Two factor authentication needs to be implemented #20590
Comments
Duplicate of #9655.
Didn't peppy open this issue xD
Will keep this one open as metadata is more up-to-date.
I've looked into this a little, and there's one thing concerning me, mainly that the password grant we're using for auth on osu-web side appears to be disallowed/deprecated in the most recent versions of oauth. With that in mind I have a few questions:
I discussed this with @nanaya in recent times, and his opinion was that we should be using a standard oauth flow. A lot of other apps seem to do that these days (requiring visiting a browser to login) but I'm not sure that's the UX we want to go for. Either way, I think @nanaya would be able to give you better answers here than I can. In terms of UX:
There's also consideration of ppy/osu-web#5163, which I think would also have an in-game entry for the code to keep the UX in line with expectations. Not sure if that should come first (probably not since we just want to get things working first).
I agree that we should first aim for stable parity (login -> type in code in osu-web, that is), so that's what I'm gonna focus on now, before doing full-on TOTP auth for ppy/osu-web#5163. That said, I might have worded myself poorly in regards to "login flow". I meant to ask specifically about the endpoints that lazer uses to authenticate. If we want to keep the current login UX as is, would it be okay for me to implement a separate login endpoint for lazer in osu-web that's not using oauth, if implementing 2FA with password grant turns out to be too much of a pain? Speaking of using a standard oauth flow, I think we're probably fine with not using it, since we're effectively the only consumer of the lazer oauth client, since everybody else who's integrating with the API is already using other flows that do auth via browser anyway.
I think that sounds fine, see how it goes. We'll probably want to be securing the lazer auth endpoint with extra checks in the future, so this may be the better path.
As an update, osu-web pieces are now in place for this. I hope to revisit this week to implement the API part at our end.
Moving out of project. This will happen early next year.
Is currently skipped in lazer. This was fine back when lazer was read-only, but should be considered a priority now that things have evolved. Was kind of forgotten about.
Discussed in #20589
Originally posted by htmlpaws October 6, 2022
Hello there!
I recently got a new laptop, and after logging in, I realized there is currently no account verification feature like there is on osu!stable. I feel it should be added because without it, random people are able to log into an account that might not be theirs and engage in social functions (chat, score upload, etc.) without any proof it's actually said user, which can be used to target users.
I think additionally in the future there should be a built-in GUI for the code which could allow for input to be easier on mobile, for example, where sometimes opening another app can fully close out the game, along with not having to open a popup browser, which is annoying in general. Another security thing that I wanna put in as an idea is support for 2FA apps, as having to use email can be kinda annoying if you get the code lost in a pile of emails or shoved in a random folder.
Thanks again,
@htmlpaws (Ethacc on osu.)
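The thread above mentions two code-based second factors: the email verification code that lazer will initially mirror from stable, and authenticator-app (TOTP) support as requested here and tracked in ppy/osu-web#5163. The following is an added illustration, not code from osu-web or osu! lazer, of what the server-side TOTP check (RFC 6238 over RFC 4226 HOTP) looks like once an authenticator app is in play. It assumes the common app defaults (SHA-1, 30-second step, 6 digits), a tolerance window of one step either side for clock skew, and keeps the last accepted time step in memory so an intercepted code cannot be replayed; the secret and timestamps used are the RFC 6238 test vectors, constructed here for the example.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumption: default authenticator-app time step
DIGITS = 6          # assumption: default authenticator-app code length


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as unpadded base32."""
    padded = encoded.strip().upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


class TotpVerifier:
    """Per-user verifier: skew window plus replay protection on accepted steps."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        # Highest time step already consumed by a successful login; -1 = none yet.
        # In a real deployment this would be persisted next to the user's secret.
        self.last_accepted_step = -1

    def verify(self, submitted: str, now: int) -> bool:
        code = submitted.strip()
        if len(code) != DIGITS or not code.isdigit():
            return False  # reject before touching the secret; also keeps compare_digest happy
        current = int(now) // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # never accept a step at or before one already used (replay)
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference secret.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    verifier = TotpVerifier(secret)
    print(totp(secret, 59))                    # code for the step containing T=59
    print(verifier.verify(totp(secret, 59), 59))   # first use: accepted
    print(verifier.verify(totp(secret, 59), 59))   # same code again: rejected
```

The window loop is what makes a code typed a few seconds late still work, and the `last_accepted_step` check is what stops that same leniency from turning into a replay vector; the `compare_digest` call avoids leaking how many leading digits matched through timing.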