load U2F js only on pages which need it

[kdomanski]

Currently the U2F js will load on every page, as long as the user is enrolled in TOTP. WIth this change, the js will be only loaded on the U2F login screen and in the two-factor auth settings.

[kdomanski]

cc @silverwind

[lafriks]

Why not just set RequireU2F in needed handlers?

[CirnoT]

Yup, we should continue using RequireU2F but it should be removed from loadSecurityData.

It seems that it was added to loadSecurityData in order to populate U2F in window.config however I see no reason why it should be true on every page.

[silverwind]

My comment in #11573 was more aimed at the removal of the RequireU2F variable here which would result in unconditional loading which should be avoided if possible.

I think the current loading mechanism via RequireU2F is generally fine (until we port the script to webpack/npm). The window.config.U2F variable is unused an can be dropped, it was added when I copied other similar variables to window.config in advance preparation.

[kdomanski]

Updated. Please restart the arm64 failing test.

[kdomanski]

ping @lafriks @silverwind

[silverwind]

Not sure I understand the impact of the move of this variable.

Is theU2FRegistrations variable not required in the new context?

[kdomanski]

The impact is that the U2F is set to load only on the security settings page and not wherever the security data is loaded, e.g. oauth endpoints.
It's inspired by your comment #11573 (comment)

I'm pretty sure that the U2FRegistrations variable is orthogonal to this change.

[silverwind]

Maybe @6543 can test this? I don't have a security token, so I can't verify.

[CirnoT]

Works for me.

[6543]

will test soon

[6543]

ok cant test at the moment, it looks like my local test instance has no working U2F at all :/
tested with this branch and master - self cert https

I dont have time to dig into it at the moment - so neither a lgtm nor a block

[kdomanski]

@6543 What do you mean by "has no working U2F at all", what's going wrong? I'd love to help you test this.

[kdomanski]

@CirnoT If you could please suggest another reviewer, merging this PR would make it easier to deal with #11573

[CirnoT]

Not aware of anyone else aside from @6543, sorry.

[silverwind]

Maybe @jonasfranz can test.

[6543]

I'll have some time today - Will hava a try again :)

[6543]

hmm still get Could not read your security key. with and without your patch :/

[kdomanski]

I've been getting a similar error when the base URL in the config was HTTP and not HTTPS.

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions.

[zeripath]

make lg-tm work