[Koha-bugs] [Bug 39601] Add passkey support to Koha as an authentication mechanism

Mon, 12 Jan 2026 10:18:32 -0800 

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39601

Katrin Fischer <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |Failed QA

--- Comment #16 from Katrin Fischer <[email protected]> ---
Good news first: the tests are passing now!

1) Failing QA tests:

Result:
[FAIL] Koha/Auth/WebAuthn.pm
   FAIL   forbidden_patterns
                forbidden pattern: Use https:// instead of http:// for URLs
(line 17)
   FAIL   pod_coverage
                sub generate_challenge has no pod coverage.
                sub new has no pod coverage.
                sub verify_assertion has no pod coverage.
                sub verify_registration has no pod coverage.
[PASS] Koha/REST/V1/Auth.pm
[FAIL] Koha/REST/V1/Webauthn.pm
   FAIL   forbidden_patterns
                forbidden pattern: Use https:// instead of http:// for URLs
(line 16)
                forbidden pattern: Use of DateTime->now should certainly be
replaced with dt_from_string (bug 24840) (line 257)
                forbidden pattern: Use of DateTime->now should certainly be
replaced with dt_from_string (bug 24840) (line 378)
   FAIL   pod_coverage
                sub authenticate has no pod coverage.
                sub authenticate_challenge has no pod coverage.
                sub register has no pod coverage.
                sub register_challenge has no pod coverage.
   FAIL   tidiness
                File is not tidy, please run `perl misc/devel/tidy.pl
Koha/REST/V1/Webauthn.pm`
[PASS] Koha/Schema/Result/Borrower.pm
[FAIL] Koha/Schema/Result/WebauthnCredential.pm
   FAIL   forbidden_patterns
                forbidden pattern: The current_timestamp syntax has not been
generated correctly (see bug 25040) (line 108)
   SKIP   pod_coverage
                No POD exists
[SKIP] Koha/WebauthnCredential.pm
   SKIP   pod_coverage
                No POD exists
[FAIL] Koha/WebauthnCredentials.pm
   FAIL   pod_coverage
                sub 'object_class' has no pod coverage.
[PASS] api/v1/swagger/paths/webauthn.yaml
[PASS] api/v1/swagger/swagger.yaml
[FAIL] installer/data/mysql/atomicupdate/bug_39601_add_passkey_support.pl
   FAIL   file_permissions
                File must have the exec flag
[FAIL] koha-tmpl/intranet-tmpl/prog/en/includes/auth-webauthn.inc
   FAIL   valid_template
                : filter not found
[FAIL] koha-tmpl/intranet-tmpl/prog/en/includes/members-toolbar.inc
   FAIL   tidiness
                File is not tidy, please run `perl misc/devel/tidy.pl
koha-tmpl/intranet-tmpl/prog/en/includes/members-toolbar.inc`
   FAIL   valid_template
                : filter not found
[FAIL] koha-tmpl/intranet-tmpl/prog/en/includes/passkey-register.inc
   FAIL   tidiness
                File is not tidy, please run `perl misc/devel/tidy.pl
koha-tmpl/intranet-tmpl/prog/en/includes/passkey-register.inc`
   FAIL   valid_template
                : filter not found
[PASS] koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
[FAIL] koha-tmpl/intranet-tmpl/prog/js/passkey-register.js
   FAIL   tidiness
                File is not tidy, please run `perl misc/devel/tidy.pl
koha-tmpl/intranet-tmpl/prog/js/passkey-register.js`
[FAIL] koha-tmpl/intranet-tmpl/prog/js/webauthn-login.js
   FAIL   tidiness
                File is not tidy, please run `perl misc/devel/tidy.pl
koha-tmpl/intranet-tmpl/prog/js/webauthn-login.js`
[PASS] members/moremember.pl
[FAIL] t/db_dependent/Koha/WebauthnCredentials.t
   FAIL   file_permissions
                File must have the exec flag
   FAIL   test_no_warnings
                'use Test::NoWarnings' must be present in this test file.
[FAIL] t/db_dependent/api/v1/webauthn.t
   FAIL   file_permissions
                File must have the exec flag
   FAIL   forbidden_patterns
                forbidden pattern: Use https:// instead of http:// for URLs
(line 73)

2) Code review

a) Spelling

We have: 
More > Register Passkey
Create passkey (button)

Probably should be: Register passkey

b) Translatability

Leading spaces usually get lost, better to add this to the i element if
possible:

+        <i class="fa fa-key"></i>
+        <span class="d-none d-sm-inline"> Passkey</span>

c) Using text in JS

+    var userid = usernameText ? usernameText.replace('Username:', '').trim() :
null;

I am wondering about this line: Where is "Username:" coming from and could this
be a translatable strong, so changing?

3) Testing

I should admit that I haven't used passkeys so far, so this is a first and I am
still trying to figure out how this works.

a) Ubuntu, Firefox

When I click on "Register Passkey" I see a note at the top of the browser:
Touch your security key to continue with localhost. 
Don't have a security key to touch here, so got stuck at this step. 
Returning to Koha I gott a non-descriptive error message after hitting the
button: Registration error: {msg}

Maybe related to a timeout?

b) Ubuntu, Chromium

When I click on "Register Passkey" I see a poo-up with a QR code displayed.
I tried to scan it with Google Authenticator, but the app keeps dying.
It will also display the non-descriptive error message: Registration error:
{msg}

4) Questions

a) Is there a way to continue testing here without any hardware? (Yubikey or
similar?)
b) For the test plan, can you explain this step a bit more?
   Call authenticate_challenge for a patron without credentials and verify a
404 response.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

Reply via email to