From df2adb203c423dbcbd8672705027dfd1eb868053 Mon Sep 17 00:00:00 2001
From: Andrew Thornton <art27@cantab.net>
Date: Sun, 29 Jan 2023 10:01:19 +0000
Subject: [PATCH 01/18] Fix Uncaught DOMException: Failed to execute 'atob' on
 'Window'

There is a missing import within the `uint8-to-base64` javascript
package which assumes that `atob` and `btoa` are present and exported
instead of using the `window.atob` and `window.btoa` functions. This
previously worked but as far as I can see things have become more strict
and this no longer works.

The dependency is small and I do not believe that we gain much from
having this code as an external dependency. I think instead we should
just consume this dependency and bring the code directly into Gitea
itself - the code is itself just some standard incantation for creating
base64 arrays in javascript.

Therefore this PR simply removes the dependency on `uint8-to-base64` and
rewrites the functions used in it.

Fix #22507

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 package-lock.json                         | 11 ----------
 package.json                              |  1 -
 web_src/js/features/user-auth-webauthn.js | 25 ++++++++++++++++-------
 3 files changed, 18 insertions(+), 19 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 60f0a0f8e623..50dddde13f89 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -39,7 +39,6 @@
         "swagger-ui-dist": "4.15.5",
         "tippy.js": "6.3.7",
         "tributejs": "5.1.3",
-        "uint8-to-base64": "0.2.0",
         "vue": "3.2.45",
         "vue-bar-graph": "2.0.0",
         "vue-loader": "17.0.1",
@@ -8856,11 +8855,6 @@
       "integrity": "sha512-boAm74ubXHY7KJQZLlXrtMz52qFvpsbOxDcZOnw/Wf+LS4Mmyu7JxmzD4tDLtUQtmZECypJ0FrCz4QIe6dvKRA==",
       "dev": true
     },
-    "node_modules/uint8-to-base64": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/uint8-to-base64/-/uint8-to-base64-0.2.0.tgz",
-      "integrity": "sha512-r13jrghEYZAN99GeYpEjM107DOxqB65enskpwce8rRHVAGEtaWmsF5GqoGdPMf8DIXc9XyAJTdvlvRZi4LsszA=="
-    },
     "node_modules/unbox-primitive": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/unbox-primitive/-/unbox-primitive-1.0.2.tgz",
@@ -16366,11 +16360,6 @@
       "integrity": "sha512-boAm74ubXHY7KJQZLlXrtMz52qFvpsbOxDcZOnw/Wf+LS4Mmyu7JxmzD4tDLtUQtmZECypJ0FrCz4QIe6dvKRA==",
       "dev": true
     },
-    "uint8-to-base64": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/uint8-to-base64/-/uint8-to-base64-0.2.0.tgz",
-      "integrity": "sha512-r13jrghEYZAN99GeYpEjM107DOxqB65enskpwce8rRHVAGEtaWmsF5GqoGdPMf8DIXc9XyAJTdvlvRZi4LsszA=="
-    },
     "unbox-primitive": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/unbox-primitive/-/unbox-primitive-1.0.2.tgz",
diff --git a/package.json b/package.json
index 842804211cf8..7821fbb58005 100644
--- a/package.json
+++ b/package.json
@@ -39,7 +39,6 @@
     "swagger-ui-dist": "4.15.5",
     "tippy.js": "6.3.7",
     "tributejs": "5.1.3",
-    "uint8-to-base64": "0.2.0",
     "vue": "3.2.45",
     "vue-bar-graph": "2.0.0",
     "vue-loader": "17.0.1",
diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index f11a49864ded..c86f6314edf5 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -1,8 +1,19 @@
 import $ from 'jquery';
-import {encode, decode} from 'uint8-to-base64';
 
 const {appSubUrl, csrfToken} = window.config;
 
+function encodeToBase64(toEncode) {
+  const output = [];
+  for (let i = 0; i < toEncode.length; i++) {
+    output.push(String.fromCharCode(toEncode[i]));
+  }
+  return window.btoa(output.join(''));
+}
+
+function decodeFromBase64(toDecode) {
+  return Uint8Array.from(window.atob(toDecode), (c) => c.charCodeAt(0));
+}
+
 export function initUserAuthWebAuthn() {
   if ($('.user.signin.webauthn-prompt').length === 0) {
     return;
@@ -14,9 +25,9 @@ export function initUserAuthWebAuthn() {
 
   $.getJSON(`${appSubUrl}/user/webauthn/assertion`, {})
     .done((makeAssertionOptions) => {
-      makeAssertionOptions.publicKey.challenge = decode(makeAssertionOptions.publicKey.challenge);
+      makeAssertionOptions.publicKey.challenge = decodeFromBase64(makeAssertionOptions.publicKey.challenge);
       for (let i = 0; i < makeAssertionOptions.publicKey.allowCredentials.length; i++) {
-        makeAssertionOptions.publicKey.allowCredentials[i].id = decode(makeAssertionOptions.publicKey.allowCredentials[i].id);
+        makeAssertionOptions.publicKey.allowCredentials[i].id = decodeFromBase64(makeAssertionOptions.publicKey.allowCredentials[i].id);
       }
       navigator.credentials.get({
         publicKey: makeAssertionOptions.publicKey
@@ -87,7 +98,7 @@ function verifyAssertion(assertedCredential) {
 
 // Encode an ArrayBuffer into a base64 string.
 function bufferEncode(value) {
-  return encode(value)
+  return encodeToBase64(value)
     .replace(/\+/g, '-')
     .replace(/\//g, '_')
     .replace(/=/g, '');
@@ -184,11 +195,11 @@ function webAuthnRegisterRequest() {
   }).done((makeCredentialOptions) => {
     $('#nickname').closest('div.field').removeClass('error');
 
-    makeCredentialOptions.publicKey.challenge = decode(makeCredentialOptions.publicKey.challenge);
-    makeCredentialOptions.publicKey.user.id = decode(makeCredentialOptions.publicKey.user.id);
+    makeCredentialOptions.publicKey.challenge = decodeFromBase64(makeCredentialOptions.publicKey.challenge);
+    makeCredentialOptions.publicKey.user.id = decodeFromBase64(makeCredentialOptions.publicKey.user.id);
     if (makeCredentialOptions.publicKey.excludeCredentials) {
       for (let i = 0; i < makeCredentialOptions.publicKey.excludeCredentials.length; i++) {
-        makeCredentialOptions.publicKey.excludeCredentials[i].id = decode(makeCredentialOptions.publicKey.excludeCredentials[i].id);
+        makeCredentialOptions.publicKey.excludeCredentials[i].id = decodeFromBase64(makeCredentialOptions.publicKey.excludeCredentials[i].id);
       }
     }
 

From f40e5161a22fbc6d2822430ad859295eb7e39c5e Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Sun, 29 Jan 2023 12:31:08 +0000
Subject: [PATCH 02/18] Update web_src/js/features/user-auth-webauthn.js

Co-authored-by: delvh <dev.lh@web.de>
---
 web_src/js/features/user-auth-webauthn.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index c86f6314edf5..180309eefb9f 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -2,7 +2,7 @@ import $ from 'jquery';
 
 const {appSubUrl, csrfToken} = window.config;
 
-function encodeToBase64(toEncode) {
+function encodeToBase64(toEncode /* Uint8Array */) {
   const output = [];
   for (let i = 0; i < toEncode.length; i++) {
     output.push(String.fromCharCode(toEncode[i]));

From dcd63076afe9ae81b1ce46ed6b73c89a369e677b Mon Sep 17 00:00:00 2001
From: Andrew Thornton <art27@cantab.net>
Date: Sun, 29 Jan 2023 21:21:14 +0000
Subject: [PATCH 03/18] Include findings from #22654

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 web_src/js/features/user-auth-webauthn.js | 37 ++++++++++++++---------
 1 file changed, 22 insertions(+), 15 deletions(-)

diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index c86f6314edf5..3b00bf1e9644 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -25,9 +25,9 @@ export function initUserAuthWebAuthn() {
 
