U2F doesn't work on Chrome 74 #3246

Closed
opened 2025-11-02 05:05:17 -06:00 by GiteaMirror · 22 comments

Originally created by @arren-ru on GitHub (Apr 25, 2019).

  • Gitea version (or commit ref): 1.8.0
  • Git version: 2.21.0
  • Operating system: Archlinux
  • Database (use [x]):
    • [x] PostgreSQL
    • [ ] MySQL
    • [ ] MSSQL
    • [ ] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [x] Yes
    • [ ] No
    • [ ] Not relevant
  • Log gist:

Description

U2F does not work on login, but registration works well.
Client is Chrome on MacOS.

Screenshots

Screen Shot 2019-04-25 at 1 10 07 PM
GiteaMirror added the type/bug label 2025-11-02 05:05:17 -06:00

@lafriks commented on GitHub (Apr 25, 2019):

Works for me on chrome and macos with yubikey 5 at least (on try.gitea.io)


@lunny commented on GitHub (Apr 25, 2019):

Also works for me Chrome / macOS on https://gitea.com


@arren-ru commented on GitHub (Apr 25, 2019):

Ok, but what may have happened with U2F for me? I tried to log in with U2F on GitHub and several other services, all fine with Yubikey, but not on try.gitea and my own hosted one.
Any ideas?


@lafriks commented on GitHub (Apr 25, 2019):

Do you get any errors on developer tools console or network log?


@arren-ru commented on GitHub (Apr 25, 2019):

Networks got all 200s, console is clean, no errors.
I have checked browser U2F capabilities here: https://demo.yubico.com/webauthn-technical/registration
All fine.


@techknowlogick commented on GitHub (Apr 25, 2019):

@arren-ru are you using HTTPS?


@arren-ru commented on GitHub (Apr 26, 2019):

@techknowlogick

> @arren-ru are you using HTTPS?

Sure, otherwise U2F registration shouldn't work either


@nougad commented on GitHub (Apr 28, 2019):

I get the same now - worked before. Strange thing is when I try to register a new key I get:

> Could not read your security key.
> Please make sure to use the correct, encrypted (https://) URL.

But my page is correctly served from https. The TLS connection is terminated in nginx in front of gogs. nginx config:

```
proxy_set_header Host            $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP       $remote_addr;
proxy_set_header X-Scheme        $scheme;
```

@arren-ru commented on GitHub (Apr 29, 2019):

> I get the same now - worked before. Strange thing is when I try to register a new key I get:
>
> > Could not read your security key.
> > Please make sure to use the correct, encrypted (https://) URL.
>
> But my page is correctly served from https. The TLS connection is terminated in nginx in front of gogs. nginx config:
>
> ```
> proxy_set_header Host            $host;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Real-IP       $remote_addr;
> proxy_set_header X-Scheme        $scheme;
> ```

Same config in my front nginx


@ashimokawa commented on GitHub (Apr 30, 2019):

Indeed strange, it does work on codeberg.org running gitea 1.8.0 - using haproxy as TLS terminator.


@tombrk commented on GitHub (May 1, 2019):

For me it broke when I updated Chrome to version 74. Downgrading to 73 solves the problem. I can reproduce this on both Linux (Ubuntu 18.04, Chromium) and OSX (Mojave, Chrome).
Firefox works on both platforms


@nougad commented on GitHub (May 1, 2019):

I can confirm. Chromium 74 does not work (ArchLinux). Firefox 66 (ArchLinux) works.

Chrome 73 (Fedora) works, Chrome 74 (Fedora) does not work


@nephatrine commented on GitHub (May 1, 2019):

Looks like I'm in the same boat. I updated to 74 and can no longer log in with my key in Gitea but can seemingly everywhere else. Anyone figured out what might have changed in that update that broke things?


@tombrk commented on GitHub (May 1, 2019):

> Looks like I'm in the same boat. I updated to 74 and can no longer log in with my key in Gitea but can seemingly everywhere else. Anyone figured out what might have changed in that update that broke things?

According to the changelog of Chromium, they did not touch u2f, although I am not totally sure as I did not review every single commit.
But as literally every other application I use still works, maybe we should look into the specifics of gitea's u2f implementation? Are we doing any uncommon things?


@nougad commented on GitHub (May 1, 2019):

I had a look at the JS and found `u2fApi.register` fails with `{"type":"TIMEOUT","code":5}`

u2f protocol:

```
{"data":{"type":"u2f_get_api_version_response","requestId":2,"responseData":{"js_api_version":1.1}}}

{
    "type": "u2f_register_request",
    "appId": "https://**MYDOMAIN**",
    "registerRequests": [
        {
            "version": "U2F_V2",
            "challenge": "**SCRUBBED**"
        }
    ],
    "registeredKeys": [
        {
            "version": "U2F_V2",
            "keyHandle": "",
            "appId": "https://**MYDOMAIN**"
        },
        {
            "version": "U2F_V2",
            "keyHandle": "**SCRUBBED**",
            "appId": "https://**MYDOMAIN**"
        }
    ],
    "timeoutSeconds": 30,
    "requestId": 5
}

{"data":{"type":"u2f_register_response","requestId":5,"responseData":{"errorCode":5}}}
```

NOTE: I have already a key registered and trying to register a second one.
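
As an added example (not part of the original thread and not Gitea's code), the following JavaScript runs structural checks on a captured U2F exchange like the one above and names the returned error code. The domain `example.test`, the challenge and the key handle are constructed placeholders for the scrubbed values; the thread does not establish which finding, if any, explains the Chrome 74 failure.

```javascript
// Added example: sanity checks on a captured U2F JS API exchange.
// Error codes as defined by the FIDO U2F JavaScript API (index = code).
const U2F_ERRORS = ['OK', 'OTHER_ERROR', 'BAD_REQUEST',
  'CONFIGURATION_UNSUPPORTED', 'DEVICE_INELIGIBLE', 'TIMEOUT'];
const WEBSAFE_B64 = /^[A-Za-z0-9_-]+$/;

// Return a list of structural findings for a register or sign request.
function checkRequest(req) {
  const findings = [];
  let appUrl = null;
  try { appUrl = new URL(req.appId); } catch (e) { findings.push('appId is not a URL'); }
  if (appUrl && appUrl.protocol !== 'https:') findings.push('appId is not https');
  (req.registeredKeys || []).forEach((key, i) => {
    const where = `registeredKeys[${i}]`;
    if (key.version !== 'U2F_V2') findings.push(`${where}: unexpected version`);
    if (!key.keyHandle) findings.push(`${where}: empty keyHandle`);
    else if (!WEBSAFE_B64.test(key.keyHandle)) findings.push(`${where}: keyHandle not websafe base64`);
    if (key.appId && key.appId !== req.appId) findings.push(`${where}: appId differs from request`);
  });
  return findings;
}

// Pair a response with its request and name the error code.
function explainResponse(res, req) {
  const code = (res.responseData || {}).errorCode || 0;
  return {
    matchesRequest: res.requestId === req.requestId,
    error: U2F_ERRORS[code] || `UNKNOWN(${code})`,
  };
}

// Constructed sample mirroring the capture above (placeholder values).
const sampleRequest = {
  type: 'u2f_register_request',
  appId: 'https://example.test',
  registerRequests: [{ version: 'U2F_V2', challenge: 'Q09OU1RSVUNURUQ' }],
  registeredKeys: [
    { version: 'U2F_V2', keyHandle: '', appId: 'https://example.test' },
    { version: 'U2F_V2', keyHandle: 'a2V5LWhhbmRsZQ', appId: 'https://example.test' },
  ],
  timeoutSeconds: 30,
  requestId: 5,
};
const sampleResponse = { type: 'u2f_register_response', requestId: 5, responseData: { errorCode: 5 } };

console.log(checkRequest(sampleRequest));
console.log(explainResponse(sampleResponse, sampleRequest));
```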


@lunny commented on GitHub (May 6, 2019):

Please confirm you are not visiting `http://localhost:3000`; `localhost` or `http` will not work for U2F.


@tombrk commented on GitHub (May 6, 2019):

No, I am visiting https://gitea.fqdn:80. TLS Termination is done by nginx. Works on Chrome 73, Firefox, but not on Chrome 74


@epyonavenger commented on GitHub (May 6, 2019):

Also chiming in that it has stopped working for me on Chrome 74, MacOS, Windows, and Linux. Firefox appears to work fine. In my case, I'm running Gitea on a UNIX socket, and then having NGINX do the SSL work.


@lunny commented on GitHub (May 6, 2019):

Oh, I'm in Chrome 73, MacOS. So that's a change between Chrome 73 and 74?


@epyonavenger commented on GitHub (May 6, 2019):

> Oh, I'm in Chrome 73, MacOS. So that's a change between Chrome 73 and 74?

Seems like it? I upgraded Gitea on the same day, so I was suspicious, but there's enough other people reporting the issue on Chrome 74 that it seems like it must at least be related. >:T


@tombrk commented on GitHub (May 6, 2019):

No, it depends on the Chrome version. We just do not know why


@isering commented on GitHub (May 7, 2019):

Same here. U2F works on Firefox as well as Android Chrome, but not on Desktop Chrome 74. Although I can't confirm that it worked before, since I am trying to enroll U2F for the first time right now. Also running Gitea on a unix socket behind an Nginx proxy. I'd be happy to help with testing if somebody gives me directions.

Reference: github-starred/gitea#3246