Comments (7)
Earlier, Mike wrote:
I think I prefer option 1, wherein
OTPCredential
is an empty subclass ofCredential
, and the credential's identifier is the OTP code. An emptyid
feels strange. (That said, I grant that accessing anid
attribute to get the code you want is also strange. :) )
I think the weirdness of possibly teaching folks to think of a “one-time code” as an “id” of some kind is a mistake. Imagine how confusing some of the resulting conversations could be.
I think I would prefer OTPCredential
to be a nearly-empty subclass of Credential
, with tacks on a String code
property. The ergonomics and cognitive dissonance in the API is greatly reduced by this. If we did this, presumably the id
of such an OTPCredential
would be undefined
.
from web-otp.
I think I prefer option 1, wherein OTPCredential
is an empty subclass of Credential
, and the credential's identifier is the OTP code. An empty id
feels strange. (That said, I grant that accessing an id
attribute to get the code you want is also strange. :) )
If you wish to provide other identifiers to a developer, you're hopping right out of the realm of OTP and into a broader set of questions and challenges. I'd suggest that keeping this API conceptually scoped to OTP is going to be both simpler to understand for developers, and simpler to reason about for privacy and security reviewers. :)
I'm curious about the value of informing the developer about the transport over which the OTP was delivered. Won't they know how they went about sending the value to the user? Is there additional benefit to encoding that in the OTPCredential
object as well?
from web-otp.
I'm curious about the value of informing the developer about the transport over which the OTP was delivered. Won't they know how they went about sending the value to the user?
I was thinking that, in the future, we want to allow this API to allow multiple transports to be used at once (e.g. "fetch an OTP via either of these transport mechanisms"), and return just one (e.g. via email), so that the client can know where it came from. Something along the lines of:
let {otp, transport} = navigator.credentials.get({otp: {transport: ["sms", "email"]}});
// transport == "email"
WDYT?
Is there additional benefit to encoding that in the OTPCredential object as well?
I was thinking feature detection. Can you help me understand how else it could be done otherwise?
if (window.OTPCredential) {
// ah, i can call navigator.credentials.get({otp: ...})
} else {
// ah, nevermind, i can't.
}
from web-otp.
I was thinking that, in the future, we want to allow this API to allow multiple transports to be used at once (e.g. "fetch an OTP via either of these transport mechanisms"), and return just one (e.g. via email), so that the client can know where it came from
Why does knowing where it came from matter? This might be obvious, but I'm missing it. :) If I send an OTP to you via 18 mechanisms, and you return whichever of those shows up first to me correctly, do I need to know which one you're giving me? It seems like the developer only cares that the OTP showed up, not that it showed up via mechanism 17 vs 13.
let {otp, transport} = navigator.credentials.get({otp: {transport: ["sms", "email"]}});
For this destructuring usage, otp
makes more sense than id
. But I still don't think an empty ID makes sense. Perhaps we can have both, and simply alias one to the other?
I was thinking feature detection. Can you help me understand how else it could be done otherwise?
I think we're talking past each other. :) I absolutely think you want to have an OTPCredential
interface. As you note (and as the spec notes in https://w3c.github.io/webappsec-credential-management/#implementation-authors), checking for the presence of that interface is a great way to feature-detect capabiilty.
I was questioning the value of the transport
member on OTPCredential
, as discussed briefly above.
from web-otp.
Hey, Ricky, thanks for the feedback.
I think the weirdness of possibly teaching folks to think of a “one-time code” as an “id” of some kind is a mistake. Imagine how confusing some of the resulting conversations could be.
I imagine most conversations would go something like this:
A: Hey, B. Do you know what I need to do to verify a user via SMS?
B: Yeah, copy/paste this snippet from StackOverflow.
A: Thanks! I'll do that! Hooray!
:)
I think I would prefer OTPCredential to be a nearly-empty subclass of Credential, with tacks on a String code property.
If I'm the only one who thinks that reusing id
is sane, so be it. It feels pretty reasonable to me to consider the code delivered from the server as an identifier, but if y'all would prefer to call it a "code" instead, I'm totally fine with something like:
interface OTPCredential : Credential {
readonly attribute DOMString code;
}
In this case, leaving id
as undefined
is probably reasonable (though I'd reiterate my claim from earlier that I'm not terribly excited about potentially filling the id
with some other user identifier in the future).
from web-otp.
That works for me too and I think was along the same lines others have suggested when I brought this up outside of this thread.
I'm going to mark this as closed and resolve with the resolution to make OTPCredential use a string code
and leave id
undefined.
interface OTPCredential : Credential {
readonly attribute DOMString code;
}
I'll move the transport
discussion here, and leave this issue to discuss specifically between id
vs code
to contain the OTP value.
from web-otp.
Just FYI, but tracking implementation on chrome here.
from web-otp.
Related Issues (20)
- Typos and other editorial issues
- Ordering of transports in OTPCredentialRequestOptions not clear
- Editorial: [[DiscoverFromExternalSource]] uses same |options| name for two different variables
- Requirements for OTPCredentialRequestOptions.transport are incompatible with WebIDL HOT 2
- security checks in [[DiscoverFromExternalSource]] don't match those described in the security section
- Explanation for not using "trustworthy urls" is confusing
- Inaccuracies in framing of "comparable APIs" in explainer
- The specification draft link in the README is a dead link
- Repo got renamed HOT 2
- Repo is fork
- Why stop working if I add sender to my contacts? HOT 1
- Email OTP HOT 2
- Support WebOTP in cross-origin iframe
- Supported browser for WebOTP
- Support for web push notification as a transport mechanism
- web opt API not working in react.js HOT 1
- Software-based OTP Applications
- Add AbortSignal's abort reason to WebOTP
- Message access pop-up appears even after aborting. HOT 2
- Broken references in WebOTP API
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from web-otp.