   $.getJSON(`${appSubUrl}/user/webauthn/assertion`, {})
     .done((makeAssertionOptions) => {
-      makeAssertionOptions.publicKey.challenge = decodeFromBase64(makeAssertionOptions.publicKey.challenge);
+      makeAssertionOptions.publicKey.challenge = decodeURLEncodedBase64(makeAssertionOptions.publicKey.challenge);
       for (let i = 0; i < makeAssertionOptions.publicKey.allowCredentials.length; i++) {
-        makeAssertionOptions.publicKey.allowCredentials[i].id = decodeFromBase64(makeAssertionOptions.publicKey.allowCredentials[i].id);
+        makeAssertionOptions.publicKey.allowCredentials[i].id = decodeURLEncodedBase64(makeAssertionOptions.publicKey.allowCredentials[i].id);
       }
       navigator.credentials.get({
         publicKey: makeAssertionOptions.publicKey
@@ -67,14 +67,14 @@ function verifyAssertion(assertedCredential) {
     type: 'POST',
     data: JSON.stringify({
       id: assertedCredential.id,
-      rawId: bufferEncode(rawId),
+      rawId: bufferURLEncodedBase64(rawId),
       type: assertedCredential.type,
       clientExtensionResults: assertedCredential.getClientExtensionResults(),
       response: {
-        authenticatorData: bufferEncode(authData),
-        clientDataJSON: bufferEncode(clientDataJSON),
-        signature: bufferEncode(sig),
-        userHandle: bufferEncode(userHandle),
+        authenticatorData: bufferURLEncodedBase64(authData),
+        clientDataJSON: bufferURLEncodedBase64(clientDataJSON),
+        signature: bufferURLEncodedBase64(sig),
+        userHandle: bufferURLEncodedBase64(userHandle),
       },
     }),
     contentType: 'application/json; charset=utf-8',
@@ -96,14 +96,21 @@ function verifyAssertion(assertedCredential) {
   });
 }
 
-// Encode an ArrayBuffer into a base64 string.
-function bufferEncode(value) {
+// Encode an ArrayBuffer into a URLEncoded base64 string.
+function bufferURLEncodedBase64(value) {
   return encodeToBase64(value)
     .replace(/\+/g, '-')
     .replace(/\//g, '_')
     .replace(/=/g, '');
 }
 
+// Dccode a URLEncoded base64 to an ArrayBuffer string.
+function decodeURLEncodedBase64(value) {
+  return decodeFromBase64(value
+    .replace(/_/g, '/')
+    .replace(/-/g, '+'));
+}
+
 function webauthnRegistered(newCredential) {
   const attestationObject = new Uint8Array(newCredential.response.attestationObject);
   const clientDataJSON = new Uint8Array(newCredential.response.clientDataJSON);
@@ -115,11 +122,11 @@ function webauthnRegistered(newCredential) {
     headers: {'X-Csrf-Token': csrfToken},
     data: JSON.stringify({
       id: newCredential.id,
-      rawId: bufferEncode(rawId),
+      rawId: bufferURLEncodedBase64(rawId),
       type: newCredential.type,
       response: {
-        attestationObject: bufferEncode(attestationObject),
-        clientDataJSON: bufferEncode(clientDataJSON),
+        attestationObject: bufferURLEncodedBase64(attestationObject),
+        clientDataJSON: bufferURLEncodedBase64(clientDataJSON),
       },
     }),
     dataType: 'json',
@@ -195,11 +202,11 @@ function webAuthnRegisterRequest() {
   }).done((makeCredentialOptions) => {
     $('#nickname').closest('div.field').removeClass('error');
 
-    makeCredentialOptions.publicKey.challenge = decodeFromBase64(makeCredentialOptions.publicKey.challenge);
-    makeCredentialOptions.publicKey.user.id = decodeFromBase64(makeCredentialOptions.publicKey.user.id);
+    makeCredentialOptions.publicKey.challenge = decodeURLEncodedBase64(makeCredentialOptions.publicKey.challenge);
+    makeCredentialOptions.publicKey.user.id = decodeURLEncodedBase64(makeCredentialOptions.publicKey.user.id);
     if (makeCredentialOptions.publicKey.excludeCredentials) {
       for (let i = 0; i < makeCredentialOptions.publicKey.excludeCredentials.length; i++) {
-        makeCredentialOptions.publicKey.excludeCredentials[i].id = decodeFromBase64(makeCredentialOptions.publicKey.excludeCredentials[i].id);
+        makeCredentialOptions.publicKey.excludeCredentials[i].id = decodeURLEncodedBase64(makeCredentialOptions.publicKey.excludeCredentials[i].id);
       }
     }
 

From f03824463e3993d1ab7fa845cf369daaf98e1516 Mon Sep 17 00:00:00 2001
From: Andrew Thornton <art27@cantab.net>
Date: Mon, 30 Jan 2023 21:08:27 +0000
Subject: [PATCH 04/18] As per wxiaoguang

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 modules/auth/webauthn/webauthn.go         |  2 +-
 package-lock.json                         | 11 +++++++
 package.json                              |  1 +
 web_src/js/features/user-auth-webauthn.js | 35 ++++++++---------------
 4 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/modules/auth/webauthn/webauthn.go b/modules/auth/webauthn/webauthn.go
index d08f7bf7cc71..937da872ca1a 100644
--- a/modules/auth/webauthn/webauthn.go
+++ b/modules/auth/webauthn/webauthn.go
@@ -28,7 +28,7 @@ func Init() {
 		Config: &webauthn.Config{
 			RPDisplayName: setting.AppName,
 			RPID:          setting.Domain,
-			RPOrigin:      appURL,
+			RPOrigins:     []string{appURL},
 			AuthenticatorSelection: protocol.AuthenticatorSelection{
 				UserVerification: "discouraged",
 			},
diff --git a/package-lock.json b/package-lock.json
index 50dddde13f89..60f0a0f8e623 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -39,6 +39,7 @@
         "swagger-ui-dist": "4.15.5",
         "tippy.js": "6.3.7",
         "tributejs": "5.1.3",
+        "uint8-to-base64": "0.2.0",
         "vue": "3.2.45",
         "vue-bar-graph": "2.0.0",
         "vue-loader": "17.0.1",
@@ -8855,6 +8856,11 @@
       "integrity": "sha512-boAm74ubXHY7KJQZLlXrtMz52qFvpsbOxDcZOnw/Wf+LS4Mmyu7JxmzD4tDLtUQtmZECypJ0FrCz4QIe6dvKRA==",
       "dev": true
     },
+    "node_modules/uint8-to-base64": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/uint8-to-base64/-/uint8-to-base64-0.2.0.tgz",
+      "integrity": "sha512-r13jrghEYZAN99GeYpEjM107DOxqB65enskpwce8rRHVAGEtaWmsF5GqoGdPMf8DIXc9XyAJTdvlvRZi4LsszA=="
+    },
     "node_modules/unbox-primitive": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/unbox-primitive/-/unbox-primitive-1.0.2.tgz",
@@ -16360,6 +16366,11 @@
       "integrity": "sha512-boAm74ubXHY7KJQZLlXrtMz52qFvpsbOxDcZOnw/Wf+LS4Mmyu7JxmzD4tDLtUQtmZECypJ0FrCz4QIe6dvKRA==",
       "dev": true
     },
+    "uint8-to-base64": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/uint8-to-base64/-/uint8-to-base64-0.2.0.tgz",
+      "integrity": "sha512-r13jrghEYZAN99GeYpEjM107DOxqB65enskpwce8rRHVAGEtaWmsF5GqoGdPMf8DIXc9XyAJTdvlvRZi4LsszA=="
+    },
     "unbox-primitive": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/unbox-primitive/-/unbox-primitive-1.0.2.tgz",
diff --git a/package.json b/package.json
index 7821fbb58005..842804211cf8 100644
--- a/package.json
+++ b/package.json
@@ -39,6 +39,7 @@
     "swagger-ui-dist": "4.15.5",
     "tippy.js": "6.3.7",
     "tributejs": "5.1.3",
+    "uint8-to-base64": "0.2.0",
     "vue": "3.2.45",
     "vue-bar-graph": "2.0.0",
     "vue-loader": "17.0.1",
diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index e7116210768a..9c9fffd99527 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -1,19 +1,8 @@
 import $ from 'jquery';
+import {encode, decode} from 'uint8-to-base64';
 
 const {appSubUrl, csrfToken} = window.config;
 
