New feature: passkey authentication for backend #97
Cool! Checking it out now. |
Do you mind if I push a few changes? I'd like to remove the inline JS from |
@justinbeaty feel free! absolutely :-) |
Couple of changes, as always all are just suggestions and we can modify / revert any of them. 1. I moved the base64 methods to the already existing Base64 JS object. I'm actually not sure yet how to test this, it seems I'll need a hardware key as I don't have one built into my computer. |
I can use it with my password manager without any problem |
app/code/core/Mage/Adminhtml/Block/System/Account/Edit/Form.php
@justinbeaty what do you think about the questions at the end of the PR description? |
Let me look closer, also see if I can figure out how to make it work with bitwarden. |
I use another one but bitwarden should support passkey, when the QR code appears, you should scan it on your phone and it should trigger bitwarden etc... |
app/code/core/Mage/Adminhtml/controllers/System/AccountController.php
I figured out the problem with bitwarden, I had my local install URL on the ignore list because I was tired of it asking to update the password when testing the 2fa code. Also just fixed an error where I had used the same field name in my previous commit. |
…ler.php Co-authored-by: Justin Beaty <51970393+justinbeaty@users.noreply.github.com>
One thing regarding
```php
$this->getResponse()
    ->setHttpResponseCode(400)
    ->setBodyJson(['error' => $e->getMessage()]);
```
The But I feel not sending a 200 code is better, so probably better to fix mahoFetch, right? |
What I've committed now:
but still doesn't work, the register passkey experience is not good enough because it doesn't refresh the page and the remove passkey doesn't work. |
@fballiano The added or deleted passkeys aren't completed until the save button on the whole form is pressed. Before you could register a passkey without the current password, but with the logic consolidated in the saveAction it seemed cleaner to me. It also keeps it consistent with how 2fa is enabled, password changes, etc. I think there's other organizational stuff in the commits I pushed that are worth keeping, but let's get this form layout nailed down. If you push your work so far I can probably fix the few issues. |
And I'm not saying it has to be this way, but we should require the current password, which I know you handled on the delete action, but it might be a bit trickier on the create passkey option. Example:
|
Ahhhh then I guess it was only the messages, cause I see “passkey deleted”
and it’s not deleted but it wasn't clear I had to submit the form.
Then probably simply auto submitting the form (which will trigger field
validation) would solve.
I had to leave home at the moment so I can't rethink it right now
On Sat, Jan 25, 2025 at 13:37 Justin Beaty ***@***.***>
wrote:
… @fballiano <https://github.com/fballiano> The added or deleted passkeys
aren't completed until the save button on the whole form is pressed. Before
you could register a passkey without the current password, but with the
logic consolidated in the saveAction it seemed cleaner to me. It also keeps
it consistent with how 2fa is enabled, password changes, etc.
I think there's other organizational stuff in the commits I pushed that
are worth keeping, but let's get this form layout nailed down. If you push
your work so far I can probably fix the few issues.
|
I'll try adding the auto submit and other bug fixes. |
Yeah, you're much better wording those messages than I am, haha. One quick change I'd do is add a getter $passkeyEnabled = $this->getPasskeyCredentialIdHash() !== null; |
will do right away |
Added, but I've called it isPasskeyEnabled() since it's not a real "get" of a property/variable |
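The flow discussed in this thread (passkey changes staged on the account form and applied only on save, after the current password is verified, plus the `isPasskeyEnabled()` helper), as an added example that is not code from this PR. Apart from `isPasskeyEnabled()` and `getPasskeyCredentialIdHash()`, every name here is hypothetical (`DemoAdminUser`, `saveAccount()`, the form keys), and the credential ID and public key are assumed to come from an already verified WebAuthn registration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the admin user model; not Maho's class.
final class DemoAdminUser
{
    public function __construct(
        private string $passwordHash,
        private ?string $passkeyCredentialIdHash = null,
        private ?string $passkeyPublicKey = null,
    ) {}

    public function getPasskeyCredentialIdHash(): ?string
    {
        return $this->passkeyCredentialIdHash;
    }

    // Boolean helper, named as agreed in the thread.
    public function isPasskeyEnabled(): bool
    {
        return $this->getPasskeyCredentialIdHash() !== null;
    }

    // Staged passkey changes take effect only here, after the current
    // password is verified. The $form keys are constructed for this example.
    public function saveAccount(array $form): void
    {
        if (!password_verify((string) ($form['current_password'] ?? ''), $this->passwordHash)) {
            throw new RuntimeException('Invalid current password.');
        }
        if (!empty($form['passkey_remove'])) {
            $this->passkeyCredentialIdHash = $this->passkeyPublicKey = null;
        } elseif (isset($form['passkey_credential_id'], $form['passkey_public_key'])) {
            $this->passkeyCredentialIdHash = hash('sha256', $form['passkey_credential_id']);
            $this->passkeyPublicKey = $form['passkey_public_key'];
        }
    }
}

// Constructed sample data.
$user = new DemoAdminUser(password_hash('correct horse', PASSWORD_DEFAULT));
$staged = ['passkey_credential_id' => 'demo-cred-id', 'passkey_public_key' => 'demo-public-key'];
try {
    $user->saveAccount($staged + ['current_password' => 'wrong']);
} catch (RuntimeException $e) {
    echo 'wrong password, enabled: ', var_export($user->isPasskeyEnabled(), true), PHP_EOL;
}
$user->saveAccount($staged + ['current_password' => 'correct horse']);
echo 'after save, enabled: ', var_export($user->isPasskeyEnabled(), true), PHP_EOL;
```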
Great, I'll test one more time then merge button. 😉 |
I've broken something cause I can't log in anymore 🤦♂️😂 |
mmm seems that when the form is re-saved (let's say changing the username) after the passkey was already enabled -> can't login anymore |
nothing, I'm hallucinating, cause I've redone everything and it's working perfectly |
I've tested saving, and every combination of passkey +/- password, and 2FA on both types of logins. Checked the DB values at each step and all seemed to work perfect. If you can't reproduce again I'd say it's ready! |
retested again and no problem, let's go! |
and Maho is the first magento based platform to have passkey support |
This PR adds basic passkey support to the backend.
and in the login page:
Passkeys only work if the website is under SSL, that's also necessary in order to be able to test this PR.