gone. Okay, those devices are gone and I should be able to sign out and sign back in without even messing with any to 2fa stuff.

C

No, it.

B

Is get out of here.

B

Okay, I guess, guess: I'll type it the old-school way.

A

um Okay, all right hey this is we we caught a PDF.

C

Regression.

A

Hey this is helpful. Thanks Alexander, you have a great rest of your day and this is super helpful thanks. So much yeah.

B

No problem anytime, my friend.