WebAuthn failing in Chrome for incompatible versions & on modal fail/cancellation #6050
Comments
This version of Chrome is fairly out of date. Would it be possible to try with a more recent release of Chrome @webknjaz?
It'll take some time for me to get it, but from what I see it should be a bug on the JS side unrelated to a browser.
Specifically this log line makes it appear that it's not an issue with JS served by warehouse, but rather on the browser side, as the attestation never completed. WebAuthn requires browser implementations to "play nicely", and in this case it appears the browser did not ever respond. Was there a pop over requesting access to the token?
Right. No pop-up. I've just tried on a PixelBook (Chrome 75, /me navigates to the Google Chrome changelog for more details
This suggests that they've added some webauthn support in Chrome 67: https://developers.google.com/web/updates/2018/05/webauthn
So it seems like the better support for WebAuthn was introduced around January. It probably makes sense to put a big red warning next to the 2FA setting if the browser is old...
So what's the minimum Chrome version that properly supports WebAuthn, including
https://webauthn.guide/ states this:
So probably matching release dates should give proper versions.
There was a stable release of Chrome 72 in Jan 2019. If someone wants to, they can investigate to see if this information is available on Google's Chrome Releases blog:
I think this may hit non-Chrome users as well.
They might have changed it since I last checked, but I believe GitHub doesn't actually use WebAuthn for security keys yet -- I believe they're still on U2F via Chrome 74 on macOS works for me, as does FF latest on macOS. At the risk of speculating idly, maybe it's a CTAP issue with Linux + Chrome? I vaguely remember having to add
Nah, that's def on the browser side ;)
Google Accounts uses webauthn for login, but not registration.
Just confirmed that it works on Chrom(e|ium) 75 (Ubuntu 18.04). Chrome 67 was released in May 2018 and WebAuthn Level 1 wasn't formally released until March of this year, so it's entirely possible that we're seeing either the effects of a spec change or just a buggy early implementation. Perusing through the chromium issue tracker, I think the latter is a safe bet. Either way, it'd be interesting to see what exactly is failing. @webknjaz, would you be able to run a local deployment and insert some
Do you mean that I'd need to run it with a front-end build in dev mode with src-maps?
Hey, sorry for the late response. You shouldn't need the source maps, it should be sufficient to just pepper some
Can I just stick some breakpoints in DevTools then?
Yep, that should also work.
I mean, I should be able to do this in the prod PyPI, right?
Ah, yes. Nothing should be different in prod.
That's better! Because I cannot find time to spin up everything locally right now :) I thought that maybe it's minimized there.
Hm... It's minified and my browser doesn't pick up srcmaps for some reason.
This should be resolved, there was a misconfiguration on test.pypi.org that was not present on pypi.org. Can you attempt to reproduce and update us if it is still not working?
Hm... Setting breakpoints in https://github.com/pypa/warehouse/blob/0d9c726/warehouse/static/js/warehouse/utils/bind-modal-keys.js#L43 doesn't work for me.
I was able to set some breakpoints but no success figuring out where the exception happens. Only that it's in some promise...
So I set up a local instance. I commented out the whole I think that maybe srcmaps aren't generated properly... |
I have a feeling that some promise hasn't been
I believe that one of the problems is that
After doing some debugging with @webknjaz, I noticed that I can reproduce this exception in modern Chrome as well by simply clicking "Provision key" and then canceling the in-browser modal that appears, so it seems like there's two issues here:
After further debugging, I've found out that https://github.com/pypa/warehouse/blob/1d8e0fa/warehouse/static/js/warehouse/utils/webauthn.js#L163
So I've tried https://demo.yubico.com/u2f and https://demo.yubico.com/webauthn. So does Warehouse only implement this internal authenticator type support?
I've noticed there's
> u2f.getApiVersion(console.log)
{js_api_version: 1.1}
If modern browsers have a different one — maybe that's it?
Also, this article https://www.ubisecure.com/api/fido-webauthn-api/ suggests using
Here's the output for me:
> PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable().then(console.log)
Promise {<pending>}
false
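To make the two failure modes separated above concrete (an old browser that never shows the prompt, and a modern browser whose prompt the user cancels) alongside the feature-detection calls tried in the console, here is an added example in JavaScript. It is not Warehouse's code and not from anyone in this thread. It assumes a registration-options JSON shape with base64url-encoded challenge and user.id (the sample below is constructed), it takes the browser globals as a `win` parameter so it can run with fakes outside a browser, and every function name in it (`provisionKey`, `detectWebAuthnSupport`, `makeFakeWindow`, `toCreationOptions`) is this example's own.

```javascript
// Added example, not code from Warehouse or from anyone in this thread. It wraps
// the WebAuthn registration call so a browser that never answers and a user who
// cancels the prompt both become ordinary return values instead of an unhandled
// promise rejection. All function names here are this example's own.

// Decode the base64url strings (challenge, user.id) a server sends as JSON into
// the Uint8Array that navigator.credentials.create() requires.
function base64UrlToBytes(s) {
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of s.replace(/=+$/, "")) {
    const v = alphabet.indexOf(ch);
    if (v < 0) throw new Error("invalid base64url character: " + ch);
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the unconsumed low bits
    }
  }
  return Uint8Array.from(out);
}

// Convert the server's JSON into PublicKeyCredentialCreationOptions: challenge
// and user.id become byte arrays, every other field is copied through.
function toCreationOptions(json) {
  return {
    ...json,
    challenge: base64UrlToBytes(json.challenge),
    user: { ...json.user, id: base64UrlToBytes(json.user.id) },
  };
}

// Feature detection: browsers that predate WebAuthn Level 1 lack the
// PublicKeyCredential global or navigator.credentials.create().
function detectWebAuthnSupport(win) {
  if (!win || typeof win.PublicKeyCredential !== "function") {
    return { supported: false, reason: "no PublicKeyCredential global" };
  }
  const creds = win.navigator && win.navigator.credentials;
  if (!creds || typeof creds.create !== "function") {
    return { supported: false, reason: "no navigator.credentials.create" };
  }
  return { supported: true, reason: "ok" };
}

// Register a key and map every outcome to a status the UI can show.
async function provisionKey(win, optionsJson, timeoutMs = 60000) {
  const support = detectWebAuthnSupport(win);
  if (!support.supported) return { status: "unsupported", detail: support.reason };
  // A browser that never shows the prompt also never settles the promise; race
  // the call against a timer so the page can report it instead of hanging.
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error("webauthn-timeout")), timeoutMs);
  });
  try {
    const cred = await Promise.race([
      win.navigator.credentials.create({ publicKey: toCreationOptions(optionsJson) }),
      timeout,
    ]);
    if (!cred) return { status: "failed", detail: "create() returned no credential" };
    return { status: "ok", credentialId: cred.id };
  } catch (err) {
    // Dismissing the modal (or the authenticator refusing) rejects with a
    // DOMException named NotAllowedError: that is the cancel case, not a bug.
    if (err && err.name === "NotAllowedError") return { status: "cancelled", detail: err.message };
    if (err && err.message === "webauthn-timeout") return { status: "timeout", detail: `no response after ${timeoutMs} ms` };
    return { status: "failed", detail: err && err.name ? err.name : String(err) };
  } finally {
    clearTimeout(timer);
  }
}

// Constructed fakes standing in for a browser window in each scenario.
function makeFakeWindow(mode) {
  if (mode === "legacy") return { navigator: {} }; // no WebAuthn at all
  const create = () => {
    if (mode === "cancel") {
      const err = new Error("The operation either timed out or was not allowed.");
      err.name = "NotAllowedError";
      return Promise.reject(err);
    }
    if (mode === "hang") return new Promise(() => {}); // prompt never appears
    return Promise.resolve({ id: "constructed-credential-id" });
  };
  return { PublicKeyCredential: function () {}, navigator: { credentials: { create } } };
}

// Constructed sample of the registration-options JSON a server might return.
const SAMPLE_OPTIONS = {
  rp: { name: "example", id: "example.test" },
  user: { id: "AQID", name: "alice", displayName: "Alice" },
  challenge: "aGVsbG8",
  pubKeyCredParams: [{ type: "public-key", alg: -7 }],
};

// Run every fake through the wrapper and collect the status each produced.
async function runScenarios(timeoutMs = 50) {
  const results = {};
  for (const mode of ["ok", "cancel", "hang", "legacy"]) {
    results[mode] = (await provisionKey(makeFakeWindow(mode), SAMPLE_OPTIONS, timeoutMs)).status;
  }
  return results;
}

runScenarios().then((r) => console.log(r));
```

In a page, the caller passes `window` as `win` and switches on `status`: "unsupported" is the case for an old-browser warning next to the 2FA setting, "cancelled" should simply reset the button, and "timeout" is the signal that the browser never answered at all.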
I probably nailed it. Needs testing tho. On the platforms I don't have. #6264.
Wrong guess...
@woodruffw So I've tried it out locally. Nothing happens on the first click. But when I click
Contractors on the OTF-funded work need to stop work on the security features in order to ensure we complete the accessibility and internationalization work by the end of the month. Therefore, while this is necessary to get us out of beta for this feature #5661 (comment), I'm removing it from the milestone.
@woodruffw did you mean to also close this?
Yes! Thanks @webknjaz.
@webknjaz reported:
@brainwane I've tried that on Test PyPI.
So I have a TOTP set up. I clicked on "Add 2FA with security key". It prompted me to enter a "Key name", which I did (Yubikey Neo).
STR
After that, clicking "Provision key" does nothing visually. So I've opened DevTools. I can see a successful GET request to https://test.pypi.org/manage/account/webauthn-provision/options with some JSON payload in the response. It looks legit, contains my user data and a challenge.
After clicking more times on that button, each of them produces an exception being logged to the JS console.
The same happens on prod PyPI, in incognito mode, with browser extensions disabled.
Runtime
Google Chrome Version 69.0.3497.81 (Official Build) (64-bit) running Gentoo Linux
Trace
Originally posted by @webknjaz in #5661 (comment)