-function encodeToBase64(toEncode /* Uint8Array */) {
-  const output = [];
-  for (let i = 0; i < toEncode.length; i++) {
-    output.push(String.fromCharCode(toEncode[i]));
-  }
-  return window.btoa(output.join(''));
-}
-
-function decodeFromBase64(toDecode) {
-  return Uint8Array.from(window.atob(toDecode), (c) => c.charCodeAt(0));
-}
-
 export function initUserAuthWebAuthn() {
   if ($('.user.signin.webauthn-prompt').length === 0) {
     return;
@@ -67,14 +56,14 @@ function verifyAssertion(assertedCredential) {
     type: 'POST',
     data: JSON.stringify({
       id: assertedCredential.id,
-      rawId: bufferURLEncodedBase64(rawId),
+      rawId: encodeURLEncodedBase64(rawId),
       type: assertedCredential.type,
       clientExtensionResults: assertedCredential.getClientExtensionResults(),
       response: {
-        authenticatorData: bufferURLEncodedBase64(authData),
-        clientDataJSON: bufferURLEncodedBase64(clientDataJSON),
-        signature: bufferURLEncodedBase64(sig),
-        userHandle: bufferURLEncodedBase64(userHandle),
+        authenticatorData: encodeURLEncodedBase64(authData),
+        clientDataJSON: encodeURLEncodedBase64(clientDataJSON),
+        signature: encodeURLEncodedBase64(sig),
+        userHandle: encodeURLEncodedBase64(userHandle),
       },
     }),
     contentType: 'application/json; charset=utf-8',
@@ -97,8 +86,8 @@ function verifyAssertion(assertedCredential) {
 }
 
 // Encode an ArrayBuffer into a URLEncoded base64 string.
-function bufferURLEncodedBase64(value) {
-  return encodeToBase64(value)
+function encodeURLEncodedBase64(value) {
+  return encode(value)
     .replace(/\+/g, '-')
     .replace(/\//g, '_')
     .replace(/=/g, '');
@@ -106,7 +95,7 @@ function bufferURLEncodedBase64(value) {
 
 // Dccode a URLEncoded base64 to an ArrayBuffer string.
 function decodeURLEncodedBase64(value) {
-  return decodeFromBase64(value
+  return decode(value
     .replace(/_/g, '/')
     .replace(/-/g, '+'));
 }
@@ -122,11 +111,11 @@ function webauthnRegistered(newCredential) {
     headers: {'X-Csrf-Token': csrfToken},
     data: JSON.stringify({
       id: newCredential.id,
-      rawId: bufferURLEncodedBase64(rawId),
+      rawId: encodeURLEncodedBase64(rawId),
       type: newCredential.type,
       response: {
-        attestationObject: bufferURLEncodedBase64(attestationObject),
-        clientDataJSON: bufferURLEncodedBase64(clientDataJSON),
+        attestationObject: encodeURLEncodedBase64(attestationObject),
+        clientDataJSON: encodeURLEncodedBase64(clientDataJSON),
       },
     }),
     dataType: 'json',

From b37e6a1aa16c57bab6852f8f0495721b34551b3e Mon Sep 17 00:00:00 2001
From: Andrew Thornton <art27@cantab.net>
Date: Tue, 31 Jan 2023 20:17:49 +0000
Subject: [PATCH 05/18] fix test

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 modules/auth/webauthn/webauthn_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auth/webauthn/webauthn_test.go b/modules/auth/webauthn/webauthn_test.go
index 1beeb64cd6ca..15a8d7182833 100644
--- a/modules/auth/webauthn/webauthn_test.go
+++ b/modules/auth/webauthn/webauthn_test.go
@@ -15,11 +15,11 @@ func TestInit(t *testing.T) {
 	setting.Domain = "domain"
 	setting.AppName = "AppName"
 	setting.AppURL = "https://domain/"
-	rpOrigin := "https://domain"
+	rpOrigin := []string{"https://domain"}
 
 	Init()
 
 	assert.Equal(t, setting.Domain, WebAuthn.Config.RPID)
 	assert.Equal(t, setting.AppName, WebAuthn.Config.RPDisplayName)
-	assert.Equal(t, rpOrigin, WebAuthn.Config.RPOrigin)
+	assert.Equal(t, rpOrigin, WebAuthn.Config.RPOrigins)
 }

From 104a864965e14c44406d4d7d2bfa8177b5b6262e Mon Sep 17 00:00:00 2001
From: Andrew Thornton <art27@cantab.net>
Date: Tue, 31 Jan 2023 20:15:37 +0000
Subject: [PATCH 06/18] Clean up WebAuthn javascript code and remove JQuery
 code

There were several issues with the WebAuthn registration and testing code and the style
was very old javascript with jquery callbacks.

This PR uses async and fetch to replace the JQuery code.

Ref #22651

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 routers/web/user/setting/security/webauthn.go |   6 +-
 templates/user/auth/webauthn.tmpl             |   2 +-
 templates/user/auth/webauthn_error.tmpl       |  30 +-
 .../user/settings/security/webauthn.tmpl      |   2 +-
 web_src/js/features/user-auth-webauthn.js     | 289 ++++++++++--------
 5 files changed, 178 insertions(+), 151 deletions(-)

diff --git a/routers/web/user/setting/security/webauthn.go b/routers/web/user/setting/security/webauthn.go
index 005431886746..826562f15748 100644
--- a/routers/web/user/setting/security/webauthn.go
+++ b/routers/web/user/setting/security/webauthn.go
@@ -6,6 +6,8 @@ package security
 import (
 	"errors"
 	"net/http"
+	"strconv"
+	"time"
 
 	"code.gitea.io/gitea/models/auth"
 	wa "code.gitea.io/gitea/modules/auth/webauthn"
@@ -23,8 +25,8 @@ import (
 func WebAuthnRegister(ctx *context.Context) {
 	form := web.GetForm(ctx).(*forms.WebauthnRegistrationForm)
 	if form.Name == "" {
-		ctx.Error(http.StatusConflict)
-		return
+		// Set name to the hexadecimal of the current time
+		form.Name = strconv.FormatInt(time.Now().UnixNano(), 16)
 	}
 
 	cred, err := auth.GetWebAuthnCredentialByName(ctx.Doer.ID, form.Name)
diff --git a/templates/user/auth/webauthn.tmpl b/templates/user/auth/webauthn.tmpl
index 304d199da21a..e580b4d13ab0 100644
--- a/templates/user/auth/webauthn.tmpl
+++ b/templates/user/auth/webauthn.tmpl
@@ -5,6 +5,7 @@
 				<h3 class="ui top attached header">
 				{{.locale.Tr "twofa"}}
 				</h3>
+				{{template "user/auth/webauthn_error" .}}
 				<div class="ui attached segment">
 					<i class="huge key icon"></i>
 					<h3>{{.locale.Tr "webauthn_insert_key"}}</h3>
@@ -18,5 +19,4 @@
 		</div>
 	</div>
 </div>
-{{template "user/auth/webauthn_error" .}}
 {{template "base/footer" .}}
diff --git a/templates/user/auth/webauthn_error.tmpl b/templates/user/auth/webauthn_error.tmpl
index c3cae710f1ef..d309a1a036ae 100644
--- a/templates/user/auth/webauthn_error.tmpl
+++ b/templates/user/auth/webauthn_error.tmpl
@@ -1,22 +1,16 @@
-<div class="ui small modal" id="webauthn-error">
-	<div class="header">{{.locale.Tr "webauthn_error"}}</div>
-	<div class="content">
-		<div class="ui negative message">
-			<div class="header">
+<div id="webauthn-error" class="ui small hide">
+	<div class="content ui negative message">
+		<div class="header">
 			{{.locale.Tr "webauthn_error"}}
-			</div>
-			<div class="hide" data-webauthn-error-msg="browser"><p>{{.locale.Tr "webauthn_unsupported_browser"}}</div>
-			<div class="hide" data-webauthn-error-msg="unknown"><p>{{.locale.Tr "webauthn_error_unknown"}}</div>
-			<div class="hide" data-webauthn-error-msg="insecure"><p>{{.locale.Tr "webauthn_error_insecure"}}</div>
-			<div class="hide" data-webauthn-error-msg="unable-to-process"><p>{{.locale.Tr "webauthn_error_unable_to_process"}}</div>
-			<div class="hide" data-webauthn-error-msg="duplicated"><p>{{.locale.Tr "webauthn_error_duplicated"}}</div>
-			<div class="hide" data-webauthn-error-msg="empty"><p>{{.locale.Tr "webauthn_error_empty"}}</div>
-			<div class="hide" data-webauthn-error-msg="timeout"><p>{{.locale.Tr "webauthn_error_timeout"}}</div>
-			<div class="hide" data-webauthn-error-msg="general"></div>
 		</div>
-	</div>
-	<div class="actions">
-		<button onclick="window.location.reload()" class="success ui button hide webauthn_error_timeout">{{.locale.Tr "webauthn_reload"}}</button>
-		<div class="ui cancel button">{{.locale.Tr "cancel"}}</div>
+		<div id="webauthn-error-msg" class="">
+		</div>
+		<div class="hide" data-webauthn-error-msg="browser"><p>{{.locale.Tr "webauthn_unsupported_browser"}}</div>
+		<div class="hide" data-webauthn-error-msg="unknown"><p>{{.locale.Tr "webauthn_error_unknown"}}</div>
+		<div class="hide" data-webauthn-error-msg="insecure"><p>{{.locale.Tr "webauthn_error_insecure"}}</div>
+		<div class="hide" data-webauthn-error-msg="unable-to-process"><p>{{.locale.Tr "webauthn_error_unable_to_process"}}</div>
+		<div class="hide" data-webauthn-error-msg="duplicated"><p>{{.locale.Tr "webauthn_error_duplicated"}}</div>
+		<div class="hide" data-webauthn-error-msg="empty"><p>{{.locale.Tr "webauthn_error_empty"}}</div>
+		<div class="hide" data-webauthn-error-msg="timeout"><p>{{.locale.Tr "webauthn_error_timeout"}}</div>
 	</div>
 </div>
diff --git a/templates/user/settings/security/webauthn.tmpl b/templates/user/settings/security/webauthn.tmpl
index 2fea2843f6e0..26c2d07239ce 100644
--- a/templates/user/settings/security/webauthn.tmpl
+++ b/templates/user/settings/security/webauthn.tmpl
@@ -3,6 +3,7 @@
 </h4>
 <div class="ui attached segment">
 	<p>{{.locale.Tr "settings.webauthn_desc" | Str2html}}</p>
+	{{template "user/auth/webauthn_error" .}}
 	<div class="ui key list">
 		{{range .WebAuthnCredentials}}
 			<div class="item">
@@ -28,7 +29,6 @@
 	</div>
 </div>
 
