Can't add/use device with Django-U2F #23

Closed
justinmayer opened this issue Aug 31, 2017 · 12 comments

@justinmayer

justinmayer commented Aug 31, 2017

I am trying to use Safari-FIDO-U2F 1.1b3 on macOS 10.12.6 and Safari 10.1.2 in conjunction with a Django web application that utilizes Django-U2F for two-factor authentication. Adding U2F devices and using them to log into the web application functions as expected on Chromium and Firefox 57+, but I can neither add nor use U2F devices with the current version of this Safari extension.

When prompted to insert (or tap on an already-inserted) U2F device on Safari with the extension installed, doing so produces no change in or response from the web app in Safari (whereas normally the key would be added, or the user would be logged in, respectively). On the U2F device, tapping it causes the light to come on persistently, and tapping it again turns the light off.

I'm not well-versed enough with the U2F API to know whether anything needs to be done in Django-U2F in order to support this Safari extension, whether the above-described behavior is indicative of a bug in this extension that should be addressed, or whether changes are needed on both ends. Any thoughts?

@justinmayer
Author

@samdeane: As a side note, I wanted to add how much I appreciate you stepping forward and doing what you can to improve the U2F situation for Safari. It's a terrific browser, and it would be grand to avoid having to switch to another in order to take advantage of the improved web app security that U2F provides. Truly, thank you! 😸

@justinmayer
Author

Would it be useful if I provided a concise but detailed list of steps to reproduce? e.g., perhaps a quick Bash script that creates a virtual environment with everything needed to visit https://localhost:8000 and test locally?

@samdeane
Contributor

> Would it be useful if I provided a concise but detailed list of steps to reproduce? e.g., perhaps a quick Bash script that creates a virtual environment with everything needed to visit https://localhost:8000 and test locally?

Yeah, that would be awesome. I've just uploaded a 1.1b4 too, which might help.

@justinmayer
Author

I just tested 1.1b4 with Django-U2F, but it exhibits the same problem.

@justinmayer
Author

Tried with 1.1b5, but sadly no change here.

@samdeane
Contributor

It's possible that you might fare better with 1.1b7, since it now implements another api function (getApiVersion) which the Django code might be relying on.

@samdeane
Contributor

samdeane commented Feb 9, 2018

Another new release to test: 2.0b1. :)

A lot has changed in this one, and it seems to be working for me with Github, so I have some hope...

@samdeane samdeane added the bug label Feb 9, 2018
@justinmayer
Author

Many thanks for your work on this, Sam. I tested 2.0b1 on two different environments, but the behavior is unfortunately the same as in the original description above. Those environments are:

  • macOS 10.12.6, Safari 10.1.2, Yubikey 4 Nano USB-C
  • macOS 10.13.2, Safari 11.0.2, Yubikey U2F USB-A

As a side note, in the latter environment, the Safari FIDO U2F extension does not appear in Safari > Preferences > Extensions — but the status shows up as Enabled within the Safari FIDO U2F application. In the former environment, the extension appears in the list as expected.

@samdeane
Contributor

No problem. I will eventually get my arse in gear and set up a test environment - I found the instructions on the Django-U2F page. Compatibility is getting better, slowly...

@justinmayer
Author

Perhaps I can help. Assuming you already have Python, Pip, and Virtualenv installed, following is a quick way to get set up... Start by saving this script somewhere as django-u2f-test.sh and giving it executable permissions via chmod +x django-u2f-test.sh:

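```bash
#!/usr/bin/env bash

# Exit immediately if a command exits with a non-zero status
set -e

VIRTUALENVS_HOME="$HOME/virtualenvs"
VENV="$VIRTUALENVS_HOME/django-u2f"

# Create and activate an isolated Python 3 environment
mkdir -p "$VIRTUALENVS_HOME"
virtualenv -p python3 "$VENV"
source "$VENV/bin/activate"

# Install Django and django-u2f, then fetch the django-u2f test project
pip install Django==1.11.10 django-u2f
git clone https://github.com/gavinwahl/django-u2f "$VENV/src"
cd "$VENV/src/testproj"
pip install -r requirements.txt

# Set up the database, generate the test certificate, and create a login
python manage.py migrate
./mkcert.sh
python manage.py createsuperuser

# Serve the test project over HTTPS
python manage.py runserver_plus --cert localhost
```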

Ignore the deprecation warnings and create a user account when prompted. Once created, load the following URL in Safari: https://127.0.0.1:8000/u2f/two-factor-settings/

You will probably see a "This Connection Is Not Private" warning. Bypass it by tapping the "Show Details" button and then the "visit this website" link. Log in via the credentials you supplied when creating your user account. Choose "Manage U2F keys" from the settings list. Tap the "Add another key" link and follow the instructions there.

Hopefully this is helpful. If you have any questions or run into any trouble, please don't hesitate to let me know!

@samdeane
Contributor

I think it's fixed in #49. The Django test code seems to be working for me locally.

I've uploaded a build as 2.0b3. Give it a whirl.

@samdeane
Contributor

Thanks for the instructions btw - simplified my life a lot!
