Gutenboarding: Add push 2fa support to auth store

[p-jackson]

Changes proposed in this Pull Request

• Add support for "push" 2nd login factor
• Polls ever 5 seconds to see if push notification has been handed (this is the poll time currently used by /log-in)
• Add downlevelIteration to TS config so we can use yield* in generator functions
• Every time we poll update the nonce that we'll use for the next time we poll

"Push" means when we send a push notification to the WordPress app during login, and you click the button in the app to approve the login. Not the one where you have to end a code for the 2nd factor.

Testing instructions

• Checkout branch locally
• Install WordPress app on phone (I found I needed to enable notifications for the app, can always disable later 😄)
• In console:
  • wp.auth.submitUsernameOrEmail('username') using an account that's logged into the mobile app
  • wp.auth.submitPassword('correctpassword')
  • Console will print that it's now waiting for 2FA
  • Go to your phone and approve the push notifcation
  • After a few seconds the console will update to say you're logged in
  • Also try running wp.auth.reset() while polling is happening, polling should stop

Should probably try a passwordless account with 2fa. I don't actually know if passwordless accounts can have a second factor 🤔 (we might ask them to pick a password)

[matticbot]

Test live: https://calypso.live/?branch=add/auth-store-2fa-app

[matticbot]

Here is how your PR affects size of JS and CSS bundles shipped to the user's browser:

App Entrypoints (~779 bytes added 📈 [gzipped])

name                   parsed_size           gzip_size
entry-gutenboarding        +2427 B  (+0.1%)     +630 B  (+0.1%)
entry-main                  +202 B  (+0.0%)      +49 B  (+0.0%)
entry-login                 +202 B  (+0.0%)      +50 B  (+0.0%)
entry-domains-landing       +202 B  (+0.0%)      +50 B  (+0.0%)

Common code that is always downloaded and parsed every time the app is loaded, no matter which route is used.

Legend

What is parsed and gzip size?

Parsed Size: Uncompressed size of the JS and CSS files. This much code needs to be parsed and stored in memory.
Gzip Size: Compressed size of the JS and CSS files. This much data needs to be downloaded over network.

Generated by performance advisor bot at iscalypsofastyet.com.

[p-jackson]

Should probably try a passwordless account with 2fa. I don't actually know if passwordless accounts can have a second factor 🤔 (we might ask them to pick a password)

Turns out passwordless account can have a second factor! It won't impact gutenboarding though because you enter the 2nd factor after following the email link, so that's done at /log-in

[roo2]

I couldn't test it with the app on my phone (I got no google services 😅). I had a comment on the style of reusing variables and the login response type which I think should be a union type, and also error handling.

[roo2]

I think we should have a timeout here, I'm not sure what length of time it should be. Is this code called as we wait for the user to acknowledge the push notification on their phone?

[p-jackson]

Agree. I don't the current login has a timeout but it really should. It does handle errors by stopping the polling, and we should too.

[roo2]

There should also be error cases which indicate that the push authentication has really failed an will never succeed. I think you should be more specific with this check and then handle any other error's seperately

[p-jackson]

Agree, I reckon this goes hand in hand with timing out too.

[andrewserong]

Nice work so far @p-jackson! Following the steps in the testing instructions worked well for me.

I ran into an issue attempting to test when something doesn't quite work out right, like if a user doesn't have notifications switched on in the app, or accidentally clicks ignore, so we need to submit the password again.

The first time I attempted this, I appeared to get stuck in a situation where there were two lots of the while loop running checking the two-step-authentication-endpoint. So after I tapped Approve in the app, the other loop was still throwing a 403.

The steps to do this were:

1. I had the WordPress app open but notifications weren't enabled
2. I did wp.auth.submitPassword( myPassword );, realised that I didn't have the push notifications enabled so then
3. I switched on notifications
4. Called wp.auth.submitPassword( myPassword ); again
5. Tapped Approve in the app
6. Noticed the additional network requests firing in the Network tab in Chrome

I attempted to recreate these steps, but encountered slightly different behaviour. I tapped "Ignore" after the first password submit, and then after the second password submit, the network requests for checking the two-step-authentication-endpoint threw 400 errors instead of 403. The error response looks like:

{"success":false,"data":{"errors":[{"code":"empty_two_step_nonce","message":"two_step_nonce required."}]}}

Inspecting the network request that generated the 400, the request payload was missing the two_step_nonce param after the second submitPassword.

I've run out of time for today to investigate further, but I'm wondering if in the while loop it'd be worth trying to explore how it can check the loginFlowState as a means of breaking out of the endless loop? I'm not sure it needs a timeout, but would a mechanism for stopping the check / turning the check into kind of a singleton behaviour work?

This behaviour might be a little artificial of course, because we might handle things quite differently in the consuming code. Taking a look at the existing behaviour at /log-in if I get to the push notification screen with the app open, it asks me to verify in the app. If I click back, I get taken to the input field to enter my email address (not the password field). After entering my password, I get redirected to /log-in/sms. So the behaviour of dealing with the push notification appears to be closely tied to dealing with the other 2fa approaches, too 🤔

I'm sure you're well-aware of most of these complexities anyway, so apologies for the info dump! Happy to take a closer look again tomorrow.

[p-jackson]

I've updated polling logic so if there's an API error the polling will stop and return the user to the password state. However if it's a network error (i.e. fetch throws) then it keeps polling. This copies what the current log in does, I think it makes sense that having a shoddy connection doesn't stop the polling.

I decided not to add a timeout for polling. How long is long enough? Does it take a user 5min to find their phone? 10min? Instead I've made sure the reset() action will stop the polling. That way if the user wants to go back and start login again they can.

[ramonjd]

Just tested and works as described for me.

How long is long enough?

I clicked on Ignore in my app, just to see what would happen.

It's hard to guesstimate how long is appropriate. Sometimes I'm fumbling around with my phone and it takes me 20 seconds just to unlock the thing.

Would it make sense to give them, say, 1 min, after which we could offer someway to resend the permission request?

[p-jackson]

Would it make sense to give them, say, 1 min, after which we could offer someway to resend the permission request?

Yeah I was thinking something like this. The current UI has links like "I don't have access to my phone right now". So I think these sorts of things should actually be dealt with at the UI layer not automatically in the store.

[ramonjd]

A question, because I'm not sure...

Does the optional chaining inwindow.wp? makes sense seeing as, in the line above we're assuming that wp is a property of window anyway? (window.wp.auth = {};)

[p-jackson]

Eagle eyes! No they're not needed, just a copy paste bug from when I copied code from inside the callback.

It is needed inside the callback because window.wp could be undefined again by the time the callback is called (according to the type checker). Given it's just devtools it's a case of do-what-you-need-to-do-to-shut-the-type-checker-up

[andrewserong]

This is working great for me now @p-jackson, I really like the elegant approach of handling both the wait and cancelling an existing poll via task ids. From testing in the console, it correctly errors out and stops polling when push authentication has been throttled, too.

Just left a couple of notes of tiny typos, but once they're fixed up, it's looking good to go to me!

Fixed typos

[p-jackson]

Thanks for the reviews. Merging to wrap up this round of the auth store work.

[andrewserong]

Nice work on all this! 🚢