Early Bird Registration for DrupalCon Portland 2024 is open! Register by 23:59 PST on 31 March 2024, to get $100 off your ticket.
Overview
It provides a login function using WebAuthn.
Base module features:
* Register/Delete authentication information for WebAuthn
* Logging in to Drupal using WebAuthn
Project page
https://www.drupal.org/project/webauthn_authenticator
Git instructions
git clone --branch 8.x-1.x https://git.drupalcode.org/project/webauthn_authenticator.git
Pareview checklist
https://pareview.sh/pareview/https-git.drupal.org-project-webauthn_authe...
Comments
Comment #2
ankushgautam76@gmail.comHi otofu,
Thanks for your contribution.
No issue found in pareview report.
Below are my findings :
1. In js files you have mention doc comments in other language, is there any reason
// 認証キーを登録する為の情報をサーバより取得.
2. I didn't find any configure link on module installation page for webauthn credentials.
Comment #3
apadernoComment #4
shaktikHi otofu,
Kindly solve these errors/warnings also.
Comment #5
otofu CreditAttribution: otofu commentedComment #6
otofu CreditAttribution: otofu commentedThank you all for your reviews.
I was writing in my native language due to an omission to change my comment. It was Changed.
This module creates WebAuthn credentials tab on user profile pages(/user/{uid}/webauthn-authenticator), but doesn’t create general configuration page.
I guess the reason of the unknown class errors happening here is that third party libraries are not read by PHPStan. Does anyone know how to solve this?
(ex: PHPDoc tag @var for variable $credential_options contains unknown class Webauthn\PublicKeyCredentialCreationOptions.)
Comment #7
apadernoComment #8
sharma.amitt16 CreditAttribution: sharma.amitt16 as a volunteer and at Srijan | A Material+ Company for Drupal India Association commentedThanks for your contribution. Please find my review below.
Coding standard and drupal check for drupal 9
AuthenticationController.php
It will be better if you will use loadByProperties() function of entityTypeManager() to load the user instead of user_load_by_name
RegistrationController.php
You should log the exception or throw the exception instead of keeping it empty.
WebAuthncontroller.php
Instead, you can use
$build = $rows = [];
Rest you did a great job.
Comment #9
otofu CreditAttribution: otofu commentedThanks for the review.
The drupal-check is a 3rd party library error, so I don't know how to fix it.
I've fixed everything else, so please check back.
Comment #10
apadernoThe internal errors aren't errors in the project code, but in the tool used to check the project code, so they don't need any change in the project used for this application.
Comment #11
klausiThanks for your contribution!
And please don't remove the security tag, we keep that for statistics and to show examples of security problems.
Comment #12
otofu CreditAttribution: otofu commentedThanks for the review.
I have responded to the comments you made and I would ask you to check again.
No changes have been made to this routing because it is not possible to check the CSRF Token because an anonymous user will access it.
https://www.drupal.org/docs/8/api/routing-system/access-checking-on-rout...
Comment #13
klausiThanks, good point about anonymous user CSRF - so that should be fine!
Not really familiar with webauthn and the user authentication security implications, but I don't see any obvious security problems. Looks good to me!
Thanks for your contribution, Motoki!
I updated your account so you can opt into security advisory coverage now.
Here are some recommended readings to help with excellent maintainership:
You can find lots more contributors chatting on Slack or IRC in #drupal-contribute. So, come hang out and stay involved!
Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
Thanks to the dedicated reviewer(s) as well.