-{{template "user/auth/webauthn_error" .}}
 
 <div class="ui small basic delete modal" id="delete-registration">
 	<div class="ui icon header">
diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index 9c9fffd99527..10f00845ae2d 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -1,10 +1,27 @@
-import $ from 'jquery';
 import {encode, decode} from 'uint8-to-base64';
 
 const {appSubUrl, csrfToken} = window.config;
 
-export function initUserAuthWebAuthn() {
-  if ($('.user.signin.webauthn-prompt').length === 0) {
+// Encode an ArrayBuffer into a URLEncoded base64 string.
+function encodeURLEncodedBase64(value) {
+  return encode(value)
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=/g, '');
+}
+
+// Dccode a URLEncoded base64 to an ArrayBuffer string.
+function decodeURLEncodedBase64(value) {
+  return decode(value
+    .replace(/_/g, '/')
+    .replace(/-/g, '+'));
+}
+
+export async function initUserAuthWebAuthn() {
+  document.getElementById('webauthn-error')?.classList.add('hide');
+
+  const elPrompt = document.querySelector('.user.signin.webauthn-prompt');
+  if (!elPrompt) {
     return;
   }
 
@@ -12,49 +29,53 @@ export function initUserAuthWebAuthn() {
     return;
   }
 
-  $.getJSON(`${appSubUrl}/user/webauthn/assertion`, {})
-    .done((makeAssertionOptions) => {
-      makeAssertionOptions.publicKey.challenge = decodeURLEncodedBase64(makeAssertionOptions.publicKey.challenge);
-      for (let i = 0; i < makeAssertionOptions.publicKey.allowCredentials.length; i++) {
-        makeAssertionOptions.publicKey.allowCredentials[i].id = decodeURLEncodedBase64(makeAssertionOptions.publicKey.allowCredentials[i].id);
-      }
-      navigator.credentials.get({
-        publicKey: makeAssertionOptions.publicKey
-      })
-        .then((credential) => {
-          verifyAssertion(credential);
-        }).catch((err) => {
-          // Try again... without the appid
-          if (makeAssertionOptions.publicKey.extensions && makeAssertionOptions.publicKey.extensions.appid) {
-            delete makeAssertionOptions.publicKey.extensions['appid'];
-            navigator.credentials.get({
-              publicKey: makeAssertionOptions.publicKey
-            })
-              .then((credential) => {
-                verifyAssertion(credential);
-              }).catch((err) => {
-                webAuthnError('general', err.message);
-              });
-            return;
-          }
-          webAuthnError('general', err.message);
-        });
-    }).fail(() => {
-      webAuthnError('unknown');
+  const resp = await fetch(`${appSubUrl}/user/webauthn/assertion`);
+  if (resp.status !== 200) {
+    console.error(`Unexpected status from /user/webauthn/assertion ${resp.status}`);
+    webAuthnError('unknown');
+    return;
+  }
+  const options = await resp.json();
+  options.publicKey.challenge = decodeURLEncodedBase64(options.publicKey.challenge);
+  for (let i = 0; i < options.publicKey.allowCredentials.length; i++) {
+    options.publicKey.allowCredentials[i].id = decodeURLEncodedBase64(options.publicKey.allowCredentials[i].id);
+  }
+  const credential = await navigator.credentials.get({
+    publicKey: options.publicKey
+  });
+  try {
+    await verifyAssertion(credential);
+  } catch (err) {
+    if (!(options.publicKey.extensions) || !(options.publicKey.extensions.appid)) {
+      webAuthnError('general', err.message);
+      return;
+    }
+    delete options.publicKey.extensions['appid'];
+    const credential = await navigator.credentials.get({
+      publicKey: options.publicKey
     });
+    try {
+      await verifyAssertion(credential);
+    } catch (err) {
+      webAuthnError('general', err.message);
+    }
+  }
 }
 
-function verifyAssertion(assertedCredential) {
+async function verifyAssertion(assertedCredential) {
   // Move data into Arrays incase it is super long
   const authData = new Uint8Array(assertedCredential.response.authenticatorData);
   const clientDataJSON = new Uint8Array(assertedCredential.response.clientDataJSON);
   const rawId = new Uint8Array(assertedCredential.rawId);
   const sig = new Uint8Array(assertedCredential.response.signature);
   const userHandle = new Uint8Array(assertedCredential.response.userHandle);
-  $.ajax({
-    url: `${appSubUrl}/user/webauthn/assertion`,
-    type: 'POST',
-    data: JSON.stringify({
+
+  const resp = await fetch(`${appSubUrl}/user/webauthn/assertion`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json; charset=utf-8'
+    },
+    body: JSON.stringify({
       id: assertedCredential.id,
       rawId: encodeURLEncodedBase64(rawId),
       type: assertedCredential.type,
@@ -66,50 +87,35 @@ function verifyAssertion(assertedCredential) {
         userHandle: encodeURLEncodedBase64(userHandle),
       },
     }),
-    contentType: 'application/json; charset=utf-8',
-    dataType: 'json',
-    success: (resp) => {
-      if (resp && resp['redirect']) {
-        window.location.href = resp['redirect'];
-      } else {
-        window.location.href = '/';
-      }
-    },
-    error: (xhr) => {
-      if (xhr.status === 500) {
-        webAuthnError('unknown');
-        return;
-      }
-      webAuthnError('unable-to-process');
-    }
   });
-}
-
-// Encode an ArrayBuffer into a URLEncoded base64 string.
-function encodeURLEncodedBase64(value) {
-  return encode(value)
-    .replace(/\+/g, '-')
-    .replace(/\//g, '_')
-    .replace(/=/g, '');
-}
+  if (resp.status === 500) {
+    webAuthnError('unknown');
+    return;
+  } else if (resp.status !== 200) {
+    webAuthnError('unable-to-process');
+    return;
+  }
+  const reply = await resp.json();
 
-// Dccode a URLEncoded base64 to an ArrayBuffer string.
-function decodeURLEncodedBase64(value) {
-  return decode(value
-    .replace(/_/g, '/')
-    .replace(/-/g, '+'));
+  if (reply && reply['redirect']) {
+    window.location.href = reply['redirect'];
+  } else {
+    window.location.href = '/';
+  }
 }
 
-function webauthnRegistered(newCredential) {
+async function webauthnRegistered(newCredential) {
   const attestationObject = new Uint8Array(newCredential.response.attestationObject);
   const clientDataJSON = new Uint8Array(newCredential.response.clientDataJSON);
   const rawId = new Uint8Array(newCredential.rawId);
 
