-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add web
auth type
#5076
feat: Add web
auth type
#5076
Conversation
webauthn
auth type to web
found 2 benchmarks with statistically significant performance improvements
timing results
|
wouldn’t this be a breaking change? Also there’s tons of kinds of web auth that isn’t webauthn. |
Technically yes, but it’s never been enabled on the registry, except in staging, so it won’t be a problem. We’ve already enabled the new header on the registry (and kept support for the old one).
Which is one of the reasons it’s changing. It’s not only webauthn that’s supported. |
What about private registries that may have implemented support in the meantime? |
@jumoel @MylesBorins as @ljharb notes, this is a breaking change now so we should probably just keep this as |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
!Breaking change
@darcyclarke what if we just add web as another alias? |
There is 0 chance anyone has implemented this. If they had they likely would have reached out to clarify why the field is called webauthn. The auth flow we are implementing is to "authenticate via website" not specific to WebAuthn. Our enhanced 2FA experience was launched explicitly as a beta. IMHO such beta services do not have to adhere to Semver (similar to the experimental status in Node.js). With that said, I recognize there is ambiguity here and we should be thoughtful about SemVer, but I also want to be pragmatic about committing the CLI to permanent legacy behavior for something that isn't currently supported by any registry. I think we need to introduce It seems like what we do need to decide is "what to do with the
This is the cleanest approach imho, and operates under the assumption that the new 2FA experience and related functionality are beta. It is being a bit cavalier about SemVer and has a non-zero risk of breaking things... but I would bet a steak dinner that nothing breaks and this is a much cleaner solution
In this approach we doc deprecate + warn for webauthn and remove it in 9. Thoughts? |
webauthn
auth type to web
web
auth type
@jumoel are you going to be updating this PR from the feedback above? Based on internal discussions & this thread, I believe the path forward here is to leave Our team can/will deprecate & remove the |
@darcyclarke I believe that is what this PR does in it's current implementation. We can ignore my comments about updating docs |
This is going to collide with #5149 when that one lands. We'll have to rebase and update the copy, since we have switched to being able to deprecate certain config values instead of the entire config option. |
d00685b
to
8a24fba
Compare
8a24fba
to
0e0310b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with a tiny nit
|
||
Pass \`webauthn\` to use a web-based login. | ||
What authentication strategy to use with \`login\`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What authentication strategy to use with \`login\`. | |
Pass \`web\` to use a web-based login. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think removing the actual description is what we want here.
What
Add the more generic
web
for the registry to use, instead of the implementation-specificwebauthn
authentication type.Why
It's more generic and sounds better.
References