CUNY Academic Commons

Hi Jeremy,

I added the new WebAuthn plugin to CDEV. Can you see if you are able to login now?

Also if you are able to login successfully on CDEV, can you test removing and adding the WebAuthn security key when on your profile's "My Settings > Security" page? I had to modify our BuddyPress frontend integration so the new WebAuthn fields will show up on that page, but I'm not sure if it is possible to register a new key or not.

If you encounter any problems, let me know.

Hey Ray - It seems like there may be a PHP error when I try to login. I enter my username/password on wp-login.php, and then it reloads with only the CUNY header.

The last bit of the source HTML is this before it stops:

<form name="validate_2fa_form" id="loginform" action="https://commons.gc.cuny.edu/wp-login.php?action=validate_2fa" method="post" autocomplete="off">
    <input type="hidden" name="provider"      id="provider"      value="TwoFactor_Provider_WebAuthn" />
    <input type="hidden" name="wp-auth-id"    id="wp-auth-id"    value="8174" />
    <input type="hidden" name="wp-auth-nonce" id="wp-auth-nonce" value="67d82ec9ad59330118fe2c56a579819816929b92492bb79cba328c1cf79369c2" />
    <input type="hidden" name="redirect_to" value="https://commons.gc.cuny.edu/wp-admin/" />
    <input type="hidden" name="rememberme"    id="rememberme"    value="0" />

Thanks Jeremy. Can you test again? I think there was an issue with installing the WebAuthn DB tables.

If that doesn't work, let me know.

Thanks for testing, Jeremy!

Yeah, I noticed the dual Security Keys sections and was surprised that the WebAuthn plugin did not attempt to disable the existing Fido U2F method from the 2FA options.

I added an issue to the author's Github repo over here: https://github.com/sjinks/wp-two-factor-provider-webauthn/issues/93

Jeremy, what do you think about disabling the FIDO U2F provider ourselves and also perhaps removing the existing FIDO U2F keys after the migration to WebAuthn is done as I mentioned in the Github issue?

Edit - Actually, let's keep the existing FIDO U2F keys. If the core Two Factor plugin includes their own WebAuthn plugin in the future, they will probably reference those keys. So only disabling the FIDO U2F provider should be okay.

I encountered a bug for the WebAuthn plugin with the DB tables being installed per-site instead of globally. I've opened a pull request here: https://github.com/sjinks/wp-two-factor-provider-webauthn/pull/106.

For now, I've temporarily applied the fix to the Commons: https://github.com/cuny-academic-commons/cac/commit/3228b0a663a8f84a2c1a2e3be1317dde488fd551

Ray, when I pushed this change to the production site, I had to deal with some uncommitted changes to wp-content/mu-plugins/cac-login-template.php. They appear to be connected to #15516 (?) and I manually merged them, but if you could take a moment to check, that'd be great.

They appear to be connected to #15516 (?) and I manually merged them, but if you could take a moment to check, that'd be great.

Yeah, that was from an attempt to debug #15516 (I still need to return to that!). I've removed those changes for now.