-  return $.ajax({
-    url: `${appSubUrl}/user/settings/security/webauthn/register`,
-    type: 'POST',
-    headers: {'X-Csrf-Token': csrfToken},
-    data: JSON.stringify({
+  const resp = await fetch(`${appSubUrl}/user/settings/security/webauthn/register`, {
+    method: 'POST',
+    headers: {
+      'X-Csrf-Token': csrfToken,
+      'Content-Type': 'application/json; charset=utf-8',
+    },
+    body: JSON.stringify({
       id: newCredential.id,
       rawId: encodeURLEncodedBase64(rawId),
       type: newCredential.type,
@@ -118,46 +124,55 @@ function webauthnRegistered(newCredential) {
         clientDataJSON: encodeURLEncodedBase64(clientDataJSON),
       },
     }),
-    dataType: 'json',
-    contentType: 'application/json; charset=utf-8',
-  }).then(() => {
-    window.location.reload();
-  }).fail((xhr) => {
-    if (xhr.status === 409) {
-      webAuthnError('duplicated');
-      return;
-    }
-    webAuthnError('unknown');
   });
+
+  if (resp.status === 409) {
+    webAuthnError('duplicated');
+    return;
+  } else if (resp.status !== 201) {
+    webAuthnError('unknown');
+    return;
+  }
+
+  window.location.reload();
 }
 
 function webAuthnError(errorType, message) {
-  $('#webauthn-error [data-webauthn-error-msg]').hide();
-  const $errorGeneral = $(`#webauthn-error [data-webauthn-error-msg=general]`);
+  const elErrorMsg = document.querySelector(`#webauthn-error-msg`);
+
   if (errorType === 'general') {
-    $errorGeneral.show().text(message || 'unknown error');
+    elErrorMsg.textContent = message || 'unknown error';
   } else {
-    const $errorTyped = $(`#webauthn-error [data-webauthn-error-msg=${errorType}]`);
-    if ($errorTyped.length) {
-      $errorTyped.show();
+    const elTypedError = document.querySelector(`#webauthn-error [data-webauthn-error-msg=${errorType}]`);
+    if (elTypedError) {
+      if (message) {
+        elErrorMsg.textContent = `${elTypedError.textContent} ${message}`;
+      } else {
+        elErrorMsg.textContent = `${elTypedError.textContent}`;
+      }
     } else {
-      $errorGeneral.show().text(`unknown error type: ${errorType}`);
+      elErrorMsg.textContent = `unknown error type: ${errorType}`;
+      if (message) {
+        elErrorMsg.textContent += ` ${message}`;
+      }
     }
   }
-  $('#webauthn-error').modal('show');
+
+  const elWebauthnError = document.getElementById('webauthn-error');
+  elWebauthnError.classList.remove('hide');
 }
 
 function detectWebAuthnSupport() {
   if (!window.isSecureContext) {
-    $('#register-button').prop('disabled', true);
-    $('#login-button').prop('disabled', true);
+    document.getElementById('register-button').setAttribute('disabled', 'true');
+    document.getElementById('login-button').setAttribute('disabled', 'true');
     webAuthnError('insecure');
     return false;
   }
 
   if (typeof window.PublicKeyCredential !== 'function') {
-    $('#register-button').prop('disabled', true);
-    $('#login-button').prop('disabled', true);
+    document.getElementById('register-button').setAttribute('disabled', 'true');
+    document.getElementById('login-button').setAttribute('disabled', 'true');
     webAuthnError('browser');
     return false;
   }
@@ -166,12 +181,16 @@ function detectWebAuthnSupport() {
 }
 
 export function initUserAuthWebAuthnRegister() {
-  if ($('#register-webauthn').length === 0) {
+  document.getElementById('webauthn-error')?.classList.add('hide');
+
+  const elRegister = document.getElementById('register-webauthn');
+  if (!elRegister) {
     return;
   }
 
-  $('#webauthn-error').modal({allowMultiple: false});
-  $('#register-webauthn').on('click', (e) => {
+  document.getElementById('webauthn-error')?.classList.add('hide');
+
+  elRegister.addEventListener('click', (e) => {
     e.preventDefault();
     if (!detectWebAuthnSupport()) {
       return;
@@ -180,40 +199,52 @@ export function initUserAuthWebAuthnRegister() {
   });
 }
 
-function webAuthnRegisterRequest() {
-  if ($('#nickname').val() === '') {
-    webAuthnError('empty');
+async function webAuthnRegisterRequest() {
+  const elNickname = document.getElementById('nickname');
+
+  const body = new FormData();
+  body.append('name', elNickname.value);
+
+  const resp = await fetch(`${appSubUrl}/user/settings/security/webauthn/request_register`, {
+    method: 'POST',
+    headers: {
+      'X-Csrf-Token': csrfToken,
+    },
+    body,
+  });
+
+  if (resp.status === 409) {
+    webAuthnError('duplicated');
+    return;
+  } else if (resp.status !== 200) {
+    webAuthnError('unknown');
     return;
   }
-  $.post(`${appSubUrl}/user/settings/security/webauthn/request_register`, {
-    _csrf: csrfToken,
-    name: $('#nickname').val(),
-  }).done((makeCredentialOptions) => {
-    $('#nickname').closest('div.field').removeClass('error');
-
-    makeCredentialOptions.publicKey.challenge = decodeURLEncodedBase64(makeCredentialOptions.publicKey.challenge);
-    makeCredentialOptions.publicKey.user.id = decodeURLEncodedBase64(makeCredentialOptions.publicKey.user.id);
-    if (makeCredentialOptions.publicKey.excludeCredentials) {
-      for (let i = 0; i < makeCredentialOptions.publicKey.excludeCredentials.length; i++) {
-        makeCredentialOptions.publicKey.excludeCredentials[i].id = decodeURLEncodedBase64(makeCredentialOptions.publicKey.excludeCredentials[i].id);
-      }
+
+  const options = await resp.json();
+  elNickname.closest('div.field').classList.remove('error');
+
+  options.publicKey.challenge = decodeURLEncodedBase64(options.publicKey.challenge);
+  options.publicKey.user.id = decodeURLEncodedBase64(options.publicKey.user.id);
+  if (options.publicKey.excludeCredentials) {
+    for (let i = 0; i < options.publicKey.excludeCredentials.length; i++) {
+      options.publicKey.excludeCredentials[i].id = decodeURLEncodedBase64(options.publicKey.excludeCredentials[i].id);
     }
+  }
 
-    navigator.credentials.create({
-      publicKey: makeCredentialOptions.publicKey
-    }).then(webauthnRegistered)
-      .catch((err) => {
-        if (!err) {
-          webAuthnError('unknown');
-          return;
-        }
-        webAuthnError('general', err.message);
-      });
-  }).fail((xhr) => {
-    if (xhr.status === 409) {
-      webAuthnError('duplicated');
-      return;
+  let credential;
+  try {
+    credential = await navigator.credentials.create({
+      publicKey: options.publicKey
+    });
+  } catch (err) {
+    if (err && err.message) {
+      webAuthnError('general', err.message);
+    } else {
+      webAuthnError('unknown', err);
     }
-    webAuthnError('unknown');
-  });
+    return;
+  }
+
+  webauthnRegistered(credential);
 }

From 834c30fe6f1396c90369d91cab853c85cfebdd85 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Thu, 2 Feb 2023 11:43:48 +0000
Subject: [PATCH 07/18] as per silverwind

Co-authored-by: silverwind <me@silverwind.io>
---
 web_src/js/features/user-auth-webauthn.js | 62 +++++++++--------------
 1 file changed, 25 insertions(+), 37 deletions(-)

diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index 10f00845ae2d..288b2dffbbc6 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -29,16 +29,16 @@ export async function initUserAuthWebAuthn() {
     return;
   }
 
