Prevent security failure due to bad APP_ID #18678
WebAuthn may cause a security exception if the provided APP_ID is not allowed for the current origin. Therefore we should reattempt authentication without the appid extension. Also we should allow [u2f] as well as [U2F] sections. Signed-off-by: Andrew Thornton <[email protected]>
This PR fixes the first authentication failure problem when setting up 2FA. But it still has not resolved the problem of migrated U2F keys being invalid. Of course I think that could be another PR.
Codecov Report
@@            Coverage Diff             @@
##             main   #18678      +/-   ##
==========================================
- Coverage   46.64%   46.63%   -0.01%
==========================================
  Files         846      846
  Lines      121331   121367      +36
==========================================
+ Hits        56595    56605      +10
- Misses      57859    57888      +29
+ Partials     6877     6874       -3
Continue to review full report at Codecov.
Backport go-gitea#18678 WebAuthn may cause a security exception if the provided APP_ID is not allowed for the current origin. Therefore we should reattempt authentication without the appid extension. Also we should allow [u2f] as well as [U2F] sections. Signed-off-by: Andrew Thornton <[email protected]> Co-authored-by: Lunny Xiao <[email protected]>
* giteaofficial/main:
  Prevent security failure due to bad APP_ID (go-gitea#18678)
  [skip ci] Updated translations via Crowdin
  Let `MinUnitAccessMode` return correct perm (go-gitea#18675)
  Simplify Boost/Pause logic (go-gitea#18673)
  update the comparison documents (go-gitea#18669)
  Restart zero worker if there is still work to do (go-gitea#18658)
      verifyAssertion(credential);
    }).catch((err) => {
      webAuthnError('general', err.message);
    });
This kind of screams to be refactored using await 😉
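The retry described in the PR description, written with async/await as the reviewer suggests. This is an added example, not Gitea's code: `getCredential` is a stand-in for `navigator.credentials.get` so the logic runs outside a browser, and `publicKey`, `appId` and the constructed credential values are assumptions.

```javascript
// Added example (not Gitea's code): retry a WebAuthn assertion without the
// `appid` extension when the browser rejects the configured APP_ID for this
// origin. `getCredential` stands in for navigator.credentials.get so the
// logic can run outside a browser; `publicKey` is an assumed options object.

// Only a SecurityError (the appid is not related to the current origin) should
// trigger the fallback; any other failure, such as the user cancelling
// (NotAllowedError), is surfaced unchanged so it is not silently masked.
function isAppIdSecurityError(err) {
  return Boolean(err) && err.name === 'SecurityError';
}

async function getAssertionWithAppIdFallback(getCredential, publicKey, appId) {
  const withAppId = {
    ...publicKey,
    extensions: {...(publicKey.extensions || {}), appid: appId},
  };
  try {
    // First attempt: include the legacy U2F AppID so migrated U2F keys still work.
    return {credential: await getCredential({publicKey: withAppId}), usedAppId: true};
  } catch (err) {
    if (!isAppIdSecurityError(err)) throw err;
    // The browser refused the APP_ID for this origin: retry as plain WebAuthn.
    const {appid: _ignored, ...otherExtensions} = withAppId.extensions;
    const withoutAppId = {...publicKey, extensions: otherExtensions};
    return {credential: await getCredential({publicKey: withoutAppId}), usedAppId: false};
  }
}

// Constructed stand-in for navigator.credentials.get: rejects any request that
// carries an appid extension with a SecurityError, as a browser does when the
// APP_ID is not allowed for the current origin, and records each request.
function makeFakeGet(calls) {
  return async ({publicKey}) => {
    calls.push(publicKey);
    if (publicKey.extensions && publicKey.extensions.appid) {
      const e = new Error('appid is not allowed for this origin');
      e.name = 'SecurityError';
      throw e;
    }
    return {id: 'constructed-credential-id', type: 'public-key'};
  };
}
```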