PMXBOT Log file Viewer

#pypa-dev logs for Monday the 17th of June, 2019

[15:08:16] <sumanah> woodruffw: https://github.com/pypa/warehouse/issues/6011 - I have a question about what is allowed in a key name (ASCII? Unicode? Emoji? Spaces?).
[15:11:43] <sumanah> hey if anyone loves making Warehouse CI tests pass, I'd love help getting https://github.com/DavidBord/warehouse/tree/fix-5790-send-invitations finished up so that we can close "Send invitations when adding owner/maintainer roles" https://github.com/pypa/warehouse/issues/5790 which is blocking several other features
[15:28:27] <woodruffw> sumanah: followed up on that issue
[15:28:35] <sumanah> Thanks!
[17:18:27] <sumanah> EWDurbin: woodruffw: am off for lunch and a nap
[17:18:34] <sumanah> I will be back online in a few hours
[18:53:43] <sumanah> ok! today we at PyPI are soft-launching U2F security key support for 2FA login (e.g., Yubikeys and other devices that support WebAuthn) -- it's a beta feature and I am looking forward to getting bug reports before we really widely announce it. https://pypi.org/manage/account/ I'd appreciate if any of you could help test it a bit https://wiki.python.org/psf/WarehousePackageMaintainerTesting#Workflows
[18:54:54] <sumanah> In particular I think we need testers who use Windows, usually visit PyPI on a mobile device, are an organization where users share an auth token within a group, use an unusual TOTP app or U2F token, have a slow Internet connection, or usually block cookies and JavaScript (note that you can't set up a U2F key without JavaScript)
[19:23:21] <sumanah> cooperlees: steiza: ^ could one of you give it a try?
[19:23:50] <sumanah> I'd like 1 more person to provision a U2F-compatible key before we hit Post on the blog post(s)
[19:25:14] <cooperlees> sumanah: I feel locking API Keys IDs/Names should be ascii to reduce storage size, but UTF-8 should work
[19:26:19] <sumanah> cooperlees: you saw https://github.com/pypa/warehouse/issues/6011 ? woodruffw said "Any and all Unicode should be valid within a key label, up to 64 codepoints. That means that emoji and spaces should both work." ... I do appreciate making it possible for people to label their keys in their preferred language, e.g., Kannada
[19:26:50] <cooperlees> Yeah, I like that too.
[19:26:56] <cooperlees> Haven't read that issue sorry
[19:27:01] <cooperlees> so I'm ill-informed.
[19:27:14] <woodruffw> yeah, we impose a length restriction at the form validation level, although not at the DB level
[19:27:32] <sumanah> cooperlees: no worries :)
[19:28:02] <cooperlees> woodruffw: If that's the only entry point for the data, then that should be fine
[19:28:11] <woodruffw> it is, yep
[19:28:57] <cooperlees> sumanah: I've already got a soft token. It all works for me. I haven't had an issue yet. I'm using Duo App on my iPhone
[19:29:11] <cooperlees> Thought this was API token testing or something I hadn't tried yet
[19:29:28] <cooperlees> Just signed in using a different (safari) browser to test it
[19:29:35] <sumanah> cooperlees: Duo Mobile -- that's for TOTP? or U2F?
[19:29:52] <cooperlees> TOTP
[19:29:55] <sumanah> I was thinking you probably have a U2F device you could use for the new WebAuthn support
[19:30:03] <cooperlees> O, I do have a Yubikey
[19:30:06] <sumanah> cooperlees: that's what we just rolled out today
[19:30:10] <sumanah> right - would you mind?
[19:33:01] <cooperlees> sumanah: Didn't work on Safari
[19:33:04] <cooperlees> WebAuthn successfully provisioned. on Chrome
[19:33:10] <cooperlees> Logging out now to try log in
[19:33:26] <sumanah> woodruffw: ^ you have any suggestions for how to debug the Safari issue? cooperlees what version of Safari?
[19:34:17] <cooperlees> 12.1.1
[19:34:36] <cooperlees> The site just said your browser does not support WebAuthn
[19:34:40] <cooperlees> Didn't on chrome
[19:34:51] <cooperlees> My Yubikey all works now with login on Chrome
[19:35:15] <sumanah> awesome! thanks cooperlees
[19:35:26] <cooperlees> My two tokens. https://usercontent.irccloud-cdn.com/file/Ukb6iJcy/Screen%20Shot%202019-06-17%20at%2012.35.04%20PM.png
[19:36:45] <sumanah> Yay! Thank you cooperlees -- I need to work out which browsers support WebAuthn!