-  const resp = await fetch(`${appSubUrl}/user/webauthn/assertion`);
-  if (resp.status !== 200) {
-    console.error(`Unexpected status from /user/webauthn/assertion ${resp.status}`);
+  const res = await fetch(`${appSubUrl}/user/webauthn/assertion`);
+  if (res.status !== 200) {
+    console.error(`Unexpected status from /user/webauthn/assertion ${res.status}`);
     webAuthnError('unknown');
     return;
   }
-  const options = await resp.json();
+  const options = await res.json();
   options.publicKey.challenge = decodeURLEncodedBase64(options.publicKey.challenge);
-  for (let i = 0; i < options.publicKey.allowCredentials.length; i++) {
-    options.publicKey.allowCredentials[i].id = decodeURLEncodedBase64(options.publicKey.allowCredentials[i].id);
+  for (const cred of options.publicKey.allowCredentials) {
+    cred.id = decodeURLEncodedBase64(cred.id);
   }
   const credential = await navigator.credentials.get({
     publicKey: options.publicKey
@@ -46,11 +46,11 @@ export async function initUserAuthWebAuthn() {
   try {
     await verifyAssertion(credential);
   } catch (err) {
-    if (!(options.publicKey.extensions) || !(options.publicKey.extensions.appid)) {
+    if (!options.publicKey.extensions?.appid) {
       webAuthnError('general', err.message);
       return;
     }
-    delete options.publicKey.extensions['appid'];
+    delete options.publicKey.extensions.appid;
     const credential = await navigator.credentials.get({
       publicKey: options.publicKey
     });
@@ -70,7 +70,7 @@ async function verifyAssertion(assertedCredential) {
   const sig = new Uint8Array(assertedCredential.response.signature);
   const userHandle = new Uint8Array(assertedCredential.response.userHandle);
 
-  const resp = await fetch(`${appSubUrl}/user/webauthn/assertion`, {
+  const res = await fetch(`${appSubUrl}/user/webauthn/assertion`, {
     method: 'POST',
     headers: {
       'Content-Type': 'application/json; charset=utf-8'
@@ -88,28 +88,23 @@ async function verifyAssertion(assertedCredential) {
       },
     }),
   });
-  if (resp.status === 500) {
+  if (res.status === 500) {
     webAuthnError('unknown');
     return;
-  } else if (resp.status !== 200) {
+  } else if (res.status !== 200) {
     webAuthnError('unable-to-process');
     return;
   }
-  const reply = await resp.json();
+  const reply = await res.json();
 
-  if (reply && reply['redirect']) {
-    window.location.href = reply['redirect'];
-  } else {
-    window.location.href = '/';
-  }
-}
+  window.location.href = reply?.redirect ?? '/';
 
 async function webauthnRegistered(newCredential) {
   const attestationObject = new Uint8Array(newCredential.response.attestationObject);
   const clientDataJSON = new Uint8Array(newCredential.response.clientDataJSON);
   const rawId = new Uint8Array(newCredential.rawId);
 
-  const resp = await fetch(`${appSubUrl}/user/settings/security/webauthn/register`, {
+  const res = await fetch(`${appSubUrl}/user/settings/security/webauthn/register`, {
     method: 'POST',
     headers: {
       'X-Csrf-Token': csrfToken,
@@ -126,10 +121,10 @@ async function webauthnRegistered(newCredential) {
     }),
   });
 
-  if (resp.status === 409) {
+  if (res.status === 409) {
     webAuthnError('duplicated');
     return;
-  } else if (resp.status !== 201) {
+  } else if (res.status !== 201) {
     webAuthnError('unknown');
     return;
   }
@@ -145,16 +140,9 @@ function webAuthnError(errorType, message) {
   } else {
     const elTypedError = document.querySelector(`#webauthn-error [data-webauthn-error-msg=${errorType}]`);
     if (elTypedError) {
-      if (message) {
-        elErrorMsg.textContent = `${elTypedError.textContent} ${message}`;
-      } else {
-        elErrorMsg.textContent = `${elTypedError.textContent}`;
-      }
+      elErrorMsg.textContent = `${elTypedError.textContent}${message ? ` ${message}` : ''}`;
     } else {
-      elErrorMsg.textContent = `unknown error type: ${errorType}`;
-      if (message) {
-        elErrorMsg.textContent += ` ${message}`;
-      }
+      elErrorMsg.textContent = `unknown error type: ${errorType}${message ? ` ${message}` : ''}`;
     }
   }
 
@@ -205,7 +193,7 @@ async function webAuthnRegisterRequest() {
   const body = new FormData();
   body.append('name', elNickname.value);
 
-  const resp = await fetch(`${appSubUrl}/user/settings/security/webauthn/request_register`, {
+  const res = await fetch(`${appSubUrl}/user/settings/security/webauthn/request_register`, {
     method: 'POST',
     headers: {
       'X-Csrf-Token': csrfToken,
@@ -213,22 +201,22 @@ async function webAuthnRegisterRequest() {
     body,
   });
 
-  if (resp.status === 409) {
+  if (res.status === 409) {
     webAuthnError('duplicated');
     return;
-  } else if (resp.status !== 200) {
+  } else if (res.status !== 200) {
     webAuthnError('unknown');
     return;
   }
 
-  const options = await resp.json();
+  const options = await res.json();
   elNickname.closest('div.field').classList.remove('error');
 
   options.publicKey.challenge = decodeURLEncodedBase64(options.publicKey.challenge);
   options.publicKey.user.id = decodeURLEncodedBase64(options.publicKey.user.id);
   if (options.publicKey.excludeCredentials) {
-    for (let i = 0; i < options.publicKey.excludeCredentials.length; i++) {
-      options.publicKey.excludeCredentials[i].id = decodeURLEncodedBase64(options.publicKey.excludeCredentials[i].id);
+    for (const cred of options.publicKey.excludeCredentials) {
+      cred.id = decodeURLEncodedBase64(cred.id);
     }
   }
 
@@ -238,7 +226,7 @@ async function webAuthnRegisterRequest() {
       publicKey: options.publicKey
     });
   } catch (err) {
-    if (err && err.message) {
+    if (err?.message) {
       webAuthnError('general', err.message);
     } else {
       webAuthnError('unknown', err);

From dbfdea9c0cd5ed825df98e496828e03ee101f4f1 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Thu, 2 Feb 2023 11:56:57 +0000
Subject: [PATCH 08/18] Update user-auth-webauthn.js

---
 web_src/js/features/user-auth-webauthn.js | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index 288b2dffbbc6..3dc8d8263466 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -226,11 +226,7 @@ async function webAuthnRegisterRequest() {
       publicKey: options.publicKey
     });
   } catch (err) {
-    if (err?.message) {
-      webAuthnError('general', err.message);
-    } else {
-      webAuthnError('unknown', err);
-    }
+    webAuthnError('unknown', err);
     return;
   }
 

From 983c6d36682bf7726eda93e2e184e9b1c6f73c47 Mon Sep 17 00:00:00 2001
From: Andrew Thornton <art27@cantab.net>
Date: Thu, 2 Feb 2023 18:40:30 +0000
Subject: [PATCH 09/18] fix-broken-suggestion

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 web_src/js/features/user-auth-webauthn.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index 3dc8d8263466..baba15f97190 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -98,6 +98,7 @@ async function verifyAssertion(assertedCredential) {
   const reply = await res.json();
 
   window.location.href = reply?.redirect ?? '/';
+}
 
 async function webauthnRegistered(newCredential) {
   const attestationObject = new Uint8Array(newCredential.response.attestationObject);

From b8c6827ac41133c003473688ad97175bf3ee5d72 Mon Sep 17 00:00:00 2001
From: silverwind <me@silverwind.io>
Date: Thu, 4 May 2023 22:58:50 +0200
Subject: [PATCH 10/18] move base64 functions, add test

---
 web_src/js/features/user-auth-webauthn.js | 17 +----------------
 web_src/js/utils.js                       | 17 +++++++++++++++++
 web_src/js/utils.test.js                  |  6 +++++-
 3 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index baba15f97190..f494f9e773fa 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -1,22 +1,7 @@
-import {encode, decode} from 'uint8-to-base64';
+import {encodeURLEncodedBase64, decodeURLEncodedBase64} from '../utils.js';
 
 const {appSubUrl, csrfToken} = window.config;
 
