PyPI security work: multifactor auth progress & help needed

Summary: In June, to use different people’s time well, we parallelized our work a bit. The multifactor auth task within Milestone 1, Security Feature Development is getting a lot closer to done – we shipped the beta of WebAuthn support and are actively seeking out test subjects and fixing bugs based on their input – but we also started work on API keys and on accessibility.

2FA: Users can now use U2F keys to better secure their accounts! Yay WebAuthn! As the beta proceeds (and thanks to @nlhkabu for the beta badge and FAQ), we’ve been fixing issues: the funded contractors @nlhkabu and @woodruffw, as well as @EWDurbin at the PSF, with review help from @dustin and @dstufft, so thanks to them and to the folks who filed issues! Some 2FA improvements from the past month:

Testing: @nlhkabu and I have been seeking out users from a variety of backgrounds during the beta. I’ve been asking package maintainers to test the beta and file issues. She’s started a fresh round of user tests with more novice Python users to validate our current 2FA design, and has started collating responses to turn into GitHub issues.

Accessibility: Also last month, @woodruffw audited Warehouse’s accessibility. We’re actually a lot more solid there than I worried we’d be! A lot of credit there is due to @nlhkabu, who committed our current accessibility guidelines for developers three years ago yesterday. But we still found things to fix, and started to address them through both research and implementation (annotating the search form correctly, increasing link visibility, fixing a tabindex).

API keys: We had a chat to make some design decisions on scoped API keys, and Will’s made substantial progress on a work-in-progress PR (not ready for review yet). To quote Will’s summary:

We’re going to work with macaroons from the very beginning, and not go with dumb API keys as I proposed above…

In order to minimize the amount of time spent on implementation, I intend to deliver a [proof of concept] version without constraints or a caveat language. This deliverable will meet the requirements of the [Statement of Work] (allowing users to replace their username/password with a single token for upload only), and will serve as the foundation for future iterations. Upload-only enforcement will be handled by route whitelisting and a version identifier within the macaroon, preventing future iterations from inadvertently creating “god” tokens.
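To make the quoted design concrete, here is an added example (mine, not Warehouse's code) of a minimal macaroon-style token whose HMAC chain includes a version caveat and whose verifier honours it only on a whitelisted upload route; the route name, version string and root key are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

# Assumptions for this example (not Warehouse's real values): the token
# version string and the single route name an upload-only token may hit.
TOKEN_VERSION = "v1"
UPLOAD_ROUTES = {"forklift.legacy.file_upload"}  # hypothetical route name


def _chain(key: bytes, msg: str) -> bytes:
    """One link of the macaroon HMAC chain: sig_n = HMAC(sig_n-1, caveat_n)."""
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


@dataclass(frozen=True)
class Macaroon:
    identifier: str       # public id, e.g. an opaque key id looked up server-side
    caveats: List[str]    # first-party caveats, each folded into the signature
    signature: bytes


def mint(root_key: bytes, identifier: str) -> Macaroon:
    """Issue an upload-only token; the version caveat is baked in at minting."""
    caveats = [f"version = {TOKEN_VERSION}"]
    sig = _chain(root_key, identifier)
    for caveat in caveats:
        sig = _chain(sig, caveat)
    return Macaroon(identifier, caveats, sig)


def verify(root_key: bytes, m: Macaroon, route_name: str) -> bool:
    """Accept only if the chain is intact, the token carries the known version
    caveat, and the request targets a whitelisted upload route."""
    sig = _chain(root_key, m.identifier)
    for caveat in m.caveats:
        sig = _chain(sig, caveat)
    if not hmac.compare_digest(sig, m.signature):
        return False  # caveats altered or stripped, or wrong root key
    if f"version = {TOKEN_VERSION}" not in m.caveats:
        return False  # unknown or absent version: never treated as a "god" token
    return route_name in UPLOAD_ROUTES


if __name__ == "__main__":
    key = b"constructed-demo-root-key"  # constructed; a real root key is a random secret
    token = mint(key, "key-id-0001")
    print(verify(key, token, "forklift.legacy.file_upload"))  # True
    print(verify(key, token, "manage.projects"))              # False: route not whitelisted
    stripped = Macaroon(token.identifier, [], token.signature)
    print(verify(key, stripped, "forklift.legacy.file_upload"))  # False: chain broken
```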

And, as project manager, I led a planning meeting, coordinated volunteers and contractors for testing, code contribution, security design review and code review, reached out to external communities for further testing, planned issues and milestones for upcoming grant-funded work, reviewed pull requests, triaged feature requests that are out of scope, and added documentation.

Thanks to volunteers ppiyakk2, @trishankatdatadog, robindboer, @yeraydiazdiaz, @alex_Gaynor, minho42, @dustin, and @dstufft in particular for writing & reviewing Warehouse code in the past few weeks! (Including fixes to email validation, window scrolling, the 2FA token form field, and Docker image cleaning.)

Next: In July we aim to finish this round of user tests, fix resulting bugs, and declare WebAuthn support out of beta, and thus complete the MFA task within Milestone 1. We also aim in July to make further progress on accessibility, and on API keys, but I don’t know whether either of those will be complete in July.

Please help us out:

Sorry that this was for a month rather than a fortnight; next summary update will be in more like 2 weeks.

Thanks to Open Tech Fund for their support for the PyPI & Warehouse work!