Refactored WebAuthn with Windows Hello support #37910

Merged
merged 57 commits into from
Jun 27, 2022
Conversation

nikosdion
Contributor

Summary of Changes

  • Refactored as a native Joomla 4 plugin, using a service provider and implementing SubscriberInterface
  • Removed the ugly Joomla helper class, replacing it with native code
  • Now using the (previously undocumented) WebAuthn library's WebAuth\Server object. This adds Windows Hello support without having to update to a new major version of the third party WebAuthn library
  • We no longer pass URLs as data arguments; we can figure them out using Joomla.getOptions
  • Fixed the breakage introduced in [4.1] webauthn table accessibility #37464

The PR replaces #37673 and #37675

Testing Instructions

Please remember to run npm ci after applying the PR — the JavaScript has changed.

Please remember to use HTTPS with a certificate trusted by your computer; WebAuthn doesn't work on plain HTTP.

Please use a relatively recent (2019 onwards) build of Chrome, Edge, Firefox etc.

Go to your user profile in the backend of the site.

Click on the ‘W3C Web Authentication (WebAuthn)’ tab.

On a Windows computer without any hardware authenticator attached click on Add New Authenticator.

Actual result BEFORE applying this Pull Request

The browser asks you to plug in an authenticator.

Expected result AFTER applying this Pull Request

You can enter your PIN / show your face / use a fingerprint scanner to register Windows Hello as an authenticator.

Further testing

Delete the authenticator and try adding it again in the user profile page in the frontend of the site. It should still work.

Make sure that in the frontend you can delete an authenticator you added in the backend.

Make sure that in the backend you can delete an authenticator you added in the frontend.

Please make sure you can add more than one authenticator. IMPORTANT! You cannot add the same authenticator twice (in the past you could; it was a bug that went unnoticed). You can only test this if you have more than one authenticator, e.g. Windows Hello, a FIDO or FIDO2 hardware authenticator, an Android phone and so on.

Please make sure that you can edit the name of the authenticator. This was broken in #37464 and was still broken at the time I made this PR.

Please make sure you can log into the front- and backend of the site.

Please test on as many platforms as you have: Android (works on Android 9 and later if you have a fingerprint scanner but only on Chrome as far as I know), iOS/iPadOS (both TouchID and FaceID), macOS (TouchID, if you have a MacBook Air/Pro or an iMac/Mac Studio with Apple Silicon and the Apple keyboard with a TouchID sensor) as well as various FIDO and FIDO2 authenticators. I have tested all of these and Linux EXCEPT for Android due to lack of hardware running Android (my Android phone's battery bloated, I had to decommission it before it spontaneously turned into an incendiary grenade). Edit: I now have a Samsung Galaxy A21 device for testing with face recognition and fingerprint scanner which I used to confirm it works with Android.

Translation strings

The following language strings were added:

  • PLG_SYSTEM_WEBAUTHN_ERR_XHR_INITCREATE
  • PLG_SYSTEM_WEBAUTHN_FIELD_ATTESTATION_SUPPORT_DESC
  • PLG_SYSTEM_WEBAUTHN_FIELD_ATTESTATION_SUPPORT_LABEL
  • PLG_SYSTEM_WEBAUTHN_LBL_DEFAULT_AUTHENTICATOR

The following language strings were changed:

  • PLG_SYSTEM_WEBAUTHN_LBL_DEFAULT_AUTHENTICATOR_LABEL

Documentation Changes Required

As of Joomla! DEPLOY_VERSION the WebAuthn plugin has attestation enabled by default. This means that only authenticators with publicly verifiable cryptographic signatures can be registered with WebAuthn starting with this version of Joomla.

The publicly verifiable certification authorities for authenticators are retrieved from the FIDO Alliance site, namely the URL https://mds.fidoalliance.org/.

This default setting will prevent some cheaper authenticators which are not FIDO-certified from being used with WebAuthn. Moreover, some sites may be unable to download and/or cache the root certificates from FIDO Alliance, or it might take so long that the plugin aborts the operation to prevent your site from timing out. If you encounter any problems with registering authenticators with WebAuthn please edit the plugin settings and disable the Attestation Support option.

The Attestation Support feature requires the following prerequisites to work:

  1. Your site must be able to access the URL https://mds.fidoalliance.org/ directly.
  2. Your cache folder (administrator/cache) must be writeable by PHP.
  3. The system temporary directory must be writeable by PHP.
  4. The OpenSSL extension must be installed and enabled on your site — this is a requirement for WebAuthn as a whole.

If these prerequisites are not met the WebAuthn plugin will proceed without verifying the cryptographic signatures of the authenticators against the publicly verifiable certification authorities published by the FIDO Alliance. This is still secure — in fact far more secure than using a password and Two Factor Authentication. The only downside is that you may experience a short delay, up to 5 seconds, once a month when the plugin attempts to download the root certification authority information from the FIDO Alliance.

If your site meets all of the prerequisites except the first one you may download the information from https://mds.fidoalliance.org/ and place them in the file administrator/cache/fido.jwt. In this case the WebAuthn plugin can operate with attestation support. This is very useful if your site is behind a firewall or disconnected from the Internet (e.g. on a high security intranet handling sensitive material). You need to remember to update this file once every month to avoid any problems.

Enabling the Attestation Support feature also allows Joomla to identify the maker and model of most FIDO2 certified authenticators. If you register an authenticator after enabling this option you will see an icon of the maker's logo next to the Authenticator Name when viewing the list of authenticators. Furthermore, registering a new authenticator will have a more user-friendly default name, e.g. “Yubikey 5Ci added on 28 April 2022, 18:00” instead of “Authenticator added on 28 April 2022, 18:00”.

If you disable the Attestation Support option the logo and the authenticator type will be hidden.

Finally, do note that authenticators added with previous versions of Joomla, or while the Attestation Support feature is disabled, or while the Attestation Support feature is enabled but its prerequisites are not met, will always be displayed as “Generic Authenticator”, as the necessary information to determine the make and model of the authenticator will not have been relayed to Joomla when you registered your authenticator.
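An added example (not code from this PR or from Joomla) for operators running the offline fallback described above: it decodes the header and payload of a cached MDS blob such as administrator/cache/fido.jwt and reports its nextUpdate date, so the monthly refresh can be scheduled or alerted on rather than guessed. The field names (`no`, `nextUpdate`, `entries`, `metadataStatement`, `x5c`) are assumed from the FIDO MDS3 blob format; the sample blob is constructed and unsigned, and signature verification against the FIDO root is left to the WebAuthn library, not done here.

```python
import base64
import json
from datetime import date

def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_mds_blob(jwt: str) -> dict:
    """Split the MDS JWT into decoded header and payload. The signature is not
    checked here; the WebAuthn library verifies it against the FIDO root."""
    header_b64, payload_b64, _signature = jwt.strip().split(".")
    return {"header": json.loads(_b64url_decode(header_b64)),
            "payload": json.loads(_b64url_decode(payload_b64))}

def mds_status(jwt: str, today_iso: str) -> dict:
    """Report whether the cached blob is past its nextUpdate date."""
    blob = parse_mds_blob(jwt)
    payload = blob["payload"]
    next_update = date.fromisoformat(payload["nextUpdate"])
    entries = payload.get("entries", [])
    return {
        "has_cert_chain": "x5c" in blob["header"],  # signer chain in the JWS header
        "serial": payload.get("no"),                # blob serial number
        "next_update": next_update.isoformat(),
        "stale": date.fromisoformat(today_iso) > next_update,
        "entry_count": len(entries),
        "descriptions": [e["metadataStatement"]["description"]
                         for e in entries if "metadataStatement" in e],
    }

# Constructed, unsigned sample blob (NOT a real MDS download).
SAMPLE_PAYLOAD = {
    "no": 42, "nextUpdate": "2022-05-28",
    "entries": [
        {"aaguid": "00000000-0000-0000-0000-000000000001",
         "metadataStatement": {"description": "Example FIDO2 Key (constructed)"}},
        {"aaguid": "00000000-0000-0000-0000-000000000002",
         "metadataStatement": {"description": "Example Platform Authenticator (constructed)"}},
    ],
}
SAMPLE_JWT = ".".join([
    _b64url_encode(json.dumps({"alg": "ES256", "x5c": ["PLACEHOLDER-CERT"]}).encode()),
    _b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    _b64url_encode(b"unsigned-placeholder"),
])
```

Against a real download, call `mds_status(open("administrator/cache/fido.jwt").read(), date.today().isoformat())` and alert when `stale` is true.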

Labels

  • Composer Dependency Changed
  • Language Change
  • This is for Translators
  • NPM Resource Changed
  • This Pull Request can't be tested by Patchtester
  • Unit/System Tests