We still need to take care of:

Added a test for the password validation

phpstan

Now taking the ldap password into account

In D2566#30199, @machniak wrote:

On the other hand, maybe %dms format would be better for query time.

In D2494#30205, @machniak wrote:

To sum up the current state:

1. All tests pass!
2. Tokens refresh request is fast now, but /auth/login is still 0.3-0.4 sec. I didn't investigate how much of that is passport.

• phpstan
• Addressed slow token issuing by customizing the PassportServiceProvider

We're not the first to encounter the crypto slowness:

• https://github.com/thephpleague/oauth2-server/issues/812
• https://github.com/laravel/passport/pull/820/commits/30e175f3876a9838b5d5b4eafe2711221e958883

One culprit is certainly Crypto::decryptWithPassword, which takes ~150ms.

• The bulk of the request is spent in League\OAuth2\Server\AuthorizationServer::respondToAccessTokenRequest: 0.4621s out of 0.4741s total
  • League\OAuth2\Server\Grant\RefreshTokenGrant::respondToAccessTokenRequest: takes up ~300ms out of that
  • League\OAuth2\Server\ResponseTypes\BearerTokenResponse::generateHttpResponse: the remaining ~150ms

There clearly seems to be room for improvement from an overall request execution time of 0.3450s, with < 0.1s used by the sql queries.

From phpunit tests/Browser/Admin I now have only testUserInfo failing, because the user is somehow not imapReady (no idea why), but that seems unrelated.

• I also turned the expires_in comparison into a fuzzy comparison. Because of passport internals it's possible that some time has already passed and the expires_in response is off by a second.

• Lowered timeout
• Removed throttling on token route

Looks reasonable, thanks for the patch.

Ignore exceptions

Included in the passport diff

Included the sql logging patch

Implemented in guam 91f1f2e5c7b2fb2d5c32ac463f37cac3b1ff078d

Addressed comments

I can't reproduce the test failures on my workstation. I'll try running the test on a separate system, to see if I can reproduce there.

In D2494#29305, @machniak wrote:

1. See inline comments

Got most tests to pass

• Custom authentication hook for passport (so we can insert 2fa)
• Added 2fa to user verification
• Rely on second factor authentication in user model (instead of auth controller)
• Disabled unnecessary passport routes
• Fixed password-reset and signup to use the plain-text password for oauth

The same Groups/Distlist mix as the other diff, looks ok otherwise.

I thought we agreed on calling this Distlists instead of Groups (to leave "groups" as a more generic term for another feature), other than that this looks ok to me.

I ran into those with the pst import code.

Just the final fix, you can then ship it.

Correctly ignore the default migrations

Adjusted migrations (merged, foreign key constraint on user id pk, matching types)