-// Encode an ArrayBuffer into a URLEncoded base64 string.
-function encodeURLEncodedBase64(value) {
-  return encode(value)
-    .replace(/\+/g, '-')
-    .replace(/\//g, '_')
-    .replace(/=/g, '');
-}
-
-// Dccode a URLEncoded base64 to an ArrayBuffer string.
-function decodeURLEncodedBase64(value) {
-  return decode(value
-    .replace(/_/g, '/')
-    .replace(/-/g, '+'));
-}
-
 export async function initUserAuthWebAuthn() {
   document.getElementById('webauthn-error')?.classList.add('hide');
 
diff --git a/web_src/js/utils.js b/web_src/js/utils.js
index 25094deea226..337a8f2ce387 100644
--- a/web_src/js/utils.js
+++ b/web_src/js/utils.js
@@ -1,3 +1,5 @@
+import {encode, decode} from 'uint8-to-base64';
+
 // transform /path/to/file.ext to file.ext
 export function basename(path = '') {
   return path ? path.replace(/^.*\//, '') : '';
@@ -149,3 +151,18 @@ export function useLightTextOnBackground(backgroundColor) {
   const brightness = (0.299 * r + 0.587 * g + 0.114 * b) / 255;
   return brightness < 0.35;
 }
+
+// Encode an ArrayBuffer into a URLEncoded base64 string.
+export function encodeURLEncodedBase64(arrayBuffer) {
+  return encode(arrayBuffer)
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=/g, '');
+}
+
+// Decode a URLEncoded base64 to an ArrayBuffer string.
+export function decodeURLEncodedBase64(base64url) {
+  return decode(base64url
+    .replace(/_/g, '/')
+    .replace(/-/g, '+'));
+}
diff --git a/web_src/js/utils.test.js b/web_src/js/utils.test.js
index 2f9e5fb47d5e..bd1129674a20 100644
--- a/web_src/js/utils.test.js
+++ b/web_src/js/utils.test.js
@@ -2,7 +2,7 @@ import {expect, test} from 'vitest';
 import {
   basename, extname, isObject, stripTags, joinPaths, parseIssueHref,
   parseUrl, translateMonth, translateDay, blobToDataURI,
-  toAbsoluteUrl,
+  toAbsoluteUrl, encodeURLEncodedBase64, decodeURLEncodedBase64,
 } from './utils.js';
 
 test('basename', () => {
@@ -132,3 +132,7 @@ test('toAbsoluteUrl', () => {
 
   expect(() => toAbsoluteUrl('path')).toThrowError('unsupported');
 });
+
+test('encodeURLEncodedBase64, decodeURLEncodedBase64', () => {
+  expect(encodeURLEncodedBase64(decodeURLEncodedBase64('foo'))).toEqual('foo');
+});

From 296133337026dc78d115ba8e51d85552549f613a Mon Sep 17 00:00:00 2001
From: Andrew Thornton <art27@cantab.net>
Date: Wed, 10 May 2023 17:19:17 +0100
Subject: [PATCH 11/18] as per reviews

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 web_src/js/features/user-auth-webauthn.js | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index 49d4e10057f2..6cb334773d63 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -16,7 +16,6 @@ export async function initUserAuthWebAuthn() {
 
   const res = await fetch(`${appSubUrl}/user/webauthn/assertion`);
   if (res.status !== 200) {
-    console.error(`Unexpected status from /user/webauthn/assertion ${res.status}`);
     webAuthnError('unknown');
     return;
   }
@@ -138,15 +137,15 @@ function webAuthnError(errorType, message) {
 
 function detectWebAuthnSupport() {
   if (!window.isSecureContext) {
-    document.getElementById('register-button').setAttribute('disabled', 'true');
-    document.getElementById('login-button').setAttribute('disabled', 'true');
+    document.getElementById('register-button').disabled = true;
+    document.getElementById('login-button').disabled = true;
     webAuthnError('insecure');
     return false;
   }
 
   if (typeof window.PublicKeyCredential !== 'function') {
-    document.getElementById('register-button').setAttribute('disabled', 'true');
-    document.getElementById('login-button').setAttribute('disabled', 'true');
+    document.getElementById('register-button').disabled = true;
+    document.getElementById('login-button').disabled = true;
     webAuthnError('browser');
     return false;
   }
@@ -162,7 +161,7 @@ export function initUserAuthWebAuthnRegister() {
     return;
   }
 
-  document.getElementById('webauthn-error')?.classList.add('hide');
+  document.getElementById('webauthn-error')?.classList.add('gt-hidden');
 
   elRegister.addEventListener('click', (e) => {
     e.preventDefault();

From e4020206cbca0e64d4ee8baa64ef59b60212d9d0 Mon Sep 17 00:00:00 2001
From: Andrew Thornton <art27@cantab.net>
Date: Wed, 10 May 2023 17:23:42 +0100
Subject: [PATCH 12/18] more reviews

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 web_src/js/features/user-auth-webauthn.js |  2 --
 web_src/js/utils.js                       | 15 ---------------
 2 files changed, 17 deletions(-)

diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index 6cb334773d63..ac1d434a2131 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -154,8 +154,6 @@ function detectWebAuthnSupport() {
 }
 
 export function initUserAuthWebAuthnRegister() {
-  document.getElementById('webauthn-error')?.classList.add('gt-hidden');
-
   const elRegister = document.getElementById('register-webauthn');
   if (!elRegister) {
     return;
diff --git a/web_src/js/utils.js b/web_src/js/utils.js
index 337a8f2ce387..a0698911c383 100644
--- a/web_src/js/utils.js
+++ b/web_src/js/utils.js
@@ -137,21 +137,6 @@ export function toAbsoluteUrl(url) {
   return `${window.location.origin}${url}`;
 }
 
-// determine if light or dark text color should be used on a given background color
-// NOTE: see models/issue_label.go for similar implementation
-export function useLightTextOnBackground(backgroundColor) {
-  if (backgroundColor[0] === '#') {
-    backgroundColor = backgroundColor.substring(1);
-  }
-  // Perceived brightness from: https://www.w3.org/TR/AERT/#color-contrast
-  // In the future WCAG 3 APCA may be a better solution.
-  const r = parseInt(backgroundColor.substring(0, 2), 16);
-  const g = parseInt(backgroundColor.substring(2, 4), 16);
-  const b = parseInt(backgroundColor.substring(4, 6), 16);
-  const brightness = (0.299 * r + 0.587 * g + 0.114 * b) / 255;
-  return brightness < 0.35;
-}
-
 // Encode an ArrayBuffer into a URLEncoded base64 string.
 export function encodeURLEncodedBase64(arrayBuffer) {
   return encode(arrayBuffer)

From c4fd5bbd972cdaa89dc5cdc30ea9718502c2acec Mon Sep 17 00:00:00 2001
From: Andrew Thornton <art27@cantab.net>
Date: Wed, 10 May 2023 18:02:39 +0100
Subject: [PATCH 13/18] add more testcases

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 web_src/js/utils.test.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/web_src/js/utils.test.js b/web_src/js/utils.test.js
index bd1129674a20..cf73b63b9901 100644
--- a/web_src/js/utils.test.js
+++ b/web_src/js/utils.test.js
@@ -134,5 +134,7 @@ test('toAbsoluteUrl', () => {
 });
 
 test('encodeURLEncodedBase64, decodeURLEncodedBase64', () => {
-  expect(encodeURLEncodedBase64(decodeURLEncodedBase64('foo'))).toEqual('foo');
+  expect(encodeURLEncodedBase64(decodeURLEncodedBase64('foo'))).toEqual('foo'); // No = padding
+  expect(encodeURLEncodedBase64(decodeURLEncodedBase64('a-minus'))).toEqual('a-minus');
+  expect(encodeURLEncodedBase64(decodeURLEncodedBase64('_underscorc'))).toEqual('_underscorc');
 });

From d412383351dce40b3d9791cae91635e19fb0b346 Mon Sep 17 00:00:00 2001
From: silverwind <me@silverwind.io>
Date: Mon, 5 Jun 2023 18:17:00 +0200
Subject: [PATCH 14/18] Update web_src/js/features/user-auth-webauthn.js

Co-authored-by: delvh <dev.lh@web.de>
---
 web_src/js/features/user-auth-webauthn.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index ac1d434a2131..9440bca7088a 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -118,7 +118,7 @@ async function webauthnRegistered(newCredential) {
 }
 
 function webAuthnError(errorType, message) {
-  const elErrorMsg = document.querySelector(`#webauthn-error-msg`);
+  const elErrorMsg = document.getElementById(`webauthn-error-msg`);
 
   if (errorType === 'general') {
     elErrorMsg.textContent = message || 'unknown error';

From 63e417ea699c60cc00147ededbe288babdcac295 Mon Sep 17 00:00:00 2001
From: silverwind <me@silverwind.io>
Date: Mon, 5 Jun 2023 20:35:31 +0200
Subject: [PATCH 15/18] remove p tags, remove stange box-shadow

