Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: passkey login not working anymore #32623

Merged
merged 19 commits into from
Nov 26, 2024
Merged

Fix: passkey login not working anymore #32623

merged 19 commits into from
Nov 26, 2024

Conversation

hiifong
Copy link
Member

@hiifong hiifong commented Nov 23, 2024
edited by wxiaoguang
Loading

Quick fix #32595, use authenticator auth flags to login

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 23, 2024
@pull-request-size pull-request-size bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Nov 23, 2024
@hiifong hiifong changed the title Fix #32595 Fix: passkey login not working anymore Nov 23, 2024
@hiifong hiifong marked this pull request as draft November 23, 2024 15:18
@github-actions github-actions bot added modifies/go Pull requests that update Go code and removed modifies/dependencies labels Nov 23, 2024
@hiifong hiifong marked this pull request as ready for review November 23, 2024 16:38
@james-d-elliott
Copy link

james-d-elliott commented Nov 23, 2024
edited
Loading

Yes, you will need to store the flags. This will break for everyone who doesn't have backup eligible authenticators.

See here for more info: https://www.w3.org/TR/webauthn-3/#sctn-credential-backup

@hiifong hiifong marked this pull request as draft November 24, 2024 02:52
@pull-request-size pull-request-size bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 24, 2024
@hiifong hiifong marked this pull request as ready for review November 24, 2024 05:00
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Nov 24, 2024
@james-d-elliott
Copy link

james-d-elliott commented Nov 24, 2024
edited
Loading

Looking at the way you're using this we can probably simplify this with tooling from the go-webauthn side, the binary value of the flags is already available so you don't need to convert it, but we can add a convenience method to derive the flags when reconstructing the credential. Let me know if this is preferable?

@wxiaoguang
Copy link
Contributor

we can probably simplify this with tooling from the go-webauthn side, the binary value of the flags is already available so you don't need to convert it, but we can add a convenience method to derive the flags when reconstructing the credential. Let me know if this is preferable?

If there could be a simple and compatible (backward&forward) solution, it definitely helps a lot. Indeed as a library downstream, I think the fewer details the downstream knows, the more robust the system is. Thank you very much!

@james-d-elliott
Copy link

james-d-elliott commented Nov 25, 2024
edited
Loading

Inspect the change in go-webauthn/webauthn#337 and see what you think. I still need to update the docs and will do that time permitting. It's worthwhile to note that I plan on releasing soon but have one other fix I'd like to merge first. It adds an additional field which you should just backup Flags.Raw which can restore the whole of the Flags field with webauthn.NewCredentialFlags()

Also it's worth noting I personally recommend storing the credential attestation (field named Attestation), using json encoding to a TEXT/BYTEA column. I personally also encrypt it in all of my implementations as well as the pub key to avoid database tampering, but depends on your tooling if this is practical.

You don't need to restore it each time, but it will allow you to validate the attestation at a later date if you decide to leverage metadata. I can also provide some fairly decent recommendations on how to handle this, though you can also expect that the recommendations will make their way into the library as well.

@wxiaoguang wxiaoguang mentioned this pull request Nov 25, 2024
Closed
@james-d-elliott
Copy link

Hmm, get it from protocol.ParseCredentialRequestResponse => parsedResponse.Response.AuthenticatorData.Flags, is it right?

That's correct.

@pull-request-size pull-request-size bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 26, 2024
@wxiaoguang
Copy link
Contributor

wxiaoguang commented Nov 26, 2024
edited
Loading

Thank you for your help, finally I think I somewhat could understand the details now.

Now we have 2 commits:

  • c5a32f4 revert unnecessary changes and make some necessary preparations, not that important
  • 5eeac46 !!the key change!! use the default authenticator flags when login, also added some comments there

I think we could resolve the problem now (the same behavior as webauthn 0.10), and leave the database migration to another PR (or if it doesn't really cause security problem, maybe we could just keep using the authenticator auth flags without really storing them?)

@wxiaoguang wxiaoguang assigned wxiaoguang and unassigned wxiaoguang Nov 26, 2024
@wxiaoguang wxiaoguang marked this pull request as ready for review November 26, 2024 01:21
@wxiaoguang wxiaoguang mentioned this pull request Nov 26, 2024
Merged
@hiifong
Copy link
Member Author

hiifong commented Nov 26, 2024
edited
Loading

@wxiaoguang Still can't use passkey to login to Gitea.

