Add support for FIDO U2F #3971

Merged
merged 19 commits into go-gitea:master from jonasfranz:u2f May 19, 2018

Conversation

@jonasfranz
Member

jonasfranz commented May 15, 2018

Fixes #1024

Adds support for FIDO U2F as an addition to Two-Factor Authentication by Phone. Currently it only works with Chrome, but I am trying to support Firefox and Android too.

Requirements

  • FIDO U2F certified key
  • Access via https

Video example

gitea fido u2f demo

TODO

  • Improve error handling
  • Android (Chrome) support
  • iOS support (Hardware required) (no software support by iOS currently)
  • Firefox support auth
  • Firefox support register
  • Expiration timer
  • Redirect / Check for https
  • Add tests (lots of tests)

iOS

I cannot test iOS at the moment because my security key does not support Bluetooth LE. If you want to provide me a BLE key, please contact me via Discord. Thanks to @techknowlogick for sponsoring a Bluetooth LE key.

jonasfranz added some commits May 15, 2018

Add support for U2F
Signed-off-by: Jonas Franz <info@jonasfranz.software>
Add vendor library
Add missing translations

Signed-off-by: Jonas Franz <info@jonasfranz.software>
Minor improvements
Signed-off-by: Jonas Franz <info@jonasfranz.software>
@codecov-io


codecov-io commented May 15, 2018

Codecov Report

Merging #3971 into master will decrease coverage by 0.01%.
The diff coverage is 15.81%.


@@            Coverage Diff             @@
##           master    #3971      +/-   ##
==========================================
- Coverage   20.08%   20.06%   -0.02%     
==========================================
  Files         151      153       +2     
  Lines       29874    30122     +248     
==========================================
+ Hits         6000     6044      +44     
- Misses      22968    23168     +200     
- Partials      906      910       +4
Impacted Files                          Coverage Δ
routers/user/auth.go                    0%      <0%>      (ø) ⬆️
routers/user/setting/security.go        0%      <0%>      (ø) ⬆️
routers/user/setting/security_u2f.go    0%      <0%>      (ø)
models/models.go                        29.18%  <100%>    (+0.3%) ⬆️
models/error.go                         20.22%  <60%>     (+0.56%) ⬆️
models/u2f.go                           63.15%  <63.15%>  (ø)
models/unit_tests.go                    72.56%  <0%>      (+3.53%) ⬆️

Powered by Codecov. Last update f933bcd...378b921.

@bkcsoft bkcsoft added the lgtm/need 2 label May 15, 2018

@jonasfranz

Member

jonasfranz commented May 16, 2018

jonasfranz added some commits May 16, 2018

Add U2F support for Firefox, Chrome (Android) by introducing a custom JS library

Add U2F error handling

Signed-off-by: Jonas Franz <info@jonasfranz.software>

@lunny lunny added this to the 1.x.x milestone May 16, 2018

jonasfranz added some commits May 16, 2018

Add U2F login page to OAuth
Signed-off-by: Jonas Franz <info@jonasfranz.software>
Merge branch 'master' into u2f
# Conflicts:
#	routers/user/setting.go
Move U2F user settings to a separate file
Signed-off-by: Jonas Franz <info@jonasfranz.software>

jonasfranz added some commits May 17, 2018

Add unit tests for u2f model
Renamed u2f table name

Signed-off-by: Jonas Franz <info@jonasfranz.software>
Fix problems caused by refactoring
Signed-off-by: Jonas Franz <info@jonasfranz.software>

@lafriks lafriks modified the milestones: 1.x.x, 1.5.0 May 17, 2018

@lafriks lafriks added the changelog label May 17, 2018

@techknowlogick

Member

techknowlogick commented May 18, 2018

Firefox support above is checked off; however, I'm using FF 60.0 (64-bit) on MacOS 10.13.4, and I receive the following message:
screen shot 2018-05-17 at 9 21 06 pm

The key I'm using is: https://www.yubico.com/product/yubikey-neo/

Is FF support just FF Mobile?

(I see a similar message when trying to add this key to GitHub, so it is likely my browser just has issues with U2F)

@@ -570,6 +570,14 @@ MAX_RESPONSE_ITEMS = 50
LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR
NAMES = English,简体中文,繁體中文(香港),繁體中文(台灣),Deutsch,français,Nederlands,latviešu,русский,日本語,español,português do Brasil,polski,български,italiano,suomi,Türkçe,čeština,српски,svenska,한국어

[U2F]
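Review bot: the `[U2F]` section header this hunk adds to app.ini.sample is empty, so a reader of the sample cannot tell what the section configures or what its settings default to; add a `;` comment line describing the section and list its keys with their default values under it, so the sample stays self-describing and consistent with the real defaults.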


@techknowlogick

techknowlogick May 18, 2018

Member

Could you add a U2F section to the "Config Cheatsheet" page in the docs?

@jonasfranz

Member

jonasfranz commented May 18, 2018

@techknowlogick Did you enable u2f via about:config?
Firefox Mobile for Android does not work at the moment because Google Authenticator only supports Chrome Mobile and not Firefox. U2F is handled by Google Authenticator at the moment. If you enable U2F via about:config on Firefox Mobile, it does not work either.

Add U2F documentation
Signed-off-by: Jonas Franz <info@jonasfranz.software>
@techknowlogick

Member

techknowlogick commented May 18, 2018

@JonasFranzDEV Ah yes. Thank you for pointing me in that direction. Seems FF has it disabled by default. Enabled it and it works flawlessly.

LGTM

@bkcsoft bkcsoft added lgtm/need 1 and removed lgtm/need 2 labels May 18, 2018

[U2F]
; Two Factor authentication with security keys
; https://developers.yubico.com/U2F/App_ID.html
APP_ID = https://example.com
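Review bot: `APP_ID = https://example.com` in this snippet is a placeholder rather than a default, and because U2F registrations are bound to the App ID (see the linked App_ID page), an operator who copies the sample unchanged will register keys against an origin they do not serve; either leave the key empty with a comment stating what it defaults to, or have the comment say that the value should be the origin users sign in at (the ROOT_URL origin).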


@lafriks

lafriks May 18, 2018

Member

app.ini.sample should contain values that are same as default
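A startup check for the setting discussed in this review thread, added here as an illustration and not code from the Gitea pull request: it resolves the [U2F] APP_ID, falls back to the origin of ROOT_URL when the key is left empty (an assumed default for this example, not something this page states), rejects values that are not https or not a bare origin, and flags an App ID whose origin differs from ROOT_URL, which is the usual reason a freshly registered key will not sign. The U2FConfig struct, the function names and the sample settings are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// U2FConfig holds the two settings the review above touches: ROOT_URL from
// the [server] section and APP_ID from the new [U2F] section. The struct and
// field names are this example's own, not Gitea's.
type U2FConfig struct {
	RootURL string
	AppID   string
}

var (
	ErrNoRootURL = errors.New("ROOT_URL is required to derive a default U2F APP_ID")
	ErrNotHTTPS  = errors.New("U2F APP_ID must use the https scheme")
	ErrNotOrigin = errors.New("U2F APP_ID must be a bare origin (https://host[:port]) with no path, query, fragment or credentials")
)

// originOf reduces a parsed URL to scheme://host[:port], lower-cased.
func originOf(u *url.URL) string {
	return strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host)
}

// ResolveAppID returns the App ID to hand to the browser. An empty APP_ID
// falls back to the origin of ROOT_URL (an assumed default for this example).
// An explicit value must be an https origin: U2F is only exposed on secure
// contexts, and this example takes the conservative stance that the App ID is
// the origin users sign in at, as in the sample config. The spec's alternative,
// an App ID URL pointing at a facet list, is deliberately not handled here.
func ResolveAppID(cfg U2FConfig) (string, error) {
	raw := strings.TrimSpace(cfg.AppID)
	if raw == "" {
		if strings.TrimSpace(cfg.RootURL) == "" {
			return "", ErrNoRootURL
		}
		root, err := url.Parse(cfg.RootURL)
		if err != nil {
			return "", err
		}
		raw = originOf(root)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if strings.ToLower(u.Scheme) != "https" {
		return "", ErrNotHTTPS
	}
	if u.Host == "" || (u.Path != "" && u.Path != "/") || u.RawQuery != "" || u.Fragment != "" || u.User != nil {
		return "", ErrNotOrigin
	}
	return originOf(u), nil
}

// OriginMismatch reports whether the resolved App ID differs from the origin
// of ROOT_URL. Registrations are bound to the App ID, so a mismatch is the
// usual reason a key registered on one URL will not sign on another; it is
// worth surfacing at startup even though multi-facet setups can be legitimate.
func OriginMismatch(cfg U2FConfig) (bool, error) {
	appID, err := ResolveAppID(cfg)
	if err != nil {
		return false, err
	}
	if strings.TrimSpace(cfg.RootURL) == "" {
		return false, ErrNoRootURL
	}
	root, err := url.Parse(cfg.RootURL)
	if err != nil {
		return false, err
	}
	return appID != originOf(root), nil
}

func main() {
	// Constructed sample settings, not taken from any real app.ini.
	samples := []U2FConfig{
		{RootURL: "https://git.example.org/", AppID: ""},
		{RootURL: "https://git.example.org/", AppID: "https://example.com"},
		{RootURL: "https://git.example.org/", AppID: "http://git.example.org"},
		{RootURL: "https://git.example.org/", AppID: "https://git.example.org/u2f?x=1"},
	}
	for _, cfg := range samples {
		id, err := ResolveAppID(cfg)
		if err != nil {
			fmt.Printf("APP_ID %q: rejected: %v\n", cfg.AppID, err)
			continue
		}
		mismatch, _ := OriginMismatch(cfg)
		fmt.Printf("APP_ID %q -> %s (differs from ROOT_URL origin: %t)\n", cfg.AppID, id, mismatch)
	}
}
```

Running the check once at startup, before any registration is accepted, turns a silent mismatch (keys that register fine but never sign) into a visible configuration error; the http rejection also covers the "Access via https" requirement from the PR description.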

@genofire

genofire left a comment

Nice work - thank you
(Have some comments from reading through it)

u2fApi.ensureSupport()
  .then(function () {
    $.getJSON('/user/u2f/challenge').success(function(req) {
      console.log(req);


@genofire

genofire May 18, 2018

Still needed?

      if (req.registeredKeys === null) {
        req.registeredKeys = [];
      }
      console.log(req);


@genofire

genofire May 18, 2018

Still needed?

      $.ajax({
        url: '/user/u2f/sign',
        type: "POST",
        headers: {"X-Csrf-Token": csrf},


@genofire

genofire May 18, 2018

I would like X-CSRF-Token correct camelCase.


@jonasfranz

jonasfranz May 19, 2018

Member

We use this in many other places in index.js, so I would propose to keep the current solution.

        if (checkError(resp)) {
          return;
        }
        console.log(resp);


@genofire

genofire May 18, 2018

Still needed?

      $.ajax({
        url: '/user/settings/security/u2f/register',
        type: "POST",
        headers: {"X-Csrf-Token": csrf},


jonasfranz added some commits May 19, 2018

Remove not needed console.log-s
Signed-off-by: Jonas Franz <info@jonasfranz.software>
Add default values to app.ini.sample
Add FIDO U2F to comparison

Signed-off-by: Jonas Franz <info@jonasfranz.software>
@lafriks

Member

lafriks commented May 19, 2018

I can not really test this but otherwise LGTM

@bkcsoft bkcsoft added lgtm/done and removed lgtm/need 1 labels May 19, 2018

@lafriks lafriks merged commit 951309f into go-gitea:master May 19, 2018

3 checks passed

Codacy/PR Quality Review: Up to standards. A positive pull request.
approvals/lgtm: this commit looks good
continuous-integration/drone/pr: the build was successful

@jonasfranz jonasfranz deleted the jonasfranz:u2f branch May 19, 2018

@webjoel

Contributor

webjoel commented May 21, 2018

The default locale (english) for text (settings:u2f_desc): "Security keys are hardware devices containing cryptograhic keys. They could be used for two factor authentication. The security key must support the FIDO U2F standard." is incorrect in word "cryptograhic", correct is "cryptographic".

@jonasfranz

Member

jonasfranz commented May 21, 2018

@lafriks

Member

lafriks commented May 21, 2018

Somebody already fixed it

@TheAssassin


TheAssassin commented Jun 25, 2018

Can you tell when this feature will be released?

@jonasfranz

Member

jonasfranz commented Jun 26, 2018

We're trying to release 1.5 in the next days since we have only ~1-2 PRs which must be merged.

aswild added a commit to aswild/gitea that referenced this pull request Jul 6, 2018

Merge tag 'v1.5.0-rc1' into wild/v1.5
* SECURITY
  * Limit uploaded avatar image-size to 4096x3072 by default (go-gitea#4353)
  * Do not allow to reuse TOTP passcode (go-gitea#3878)
* FEATURE
  * Add cli commands to regen hooks & keys (go-gitea#3979)
  * Add support for FIDO U2F (go-gitea#3971)
  * Added user language setting (go-gitea#3875)
  * LDAP Public SSH Keys synchronization (go-gitea#1844)
  * Add topic support (go-gitea#3711)
  * Multiple assignees (go-gitea#3705)
  * Add protected branch whitelists for merging (go-gitea#3689)
  * Global code search support (go-gitea#3664)
  * Add label descriptions (go-gitea#3662)
  * Add issue search via API (go-gitea#3612)
  * Add repository setting to enable/disable health checks (go-gitea#3607)
  * Emoji Autocomplete (go-gitea#3433)
  * Implements generator cli for secrets (go-gitea#3531)
* ENHANCEMENT
  * Add more webhooks support and refactor webhook templates directory (go-gitea#3929)
  * Add new option to allow only OAuth2/OpenID user registration (go-gitea#3910)
  * Add option to use paged LDAP search when synchronizing users (go-gitea#3895)
  * Symlink icons (go-gitea#1416)
  * Improve release page UI (go-gitea#3693)
  * Add admin dashboard option to run health checks (go-gitea#3606)
  * Add branch link in branch list (go-gitea#3576)
  * Reduce sql query times in retrieveFeeds (go-gitea#3547)
  * Option to enable or disable swagger endpoints (go-gitea#3502)
  * Add missing licenses (go-gitea#3497)
  * Reduce repo indexer disk usage (go-gitea#3452)
  * Enable caching on assets and avatars (go-gitea#3376)
  * Add repository search ordered by stars/forks. Forks column in admin repo list (go-gitea#3969)
  * Add Environment Variables to Docker template (go-gitea#4012)
  * LFS: make HTTP auth period configurable (go-gitea#4035)
  * Add config path as an optionial flag when changing pass via CLI (go-gitea#4184)
  * Refactor User Settings sections (go-gitea#3900)
  * Allow square brackets in external issue patterns (go-gitea#3408)
  * Add Attachment API (go-gitea#3478)
  * Add EnableTimetracking option to app settings (go-gitea#3719)
  * Add config option to enable or disable log executed SQL (go-gitea#3726)
  * Shows total tracked time in issue and milestone list (go-gitea#3341)
* TRANSLATION
  * Improve English grammar and consistency (go-gitea#3614)
* DEPLOYMENT
  * Allow Gitea to run as different USER in Docker (go-gitea#3961)
  * Provide compressed release binaries (go-gitea#3991)
  * Sign release binaries (go-gitea#4188)