feat: Add web auth type
#5076
feat: Add web auth type
#5076
Conversation
jumoel
changed the title
webauthn auth type to web
|
found 2 benchmarks with statistically significant performance improvements
timing results
|
|
wouldn’t this be a breaking change? Also there’s tons of kinds of web auth that isn’t webauthn. |
Technically yes, but it’s never been enabled on the registry, except in staging, so it won’t be a problem. We’ve already enabled the new header on the registry (and kept support for the old one).
Which is one of the reasons it’s changing. It’s not only webauthn that’s supported. |
|
What about private registries that may have implemented support in the meantime? |
|
@jumoel @MylesBorins as @ljharb notes, this is a breaking change now so we should probably just keep this as |
|
@darcyclarke what if we just add web as another alias? |
There is 0 chance anyone has implemented this. If they had they likely would have reached out to clarify why the field is called webauthn. The auth flow we are implementing is to "authenticate via website" not specific to WebAuthn. Our enhanced 2FA experience was launched explicitly as a beta. IMHO such beta services do not have to adhere to Semver (similar to the experimental status in Node.js). With that said, I recognize there is ambiguity here and we should be thoughtful about SemVer, but I also want to be pragmatic about committing the CLI to permanent legacy behavior for something that isn't currently supported by any registry. I think we need to introduce It seems like what we do need to decide is "what to do with the
This is the cleanest approach imho, and operates under the assumption that the new 2FA experience and related functionality are beta. It is being a bit cavalier about SemVer and has a non-zero risk of breaking things... but I would bet a steak dinner that nothing breaks and this is a much cleaner solution
In this approach we doc deprecate + warn for webauthn and remove it in 9. Thoughts? |
jumoel
changed the title
webauthn auth type to webweb auth type
|
@jumoel are you going to be updating this PR from the feedback above? Based on internal discussions & this thread, I believe the path forward here is to leave Our team can/will deprecate & remove the |
@darcyclarke I believe that is what this PR does in it's current implementation. We can ignore my comments about updating docs |
|
This is going to collide with #5149 when that one lands. We'll have to rebase and update the copy, since we have switched to being able to deprecate certain config values instead of the entire config option. |
wraithgar
force-pushed
the
jumoel/change-webauthn-to-web
branch
from
d00685b
to
8a24fba
Compare
wraithgar
force-pushed
the
jumoel/change-webauthn-to-web
branch
from
8a24fba
to
0e0310b
Compare
|
|
||
| Pass \`webauthn\` to use a web-based login. | ||
| What authentication strategy to use with \`login\`. |
There was a problem hiding this comment.
| What authentication strategy to use with \`login\`. | |
| Pass \`web\` to use a web-based login. |
There was a problem hiding this comment.
I don't think removing the actual description is what we want here.
What
Add the more generic
webfor the registry to use, instead of the implementation-specificwebauthnauthentication type.Why
It's more generic and sounds better.
References