Login with security keys no longer possible #22507
Comments
lunny
added
the
skip-changelog
|
Are there any server logs associated? |
|
I can confirm the same bug on my instance. It could be either a server-side bug or a client-side (JS) bug. |
|
Maybe related #22400 |
|
There is only one As for the reason, I can only guess. I know that BTW shouldn't this error be caught using |
|
Invalid base64 chars all cause The response of |
|
I guess the problem is caused by inconsitent base64 encoding standard.
Then the (ps: just my guess, I am not using the webauthn now, so feel free to continue)
|
|
And you see, I have questioned before:
"Unknown problems" always cause more problems. That's why I always insist to make things consistent and clear. But I doubt seldom people agree with me. |
|
There is https://www.npmjs.com/package/base64url, I guess one solution would be to incorporate https://www.npmjs.com/package/uint8-to-base64 in our code and use that module instead to encode/decode the base64. |
There is a missing import within the `uint8-to-base64` javascript package which assumes that `atob` and `btoa` are present and exported instead of using the `window.atob` and `window.btoa` functions. This previously worked but as far as I can see things have become more strict and this no longer works. The dependency is small and I do not believe that we gain much from having this code as an external dependency. I think instead we should just consume this dependency and bring the code directly into Gitea itself - the code is itself just some standard incantation for creating base64 arrays in javascript. Therefore this PR simply removes the dependency on `uint8-to-base64` and rewrites the functions used in it. Fix go-gitea#22507 Signed-off-by: Andrew Thornton <art27@cantab.net>
delvh
changed the title
|
The problem is not to do with mis-encoding of base64 or otherwise. The issue is that the functions The The @silverwind may know or be able to point to something where things were made more strict. |
|
I've read a bit online, the problem does not seem to come from |
|
I do not think you have understood this problem (update: I didn't mean to be impolite, just to confirm the problem, correct me if I was wrong) The error message is clear: I will make a simple demo to show what the problem is. |
|
Perhaps I was experiencing a different problem - I definitely had some issue whereby the issue was that atob was not present. |
|
OK I've updated #22651 to include these changes. |
I think in a browser environment, those globals are pretty much guaranteed to exist. Node.js situation may differ. They only recently introduced the globals. I recommend using |
|
The refactor to |
|
This is an issue or related to an issue introduced in github.com/go-webauthn/webauthn most likely. Basically when the library was being maintained previously shadowed a method improperly and was not properly marshalling/unmarshalling the []byte values into Base64 Web Encoding. This was technically fixed in 0.6.0 but it had ill effects like this if the browser library also implemented it expecting this input/output. The specification dictates the format of these values be base64 web encoding with the padding omitted. Two potential ways to fix this in the short term would be to revert the mod version temporarily, or potentially upgrade to 0.7.0 where I sured up these changes a bit more accurately. For reference these changes in 0.7.0 have been tested with @simplewebauthn/browser. |
This PR fixes two bugs with Webauthn support: * There was a longstanding bug within webauthn due to the backend using URLEncodedBase64 but the javascript using decoding using plain base64. This causes intermittent issues with users reporting decoding errors. * Following the recent upgrade to webauthn there was a change in the way the library expects RPOrigins to be configured. This leads to the Relying Party Origin not being configured and prevents registration. Fix #22507 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
…#22651) Partial Backport go-gitea#22651 This PR fixes a longstanding bug within webauthn due to the backend using URLEncodedBase64 but the javascript using decoding using plain base64. This causes intermittent issues with users reporting decoding errors. Fix go-gitea#22507 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
…22721) Partial Backport #22651 This PR fixes a longstanding bug within webauthn due to the backend using URLEncodedBase64 but the javascript using decoding using plain base64. This causes intermittent issues with users reporting decoding errors. Fix #22507 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Description
I get Uncaught DOMException: Failed to execute 'atob' on 'Window': The string to be decoded is not correctly encoded when doing the FIDO2 authentication and cannot login.
Gitea Version
1.19.0+dev-320-gde484e86b
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
gitea:dev-rootless container
Database
MySQL
The text was updated successfully, but these errors were encountered: