Skip to content

docs(auth): clarify login chain sequencing and security ordering requirements#58789

Open
joshtrichards wants to merge 3 commits intomasterfrom
jtr/docs-auth-login-chain
Open

docs(auth): clarify login chain sequencing and security ordering requirements#58789
joshtrichards wants to merge 3 commits intomasterfrom
jtr/docs-auth-login-chain

Conversation

@joshtrichards
Copy link
Member

@joshtrichards joshtrichards commented Mar 8, 2026

  • Resolves: #

Summary

  • Refines Chain documentation to better describe its role in interactive authentication.
  • Documents phase-based sequencing in process() for readability and reviewability.
  • Clarifies command behavior (shared mutable LoginData, possible early return).
  • Adds concise inline notes for critical ordering constraints:
    • Flow v2 ephemeral session handling before standard token creation.
    • 2FA before remembered-login finalization.
  • No functional behavior changes; documentation/readability only.

TODO

Checklist

AI (if applicable)

  • The content of this PR was partly or fully generated using AI

@joshtrichards
docs(auth): clarify login chain sequencing and security ordering reqs
9cbdf62 
Signed-off-by: Josh <josh.t.richards@gmail.com>
@joshtrichards joshtrichards added this to the Nextcloud 34 milestone Mar 8, 2026
@joshtrichards
docs(auth): clarify WebAuthn login chain sequencing and security ord…
3dd0b36 
…ering reqs

Signed-off-by: Josh <josh.t.richards@gmail.com>
@joshtrichards
chore(WebAuthnChain.php): make php-cs happy
674bf10 
Signed-off-by: Josh <josh.t.richards@gmail.com>
@joshtrichards joshtrichards marked this pull request as ready for review March 8, 2026 16:55
@joshtrichards joshtrichards requested a review from a team as a code owner March 8, 2026 16:55
@joshtrichards joshtrichards requested review from CarlSchwan, come-nc, leftybournes and salmart-dev and removed request for a team March 8, 2026 16:55
artonge
artonge reviewed Mar 9, 2026
View reviewed changes
lib/private/Authentication/Login/Chain.php
namespace OC\Authentication\Login;

/**
* Orchestrates the login command chain in a security-sensitive order for interactive authentication.
Copy link
Contributor

@artonge artonge Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

interactive authentication.

What does it mean?

lib/private/Authentication/Login/Chain.php
->setNext($this->completeLoginCommand)
->setNext($this->flowV2EphemeralSessionsCommand)

// Phase 3: session strategy and token materialization
Copy link
Contributor

@artonge artonge Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

token materialization

What does it mean? Token creation?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@artonge artonge artonge left review comments

@come-nc come-nc come-nc approved these changes

@salmart-dev salmart-dev Awaiting requested review from salmart-dev salmart-dev is a code owner automatically assigned from nextcloud/server-backend

@leftybournes leftybournes Awaiting requested review from leftybournes leftybournes is a code owner automatically assigned from nextcloud/server-backend

@CarlSchwan CarlSchwan Awaiting requested review from CarlSchwan CarlSchwan is a code owner automatically assigned from nextcloud/server-backend

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

3. to review Waiting for reviews feature: authentication

Projects

None yet

Milestone

Nextcloud 34

Development

Successfully merging this pull request may close these issues.

3 participants

@joshtrichards @artonge @come-nc