---
 templates/user/auth/webauthn_error.tmpl | 18 +++++++++---------
 web_src/css/repo.css                    |  5 -----
 2 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/templates/user/auth/webauthn_error.tmpl b/templates/user/auth/webauthn_error.tmpl
index d4caad0d2db6..0c3fb0ba4abd 100644
--- a/templates/user/auth/webauthn_error.tmpl
+++ b/templates/user/auth/webauthn_error.tmpl
@@ -1,16 +1,16 @@
 <div id="webauthn-error" class="ui small gt-hidden">
-	<div class="content ui negative message">
+	<div class="content ui negative message gt-df gt-fc gt-gap-3">
 		<div class="header">
 			{{.locale.Tr "webauthn_error"}}
 		</div>
-		<div id="webauthn-error-msg" class="">
+		<div id="webauthn-error-msg">
 		</div>
-		<div class="gt-hidden" data-webauthn-error-msg="browser"><p>{{.locale.Tr "webauthn_unsupported_browser"}}</div>
-		<div class="gt-hidden" data-webauthn-error-msg="unknown"><p>{{.locale.Tr "webauthn_error_unknown"}}</div>
-		<div class="gt-hidden" data-webauthn-error-msg="insecure"><p>{{.locale.Tr "webauthn_error_insecure"}}</div>
-		<div class="gt-hidden" data-webauthn-error-msg="unable-to-process"><p>{{.locale.Tr "webauthn_error_unable_to_process"}}</div>
-		<div class="gt-hidden" data-webauthn-error-msg="duplicated"><p>{{.locale.Tr "webauthn_error_duplicated"}}</div>
-		<div class="gt-hidden" data-webauthn-error-msg="empty"><p>{{.locale.Tr "webauthn_error_empty"}}</div>
-		<div class="gt-hidden" data-webauthn-error-msg="timeout"><p>{{.locale.Tr "webauthn_error_timeout"}}</div>
+		<div class="gt-hidden" data-webauthn-error-msg="browser">{{.locale.Tr "webauthn_unsupported_browser"}}</div>
+		<div class="gt-hidden" data-webauthn-error-msg="unknown">{{.locale.Tr "webauthn_error_unknown"}}</div>
+		<div class="gt-hidden" data-webauthn-error-msg="insecure">{{.locale.Tr "webauthn_error_insecure"}}</div>
+		<div class="gt-hidden" data-webauthn-error-msg="unable-to-process">{{.locale.Tr "webauthn_error_unable_to_process"}}</div>
+		<div class="gt-hidden" data-webauthn-error-msg="duplicated">{{.locale.Tr "webauthn_error_duplicated"}}</div>
+		<div class="gt-hidden" data-webauthn-error-msg="empty">{{.locale.Tr "webauthn_error_empty"}}</div>
+		<div class="gt-hidden" data-webauthn-error-msg="timeout">{{.locale.Tr "webauthn_error_timeout"}}</div>
 	</div>
 </div>
diff --git a/web_src/css/repo.css b/web_src/css/repo.css
index b2b544a7ea1a..4e300be87879 100644
--- a/web_src/css/repo.css
+++ b/web_src/css/repo.css
@@ -2405,11 +2405,6 @@
   padding-bottom: 0 !important;
 }
 
-.settings .content > .header,
-.settings .content .segment {
-  box-shadow: 0 1px 2px 0 var(--color-box-header);
-}
-
 .settings.webhooks .list > .item:not(:first-child),
 .settings.githooks .list > .item:not(:first-child),
 .settings.actions .list > .item:not(:first-child) {

From fd08d9e2ac846772773863c38e0569878444b2bd Mon Sep 17 00:00:00 2001
From: silverwind <me@silverwind.io>
Date: Mon, 5 Jun 2023 20:39:17 +0200
Subject: [PATCH 16/18] add message header colors

---
 web_src/css/base.css | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/web_src/css/base.css b/web_src/css/base.css
index 49bdfed1b74d..b352e6d98e18 100644
--- a/web_src/css/base.css
+++ b/web_src/css/base.css
@@ -699,6 +699,11 @@ a.label,
   border: 1px solid var(--color-secondary);
 }
 
+.ui.info.message .header,
+.ui.blue.message .header {
+  color: var(--color-blue);
+}
+
 .ui.info.message,
 .ui.attached.info.message,
 .ui.blue.message,
@@ -708,6 +713,12 @@ a.label,
   border-color: var(--color-info-border);
 }
 
+.ui.success.message .header,
+.ui.positive.message .header,
+.ui.green.message .header {
+  color: var(--color-green);
+}
+
 .ui.success.message,
 .ui.attached.success.message,
 .ui.positive.message,
@@ -717,6 +728,12 @@ a.label,
   border-color: var(--color-success-border);
 }
 
+.ui.error.message .header,
+.ui.negative.message .header,
+.ui.red.message .header {
+  color: var(--color-red);
+}
+
 .ui.error.message,
 .ui.attached.error.message,
 .ui.red.message,
@@ -728,6 +745,11 @@ a.label,
   border-color: var(--color-error-border);
 }
 
+.ui.warning.message .header,
+.ui.yellow.message .header {
+  color: var(--color-yellow);
+}
+
 .ui.warning.message,
 .ui.attached.warning.message,
 .ui.yellow.message,

From 93ba2326687450727181bfae3024e926a0934efb Mon Sep 17 00:00:00 2001
From: silverwind <me@silverwind.io>
Date: Mon, 5 Jun 2023 20:42:59 +0200
Subject: [PATCH 17/18] use showElem, hideElem

---
 web_src/js/features/user-auth-webauthn.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/web_src/js/features/user-auth-webauthn.js b/web_src/js/features/user-auth-webauthn.js
index 9440bca7088a..8085313d223e 100644
--- a/web_src/js/features/user-auth-webauthn.js
+++ b/web_src/js/features/user-auth-webauthn.js
@@ -1,9 +1,10 @@
 import {encodeURLEncodedBase64, decodeURLEncodedBase64} from '../utils.js';
+import {showElem, hideElem} from '../utils/dom.js';
 
 const {appSubUrl, csrfToken} = window.config;
 
 export async function initUserAuthWebAuthn() {
-  document.getElementById('webauthn-error')?.classList.add('gt-hidden');
+  hideElem('#webauthn-error');
 
   const elPrompt = document.querySelector('.user.signin.webauthn-prompt');
   if (!elPrompt) {
@@ -131,8 +132,7 @@ function webAuthnError(errorType, message) {
     }
   }
 
-  const elWebauthnError = document.getElementById('webauthn-error');
-  elWebauthnError.classList.remove('gt-hidden');
+  showElem('#webauthn-error');
 }
 
 function detectWebAuthnSupport() {
@@ -159,7 +159,7 @@ export function initUserAuthWebAuthnRegister() {
     return;
   }
 
-  document.getElementById('webauthn-error')?.classList.add('gt-hidden');
+  hideElem('#webauthn-error');
 
   elRegister.addEventListener('click', (e) => {
     e.preventDefault();

From 41dba0c9a6d08277eff6191579007d69b104883e Mon Sep 17 00:00:00 2001
From: silverwind <me@silverwind.io>
Date: Mon, 5 Jun 2023 20:44:35 +0200
Subject: [PATCH 18/18] reformat html

---
 templates/user/auth/webauthn_error.tmpl | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/templates/user/auth/webauthn_error.tmpl b/templates/user/auth/webauthn_error.tmpl
index 0c3fb0ba4abd..f90882ef121f 100644
--- a/templates/user/auth/webauthn_error.tmpl
+++ b/templates/user/auth/webauthn_error.tmpl
@@ -1,10 +1,7 @@
 <div id="webauthn-error" class="ui small gt-hidden">
 	<div class="content ui negative message gt-df gt-fc gt-gap-3">
-		<div class="header">
-			{{.locale.Tr "webauthn_error"}}
-		</div>
-		<div id="webauthn-error-msg">
-		</div>
+		<div class="header">{{.locale.Tr "webauthn_error"}}</div>
+		<div id="webauthn-error-msg"></div>
 		<div class="gt-hidden" data-webauthn-error-msg="browser">{{.locale.Tr "webauthn_unsupported_browser"}}</div>
 		<div class="gt-hidden" data-webauthn-error-msg="unknown">{{.locale.Tr "webauthn_error_unknown"}}</div>
 		<div class="gt-hidden" data-webauthn-error-msg="insecure">{{.locale.Tr "webauthn_error_insecure"}}</div>