[19:37:28] <cooperlees> https://en.wikipedia.org/wiki/WebAuthn#Support claims Safari can
[19:37:38] <cooperlees> Maybe the Javascript that detects has a bug?
[19:37:45] <cooperlees> I didn't try cause I saw that error
[19:37:48] <cooperlees> Will get a screenshot
[19:38:28] <cooperlees> Here is what I see https://usercontent.irccloud-cdn.com/file/grfXo1ef/Screen%20Shot%202019-06-17%20at%2012.38.11%20PM.png
[19:43:12] <sumanah> cooperlees: huh. https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential says Safari doesn't support PublicKeyCredential
[19:44:02] <sumanah> which is what causes that error https://github.com/pypa/warehouse/blob/master/warehouse/static/js/warehouse/utils/webauthn.js#L42
[19:45:25] <sumanah> potentially worryingly? this is all versions of Safari, plus all versions of IE (and Opera)
[19:45:37] <sumanah> I will open a bug about this
[19:45:40] <sumanah> thank you cooperlees
[19:48:16] <cooperlees> Go me. What a fluke find :D
[20:01:13] <sumanah> I filed https://github.com/pypa/warehouse/issues/6034 to clarify this
[20:03:34] <cooperlees> I feel it should move forward and we just note that this browser is not supported unless the fix isn't too bad
[20:03:36] <sumanah> cooperlees: so that Wikipedia article says that the Safari PREVIEW supports WebAuthn
[20:03:48] <sumanah> or rather its citation says that
[20:04:00] <cooperlees> Ahhh - so does that mean next Mac OS X might support it?
[20:04:04] <sumanah> https://www.w3.org/2019/03/pressrelease-webauthn-rec.html.en
[20:04:15] <cooperlees> If so, that should just be FAQ'd and once it supports it we test :)
[20:04:23] <sumanah> Right -- makes sense to me
[20:04:30] <cooperlees> i.e. On next Mac OS X upgrade that brings it.
[20:04:44] <cooperlees> I'll happily test once it's meant to exist.
[20:04:53] <cooperlees> I usually click upgrade within days of new relesease
[20:05:04] <cooperlees> *releases ... My mac is always backed up
[20:05:17] <cooperlees> sumanah: Cheers for the shout out on the issue :)
[20:13:39] <sumanah> I tried turning the error in webauthn.js into:
[20:13:39] <sumanah> populateWebAuthnErrorList(["Your browser doesn't support WebAuthn. See <a href='https://pypi.org/help/#utfkey'>the FAQ</a>."]);
[20:14:04] <sumanah> woodruffw: that doesn't actually turn into a link; it's just plaintext when it renders:
[20:14:05] <sumanah> Your browser doesn't support WebAuthn. See <a href='https://pypi.org/help/#utfkey'>the FAQ</a>.
[20:14:31] <sumanah> is this being sanitized/escaped in some way?
[20:14:37] <woodruffw> yep, it's being sanitized
[20:15:18] <sumanah> woodruffw: then maybe I should actually edit warehouse/templates/manage/account/webauthn-provision.html
[20:15:30] <sumanah> I'll do that as a quick fix for today
[20:15:40] <woodruffw> yeah, i think that would be the place to put it. there should be a hidden <div> IIRC, you can add the link there
[20:17:22] <woodruffw> sumanah: actually, maybe a better solution: instead of calling populateWebAuthnErrorList, we could have it reveal a hidden <div> (i was wrong about there already being one)
[20:17:44] <sumanah> woodruffw: ah good, I wasn't seeing that hidden div
[20:17:56] <woodruffw> yeah, sorry about that, i was thinking of the <noscript> block
[20:18:51] <sumanah> woodruffw: how about I add some text to the FAQ while you make that HTML change?
[20:19:06] <sumanah> I'll give you access to the branch
[20:19:25] <woodruffw> sounds good :-)
[20:23:42] <sumanah> woodruffw: you are now a Collaborator for my GitHub repo, once you accept the invitation, and https://github.com/brainwane/warehouse/tree/browser-support-webauthn is the branch
[20:45:44] <sumanah> catch y'all later