xi / django-mfa3

multi factor authentication for django
MIT License

Required file cbor.js not included #10

Closed tobiasmboelz closed 2 years ago

tobiasmboelz commented 2 years ago

The required file cbor.js should either be included in the package or information on how to add it to a project should be added to the usage section of README.md.

xi commented 2 years ago

> or information on how to add it to a project

My current attempt is the sentence "The example frontend code also uses cbor-js" in the README. I understand that just linking to the npm page is too subtle a hint. I also now realize that you would not expect this information under the heading "related projects".

However, I still think the following guidelines apply:

Given all that, can you maybe make a proposal?

tobiasmboelz commented 2 years ago

I would have said that cbor.js is required because the included file fido2.js requires it to run. But if fido2.js is considered example code and you aren't supposed to use it in your projects, then cbor.js actually is not strictly necessary. But then I'd suggest that it should be made more clear that the JavaScript code is there as an example. So maybe change the sentence about the templates in the README's Usage section to something like this:

  1. The included templates as well as the fido2.js JavaScript file are just examples, so you should replace them with your own

Or maybe move the JavaScript to the auth_FIDO2.html and create_FIDO2.html templates altogether.

xi commented 2 years ago

You are right, this case is special because, while you should not use the templates, you may use fido2.js. Depending on your HTML code, you may want to replace it, but you have the option to use it as-is.

What do you think about this:

  1. FIDO2 requires client side code. You can either implement it yourself or use the included fido2.js (in which case you will have to provide the third party library cbor-js).

Or more direct:

  1. Run your setup's equivalent of npm install cbor-js to install the JavaScript dependency that is required for FIDO2.

Neither of these options is perfect yet. The issue really is that there is no standard way to install static files in django projects. (The other issue is that FIDO2 requires some encoding that is not natively available in the browser, see #1.)

But enough of me whining. I feel like we are getting closer. What do you think of these proposals?

tobiasmboelz commented 2 years ago

> 1. FIDO2 requires client side code. You can either implement it yourself or use the included fido2.js (in which case you will have to provide the third party library cbor-js).

I think this one is fine.

xi commented 2 years ago

Thanks for the quick feedback. That really made solving this issue a joy!