Automattic / wp-calypso

The JavaScript and API powered WordPress.com
https://developer.wordpress.com
GNU General Public License v2.0

[WordPress Desktop App] Login issues: 2FA with security key #72754

Open rw-ye opened 1 year ago

rw-ye commented 1 year ago

Update on 2024 June 18

Solution to use browser authentication, like the Studio app, is proposed in this Slack thread: p1717704815693689/1717608504.988349-slack-C029GN3KD

Quick summary (of original Google login issue)

When trying to log in with Google on the WordPress.com desktop application, it gets stuck on a loading screen and does not proceed.

Screenshot 2023-01-30 at 11 42 27 am

Steps to reproduce

  1. Download WordPress.com Desktop Application: https://apps.wordpress.com/desktop/
  2. On the login screen, select Continue with Google.
  3. Enter details for your Google account.
  4. The screen will be stuck on One moment please...

What you expected to happen

Expected to be logged into my WordPress.com account by using my Google account.

What actually happened

Stuck on the loading screen

Impact

Some (< 50%)

Available workarounds?

Yes - Use WordPress.com account login instead.

Platform (Simple and/or Atomic)

No response

Logs or notes

Tested on MacOS 13.1 and Windows 10

youbrokesomething commented 1 year ago

This may be related: The Google Sign-In JavaScript platform library for Web is set to be deprecated after March 31, 2023.

obenland commented 1 year ago

@zaguiini It looks like the Google flow gets stuck on the redirect step back to the desktop app. Would you be able to see if you can find what's wrong with it or pair up with me tomorrow to tackle it together?

obenland commented 1 year ago

@zaguiini and I jumped on a call to discuss this ticket. He suspects that there might be missing pieces from the Google Authentication API migration (pdKhl6-lg-p2) and will take a look soon.

zaguiini commented 1 year ago

Useful resources to note:

They could possibly be related to how it works on desktop/Electron + GSI.

njones0100 commented 1 year ago

Issue persists. Unable to log in to WordPress desktop app using Google authentication. The app is useless for those of us who use our Google accounts to log in.

autumnfjeld commented 4 months ago

This issue had grown beyond Google login issues. Users who have set up 2FA with a security key cannot log in. See the discussion in this Slack thread: p1717608504988349-slack-C029GN3KD

In that slack discussion this solution is proposed:

> MHO we should just kick the user out of the app to WP.com in a browser to authenticate, then send them back to the electron app on success

> Yes, that's exactly what we do on Studio: Remove authWindow in favor of the default browser #94 We call the OAuth page to get a token back to the Electron app, save it, and use it in each API request. Logging out just deletes the token. The login flow will be more complex for each user, though. If users need to log in through the browser, they might abandon using the desktop app. I could help with that solution, but I’m not sure if I can own it right now. In any case, happy to take a quick look tomorrow

@sejas would be a good resource for guidance on this fix for the WordPress App :)

cc: @wongasy @wojtekn
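
The browser hand-off proposed in the comment above depends on the app trusting a URL that the operating system delivers back to it. The following is an added example, not code from wp-calypso or Studio, of binding that callback to the login attempt the app itself started. It assumes an authorization-code grant with PKCE and a `state` value, which the thread does not specify; the endpoint, client id, callback scheme and function names are placeholders.

```javascript
const nodeCrypto = require("node:crypto");

// Placeholders: the real endpoint, client id and scheme are not in the thread.
const AUTHORIZE_URL = "https://auth.example.invalid/oauth2/authorize";
const CLIENT_ID = "desktop-app-placeholder";
const REDIRECT_URI = "exampledesktop://auth/callback";

const b64url = (buf) => buf.toString("base64url");

// Start a login attempt. The returned object stays in main-process memory
// until the callback arrives; authorizeUrl is what the system browser opens.
function beginLogin() {
  const state = b64url(nodeCrypto.randomBytes(32));
  const codeVerifier = b64url(nodeCrypto.randomBytes(32)); // 43 characters
  const challenge = nodeCrypto.createHash("sha256").update(codeVerifier).digest();
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    state,
    code_challenge: b64url(challenge),
    code_challenge_method: "S256",
  }).toString();
  return { state, codeVerifier, authorizeUrl: url.toString() };
}

function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && nodeCrypto.timingSafeEqual(x, y);
}

// Validate the URL handed back to the app before using anything in it.
function handleCallback(pending, callbackUrl) {
  let url;
  try { url = new URL(callbackUrl); } catch { return { ok: false, reason: "unparseable" }; }
  const want = new URL(REDIRECT_URI);
  if (url.protocol !== want.protocol || url.host !== want.host || url.pathname !== want.pathname)
    return { ok: false, reason: "unexpected redirect target" };
  if (!pending) return { ok: false, reason: "no login in progress" };
  const state = url.searchParams.get("state");
  if (!state || !safeEqual(state, pending.state)) return { ok: false, reason: "state mismatch" };
  if (url.searchParams.get("error")) return { ok: false, reason: "authorization denied" };
  const code = url.searchParams.get("code");
  if (!code) return { ok: false, reason: "missing code" };
  // The caller exchanges code + codeVerifier for the token, then discards pending.
  return { ok: true, code, codeVerifier: pending.codeVerifier };
}
```

Any local application can register the same custom scheme or invoke it with arbitrary parameters, so the `state` check and the PKCE verifier are what tie a returned code to the attempt this app instance began.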

jeroenpf commented 4 months ago

I took a look into this today and another option we may consider to solve the lack of webauthn support in Electron on MacOS is using native node modules to access ASAuthorizationController - this way it is not necessary to leave the app to go through an oauth flow on WordPress.com.

See: https://discord.com/blog/how-discord-modernized-mfa-with-webauthn

I was not able to reproduce any issues with the Google login. The only issue I had was that the security key authentication does not work.

wojtekn commented 4 months ago

Thanks for reviewing it @jeroenpf

> I took a look into this today and another option we may consider to solve the lack of webauthn support in Electron on MacOS is using native node modules to access ASAuthorizationController - this way it is not necessary to leave the app to go through an oauth flow on WordPress.com.

If we followed that path, how would we plan to support it on Windows and Linux? Would it be safer and easier for future maintenance to follow the path we took for Studio and use the browser, instead of writing custom C++ code?

jeroenpf commented 4 months ago

> If we followed that path, how would we plan to support it on Windows and Linux? Would it be safer and easier for future maintenance to follow the path we took for Studio and use the browser, instead of writing custom C++ code?

For Windows users, there is no problem. The security key authentication works fine there:

Screenshot 2024-06-21 135231

This problem applies to MacOS users and Linux users. The proposed solution would only solve it for MacOS users. However, afaik there are several times you need to present a security key while using Calypso (some actions require that), not just upon login. So just using the oauth flow via the browser would not solve this issue as it does for Studio.

Here is an example of the C++ code needed: https://github.com/Automattic/wp-calypso/blob/try/webauthn-via-native-node-module/desktop/src/NativeModule/native_module.mm - it's not 100% functional but it should be something like this.

kozer commented 4 months ago

I investigated it for Linux to see if I could find anything to make this work. I:

Unfortunately, none of what I tried worked. I guess the easiest solution will be to implement what we have in Studio.