Can't add/use device with Django-U2F #23

Closed
justinmayer opened this Issue Aug 31, 2017 · 12 comments

justinmayer commented Aug 31, 2017

I am trying to use Safari-FIDO-U2F 1.1b3 on macOS 10.12.6 and Safari 10.1.2 in conjunction with a Django web application that utilizes Django-U2F for two-factor authentication. Adding U2F devices and using them to log into the web application functions as expected on Chromium and Firefox 57+, but I can neither add nor use U2F devices with the current version of this Safari extension.

When prompted to insert (or tap on an already-inserted) U2F device on Safari with the extension installed, doing so produces no change in or response from the web app in Safari (whereas normally the key would be added, or the user would be logged in, respectively). On the U2F device, tapping it causes the light to come on persistently, and tapping it again turns the light off.

I'm not well-versed enough with the U2F API to know whether anything needs to be done in Django-U2F in order to support this Safari extension, whether the above-described behavior is indicative of a bug in this extension that should be addressed, or whether changes are needed on both ends. Any thoughts?

justinmayer commented Aug 31, 2017

@samdeane: As a side note, I wanted to add how much I appreciate you stepping forward and doing what you can to improve the U2F situation for Safari. It's a terrific browser, and it would be grand to avoid having to switch to another in order to take advantage of the improved web app security that U2F provides. Truly, thank you! 😸

justinmayer commented Sep 1, 2017

Would it be useful if I provided a concise but detailed list of steps to reproduce? e.g., perhaps a quick Bash script that creates a virtual environment with everything needed to visit https://localhost:8000 and test locally?

Contributor

samdeane commented Dec 16, 2017

> Would it be useful if I provided a concise but detailed list of steps to reproduce? e.g., perhaps a quick Bash script that creates a virtual environment with everything needed to visit https://localhost:8000 and test locally?

Yeah, that would be awesome. I've just uploaded a 1.1b4 too, which might help.

justinmayer commented Dec 16, 2017

I just tested 1.1b4 with Django-U2F, but it exhibits the same problem.

justinmayer commented Dec 16, 2017

Tried with 1.1b5, but sadly no change here.

Contributor

samdeane commented Jan 11, 2018

It's possible that you might fare better with 1.1b7, since it now implements another api function (getApiVersion) which the Django code might be relying on.
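
Added illustration, not part of the original thread and not code from Safari-FIDO-U2F or Django-U2F: a diagnostic that reports which high-level U2F functions (`register`, `sign`, `getApiVersion`) a page-level `u2f` object exposes, and wraps a call in a watchdog so a request that never calls back is reported instead of failing silently. The names `probeU2fApi`, `callWithWatchdog` and `SILENT_STUB` are hypothetical, the stub is constructed, and the callback-after-arguments call shape is an assumption about the API in use.

```javascript
// Added diagnostic sketch; not code from Safari-FIDO-U2F or Django-U2F.
const U2F_FUNCTIONS = ['register', 'sign', 'getApiVersion'];

// Constructed stand-in for a page-level u2f object that accepts calls but
// never answers, and lacks getApiVersion (hypothetical, for offline runs).
const SILENT_STUB = { register() {}, sign() {} };

// Report which high-level U2F functions the object exposes.
function probeU2fApi(u2f) {
  const present = [];
  const missing = [];
  for (const name of U2F_FUNCTIONS) {
    (u2f && typeof u2f[name] === 'function' ? present : missing).push(name);
  }
  return { present, missing, complete: missing.length === 0 };
}

// Invoke a callback-style U2F function and report exactly one outcome:
// 'ok', 'error', 'threw', 'missing', or 'no-response' once `ms` elapses.
function callWithWatchdog(u2f, name, args, ms, done, setTimer = setTimeout) {
  if (!u2f || typeof u2f[name] !== 'function') {
    done({ status: 'missing', name });
    return;
  }
  let settled = false;
  let timer = null;
  const finish = (outcome) => {
    if (settled) return;
    settled = true;
    clearTimeout(timer);
    done(outcome);
  };
  timer = setTimer(() => finish({ status: 'no-response', name }), ms);
  try {
    u2f[name](...args, (response) => {
      const errorCode = response && response.errorCode;
      finish(errorCode
        ? { status: 'error', name, errorCode }
        : { status: 'ok', name, response });
    });
  } catch (err) {
    finish({ status: 'threw', name, message: String(err) });
  }
}

// Demo on the constructed stub; in a browser console pass window.u2f instead.
console.log(probeU2fApi(SILENT_STUB));
callWithWatchdog(SILENT_STUB, 'register', ['https://localhost:8000', [], []],
  100, (outcome) => console.log(outcome));
```

A `no-response` outcome matches the symptom in the original report (the key is tapped but the page never changes), while `missing` points at an API function the page expects and the object does not provide.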

Contributor

samdeane commented Feb 9, 2018

Another new release to test: 2.0b1. :)

A lot has changed in this one, and it seems to be working for me with Github, so I have some hope...

@samdeane samdeane added the bug label Feb 9, 2018

justinmayer commented Feb 9, 2018

Many thanks for your work on this, Sam. I tested 2.0b1 on two different environments, but the behavior is unfortunately the same as in the original description above. Those environments are:

  • macOS 10.12.6, Safari 10.1.2, Yubikey 4 Nano USB-C
  • macOS 10.13.2, Safari 11.0.2, Yubikey U2F USB-A

As a side note, in the latter environment, the Safari FIDO U2F extension does not appear in Safari > Preferences > Extensions — but the status shows up as Enabled within the Safari FIDO U2F application. In the former environment, the extension appears in the list as expected.

Contributor

samdeane commented Feb 10, 2018

No problem. I will eventually get my arse in gear and set up a test environment - I found the instructions on the Django-U2F page. Compatibility is getting better, slowly...

justinmayer commented Feb 10, 2018

Perhaps I can help. Assuming you already have Python, Pip, and Virtualenv installed, following is a quick way to get set up... Start by saving this script somewhere as django-u2f-test.sh and giving it executable permissions via chmod +x django-u2f-test.sh:

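```bash
#!/usr/bin/env bash

# Exit immediately if a command exits with a non-zero status
set -e

VIRTUALENVS_HOME="$HOME/virtualenvs"
VENV="$VIRTUALENVS_HOME/django-u2f"

# Create and activate an isolated Python 3 environment
mkdir -p "$VIRTUALENVS_HOME"
virtualenv -p python3 "$VENV"
source "$VENV/bin/activate"

# Install Django and Django-U2F, then fetch the Django-U2F test project
pip install Django==1.11.10 django-u2f
git clone https://github.com/gavinwahl/django-u2f "$VENV/src"
cd "$VENV/src/testproj"
pip install -r requirements.txt
python manage.py migrate

# Create the local TLS certificate used by runserver_plus below
./mkcert.sh

# Create a login account, then serve the test project over HTTPS
python manage.py createsuperuser
python manage.py runserver_plus --cert localhost
```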

Ignore the deprecation warnings and create a user account when prompted. Once created, load the following URL in Safari: https://127.0.0.1:8000/u2f/two-factor-settings/

You will probably see a "This Connection Is Not Private" warning. Bypass it by tapping the "Show Details" button and then the "visit this website" link. Log in via the credentials you supplied when creating your user account. Choose "Manage U2F keys" from the settings list. Tap the "Add another key" link and follow the instructions there.

Hopefully this is helpful. If you have any questions or run into any trouble, please don't hesitate to let me know!

Contributor

samdeane commented Feb 12, 2018

I think it's fixed in #49. The Django test code seems to be working for me locally.

I've uploaded a build as 2.0b3. Give it a whirl.

Contributor

samdeane commented Feb 12, 2018

Thanks for the instructions btw - simplified my life a lot!

@samdeane samdeane closed this in #49 Feb 13, 2018