Screen-2024-11-26-214951.mp4

image

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Nov 26, 2024
@wxiaoguang
Copy link
Contributor

Confirmed that 555577e "fixes" the problem.

@wxiaoguang wxiaoguang enabled auto-merge (squash) November 26, 2024 15:09
@wxiaoguang wxiaoguang added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Nov 26, 2024
@wxiaoguang wxiaoguang merged commit 87bb5ed into go-gitea:main Nov 26, 2024
26 checks passed
@GiteaBot GiteaBot added this to the 1.24.0 milestone Nov 26, 2024
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Nov 26, 2024
@hiifong hiifong deleted the passkey branch November 26, 2024 16:12
zjjhot added a commit to zjjhot/gitea that referenced this pull request Nov 27, 2024
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
71463b8 
* giteaofficial/main:
  Introduce OrgList and add LoadTeams, optimaze Load teams for orgs (go-gitea#32543)
  Refactor markup render system (go-gitea#32645)
  Fix: passkey login not working anymore (go-gitea#32623)
  Refactor some frontend problems (go-gitea#32646)
  Bypass vitest bug (go-gitea#32647)
  Fix race condition in mermaid observer (go-gitea#32599)
  Improve oauth2 scope token handling (go-gitea#32633)
  Fixed Issue of Review Menu Shown Behind (go-gitea#32631)
  Add github compatible tarball download API endpoints (go-gitea#32572)
  Fix markup render regression and fix some tests (go-gitea#32640)
  Fix sqlite3 test (go-gitea#32622)
  Strict pagination check (go-gitea#32548)
@lunny lunny modified the milestones: 1.24.0, 1.23.0 Nov 27, 2024
@DorianCoding
Copy link

DorianCoding commented Jan 12, 2025
edited
Loading

On version 1.23.1, Bitwarden does not detect the passkey on first login page but does after logging succesfully as 2FA. Maybe some connection is broken between the two. The website runs on https://

No passkey found when "logging with passkey":
infos
However it works after login as 2FA
key

Thanks.

@wxiaoguang
Copy link
Contributor

On version 1.23.1, Bitwarden does not detect the passkey on first login page but does after logging succesfully as 2FA. Maybe some connection is broken between the two. The website runs on https://

No passkey found when "logging with passkey":
However it works after login as 2FA
Thanks.

The initial passkey support was add by " Add Passkey login support #31504 " (I haven't carefully looked into the details), @anbraten do you have some ideas?

@DorianCoding
Copy link

DorianCoding commented Jan 12, 2025
edited
Loading

On version 1.23.1, Bitwarden does not detect the passkey on first login page but does after logging succesfully as 2FA. Maybe some connection is broken between the two. The website runs on https://
No passkey found when "logging with passkey":
However it works after login as 2FA
Thanks.

The initial passkey support was add by " Add Passkey login support #31504 " (I haven't carefully looked into the details), @anbraten do you have some ideas?

Thanks for your quick answer.

The difference is on logging:

{"publicKey":{"challenge":"4KXVvpzyv7f98AIIWAyYDD6g9M0sBfxpz9Yo5bUDY9c","timeout":120000,"rpId":"xxxxxxx","userVerification":"discouraged"}}

And on 2FA

{"publicKey":{"challenge":"IxjvbxQipwKAIimB-ZRNrUz-iGDNWrK1zDSUSSm__RA","timeout":120000,"rpId":"xxxxxx","allowCredentials":[{"type":"public-key","id":"K2cxLFxKS8ONfdJP5ePZnQ"}],"userVerification":"discouraged"}}

Probably one solution would be to put userVerification to "preferred", at least for one sign-in (which is safer btw). It seems also it might cause some password managers to hide some keys.

NB: changing the code did not work. However removing old passkey and putting new one with "preferred" works so maybe there was a glitch or preferred is needed...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wxiaoguang wxiaoguang wxiaoguang approved these changes

@lafriks lafriks lafriks approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/frontend modifies/go Pull requests that update Go code modifies/migrations size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
1.23.0
Development

Successfully merging this pull request may close these issues.

Passkey login not working anymore
7 participants
@hiifong @james-d-elliott @wxiaoguang @DorianCoding @lafriks @lunny @GiteaBot