Cannot register U2F key #10231
Comments
Is Gitea accessible via |
Yes.
Yes. I am using the very same key on a bunch of other sites, for example right here on GH. |
Might be similar to #5143 |
Hmm, with try.gitea.io it seems to work. |
FWIW, with Chrome it also fails directly with "Could not read your security key." (against our custom Gitea instance). |
Can you check the value of ROOT_URL in your config file? |
Have a look at #10113 (comment) to check it. |
The
Looking at the Firefox Console, I can see successful (i.e. status 200) |
Seems it has something to do with the fact I am running Gitea on a sub-path. Configuring
(both needed) fixes the issue for me. I think the current defaults are not correct. |
We should be able to define a subpath in app_id (https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-appid-and-facets.html).
But that also means that we could set only the protocol:hostname:port and the same security rules are applied, and that could allow a device (or browser?) with some custom implementation to validate. The default values can be updated here: gitea/modules/setting/setting.go Line 1007 in 70aa629
And use |
Also saw this, so maybe it's a bug in the u2f library then? It compares against origin: |
For the record. I'm also hosting Gitea on a sub-path. My Solokey works fine after adding the same kind of config as @thmo |
Can confirm @thmo 's fix also worked for me. Gitea v1.12.0+dev-357-gf4370639b |
@thmo could you send a PR to upstream? |
Seems to say that the answer would be to default the In which case this would be an extremely easy PR for Gitea. I guess we could add some code to not set it if the appsuburl is empty but I suspect we don't need that. |
gitea/modules/setting/setting.go Line 936 in 3878e98
This likely just needs to become: shellquote.Split(sec.Key("TRUSTED_FACETS").MustString(strings.TrimSuffix(AppURL, AppSubURL + "/"))) Edit: That should be Suffix not Right(!) |
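An added example, not code from the thread or from Gitea: a minimal Go model of the facet check discussed above, showing why a facet that includes the sub-path never matches the browser-reported origin while the proposed TrimSuffix default does. The example.com values and the helper names browserOrigin, defaultFacet and facetTrusted are assumptions, and the exact-match comparison is a simplified stand-in for what the U2F library does.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// browserOrigin returns scheme://host[:port] for a page URL: the value a
// browser reports as the origin (no path, default port omitted).
func browserOrigin(pageURL string) (string, error) {
	u, err := url.Parse(pageURL)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("not an absolute URL: %q", pageURL)
	}
	host := u.Host
	if p := u.Port(); (u.Scheme == "https" && p == "443") || (u.Scheme == "http" && p == "80") {
		host = strings.TrimSuffix(host, ":"+p)
	}
	return u.Scheme + "://" + host, nil
}

// defaultFacet is the TrimSuffix expression proposed in the thread.
// Assumption: appURL ends in "/" and appSubURL has no trailing slash.
func defaultFacet(appURL, appSubURL string) string {
	return strings.TrimSuffix(appURL, appSubURL+"/")
}

// facetTrusted models an exact string match of the origin against the facets.
func facetTrusted(origin string, facets []string) bool {
	for _, f := range facets {
		if f == origin {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values for an instance served under /gitea.
	appURL, appSubURL := "https://example.com/gitea/", "/gitea"
	origin, _ := browserOrigin(appURL + "user/settings/security")
	fmt.Println("origin:", origin)
	fmt.Println("facet with sub-path trusted:", facetTrusted(origin, []string{"https://example.com/gitea"}))
	fmt.Println("trimmed facet trusted:", facetTrusted(origin, []string{defaultFacet(appURL, appSubURL)}))
}
```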
Description
Trying to register a Yubikey Touch U2F Security Key (1050:0120) to my account with Firefox 72.0.2. There's a Firefox popup telling me that my Gitea instance "wants to register an account with one of your security keys", and the blue light goes on. Gitea also shows the "Add Security Key" dialog.
However, when touching the key, only the Firefox popup vanishes, but the Gitea dialog stays open (until a timeout occurs later).
The log shows: