Closed mw10013 closed 11 months ago
Hello @mw10013, thanks for reporting this.
I recently released remix-auth-totp
, an evolution of the earlier remix-auth-otp
. The key upgrade in this library is the shift to using @epic-web/totp
for generating and managing One-Time Passwords (OTPs), enhancing the encryption and decryption processes.
Previously, with remix-auth-otp
, an issue related to Cloudflare and authentication was reported. This issue was linked to the use of node-crypto
. However, since @epic-web/totp
does not utilize node-crypto
— as far as I'm aware — the same issues should not occur.
Despite this, I must admit I haven't had the chance to get deeper into the specifics of Cloudflare's systems, which makes it challenging to understand what could be happening (the library works as expected outside of it).
I'm considering reaching out to Sergio Xalambrí, the creator of remix-auth
. He might have some insights into what could be causing these Cloudflare issues.
Let me know if you have more information or a specific error that could lead us to a solution!
Update: I had a talk with Sergio, who pointed out a possible case that could be causing the Cloudflare issues.
remix-auth
is compatible with Cloudflare, but some dependencies, such as jsonwebtoken
, might not be. This could be one of the potential issues since this library uses jsonwebtoken
as an extra security layer for data reaching the client. Although it's not necessary and it could be stripped off.
The thirty-two
package may also have issues with Cloudflare. It's important to note this because it's used in dependencies like @epic-web/totp
. In this case, Kent C. Dodds should be informed, as he is involved with the pointed library.
Replacing jsonwebtoken
might resolve some of the issues. Also considering using node-crypto
or crypto-es
as alternatives to deprecated packages like crypto-js
. Another option is to utilize the Web Crypto API globally, which is supported in Cloudflare, Deno, Bun, Node (since v20), and browsers.
I'll check this out @mw10013. I'll definitely find some time to look into it and come up with a solution.
I'll leave the issue open and update you on any changes. Thanks again for bringing this up!
@epic-web/totp
, which has thirty-two
as dependency seems to work in Cloudflare with tweak to remix.config.js.
serverNodeBuiltinsPolyfill: {
modules: { buffer: true, crypto: true },
globals: {
Buffer: true,
},
},
https://github.com/mw10013/remix-auth-totp-sandbox/blob/epic-totp/app/routes/_index.tsx
export function loader() {
const { otp, secret, digits, period, algorithm } = generateTOTP({
algorithm: "SHA256",
period: 10 * 60,
});
const isValid = verifyTOTP({ otp, secret, digits, period, algorithm });
return { otp, secret, period, digits, algorithm, isValid };
}
Cloudflare definitely supports the Web Crypto API.
https://github.com/mw10013/remix-auth-totp-sandbox/tree/jsonwebtoken
"The Workers runtime implements the full surface of this API, but with some differences in the supported algorithms compared to those implemented in most browsers."
I'm unable to get jsonwebtoken
working. This branch (https://github.com/mw10013/remix-auth-totp-sandbox/tree/jsonwebtoken) contains only jsonwebtoken
and compiles with tweak to remix.config.js
serverNodeBuiltinsPolyfill: {
modules: { crypto: true, stream: true },
globals: {
process: true,
}
},
Runtime error starting up.
Alright, so we can mostly confirm that the issue could be the implementation of jsonwebtoken
.
I'll need to review the source-code from the Strategy to confirm if jsonwebtoken
can be stripped out or replaced. If I recall correctly, it was added as an extra security layer, but it wasn't necessary or required at the time.
I'll look into it, @mw10013. If you have any other information or want to report something else, feel free to do so!
Jose may be another option, https://github.com/panva/jose
"jose
is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. The module is designed to work across various Web-interoperable runtimes including Node.js, browsers, Cloudflare Workers, Deno, Bun, and others."
I'm currently integrating jose
into a dev repository for remix-auth-totp
. However, I still need someone to test jose
on Cloudflare, as my experience with Cloudflare is practically non-existent. I haven't had the opportunity to get deeper or find a use case for it yet.
Could you please give it a try to jose
the same way you did with jsonwebtoken
@mw10013? If it works, could be a replacement for jsonwebtoken
.
All right @mw10013, could you try this implementation of jose
on a new development package called remix-auth-totp-dev
? Here's the package: remix-auth-totp-dev
Feel free to give it a try and let me know if it works as expected or if you encounter any new errors that we can address.
The tests passes successfully, although I will have to fix some minor incompatibilities with expiration periods, between strings and numbers, due to the new jose
implementation."
Thanks for turning this around so quickly!
I'm now able to get my non-functional skeletal sandbox to compile and load with tweak to remix.config.js.
serverNodeBuiltinsPolyfill: {
modules: { buffer: true, crypto: true },
globals: {
Buffer: true,
},
},
I'll be working on a functional version and will report back here.
With the remix-auth-totp-dev package, I'm getting a "Code is no longer active" error when I submit the code in a verify form.
As a sanity check, I forked https://github.com/dev-xo/totp-starter-example, created a branch named remix-auth-totp-dev
, and replaced the remix-auth-totp
package with remix-auth-totp-dev
. I get the same error, "Code is no longer active", when I submit it in the verify form. I also tried the case of clicking on the magic link in the email and get redirected to login.
For reference, the branch is https://github.com/mw10013/totp-starter-example/tree/remix-auth-totp-dev
Hello @mw10013.
Could you please give it another try with the updated remix-auth-totp-dev
@v1.3.3
?
I have recently made some changes that could potentially fix it.
Also, here's my Discord username (developerxo
) in case we can have a more direct conversation.
totp-starter-example
and my example program work with remix-auth-totp-dev
@ v1.3.3
. Thanks for the timely fixes!
Does that mean we have support for Cloudflare, @mw10013?
In that case, would you like to create a totp-starter-cloudflare
template based on the original totp-starter-example
? It could help some folks to get started with it easily. It will be included in the Examples section with your nickname.
Also, tomorrow I will publish these changes to the official remix-auth-totp
package.
Yes, I can confirm the basics work in Cloudflare local dev with wrangler/miniflare. Need to get further along in the example program I'm working on to cover more cases and then get it running in Cloudflare production. I would like the example program to help folks get started and will circle back with you for review and inclusion when it's further along.
All code has been moved to the main repository @mw10013. Feel free to try out the v1.4.0
Release and let me know if it works as expected!
Again, thank you for reporting this.
It would be great to see a remix-cloudflare-example
template from you!
Closing this for now, but we can keep the talk on here.
Cloudflare wrangler reports an error when an Authenticator uses TOTPStrategy. The error seems to be reported during load time so the authenticator does not execute.
https://github.com/mw10013/remix-auth-totp-sandbox demonstrates the error.
pnpm create remix@latest --template remix-run/remix/templates/cloudflare-page
node:process
"start": "wrangler pages dev ./public --compatibility-date=2023-12-13 --compatibility-flags=\"nodejs_compat\""