gitea: Cannot register U2F key

  • Gitea version (or commit ref): 1.11.0
  • Git version: 2.20.1
  • Operating system: Debian GNU/Linux 9 (stretch)
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant

Description

Trying to register a Yubikey Touch U2F Security Key (1050:0120) to my account with Firefox 72.0.2. There’s a Firefox popup telling me that my Gitea instance “wants to register an account with one of your security keys”, and the blue light goes on. Gitea also shows the “Add Security Key” dialog.

However, when touching the key, only the Firefox popup vanishes, but the Gitea dialog stays open (until a timeout occurs later).

The log shows:

2020/02/11 09:23:12 .../xorm/session_raw.go:78:queryRows() [I] [SQL] SELECT `id`, `lower_name`, `name`, `full_name`, `email`, `keep_email_private`, `email_notifications_preference`, `passwd`, `passwd_hash_algo`, `must_change_password`, `login_type`, `login_source`, `login_name`, `type`, `location`, `website`, `rands`, `salt`, `language`, `description`, `created_unix`, `updated_unix`, `last_login_unix`, `last_repo_visibility`, `max_repo_creation`, `is_active`, `is_admin`, `allow_git_hook`, `allow_import_local`, `allow_create_organization`, `prohibit_login`, `avatar`, `avatar_email`, `use_custom_avatar`, `num_followers`, `num_following`, `num_stars`, `num_repos`, `num_teams`, `num_members`, `visibility`, `repo_admin_change_team_access`, `diff_view_style`, `theme` FROM `user` WHERE `id`=? LIMIT 1 []interface {}{1} - took: 837.2µs
2020/02/11 09:23:12 ...s/context/context.go:330:func1() [D] Session ID: xxxxxxxxxxxxxxxx
2020/02/11 09:23:12 ...s/context/context.go:331:func1() [D] CSRF Token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2020/02/11 09:23:12 .../xorm/session_raw.go:78:queryRows() [I] [SQL] SELECT count(*) FROM `notification` WHERE (user_id = ?) AND (status = ?) []interface {}{1, 0x1} - took: 247.142µs
2020/02/11 09:23:12 ...ting/security_u2f.go:70:U2FRegisterPost() [E] u2f.Register: u2f: untrusted facet id
2020/02/11 09:23:12 ...s/context/context.go:139:HTML() [D] Template: status/500

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 16 (8 by maintainers)

Most upvoted comments

Seems it has something to do with the fact I am running Gitea on a sub-path.

Configuring

[U2F]
APP_ID = https://my.domain.tld
TRUSTED_FACETS = https://my.domain.tld

(both needed) fixes the issue for me.

I think the current defaults are not correct.

+5
thmo on Feb 11, 2020

For the record. I’m also hosting Gitea on a sub-path.

My Solokey works fine after adding the same kind of config as @thmo

+3
lpapier on Feb 13, 2020

We should be able to define a subpath in app_id (https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-appid-and-facets.html).

...
If the caller's FacetID is an https:// Origin sharing the same host as the AppID, (e.g. if an application hosted at https://fido.example.com/myApp set an AppID of https://fido.example.com/myAppId), no additional processing is necessary and the operation may proceed. This algorithm may be continued asynchronously for purposes of caching the Trusted Facet List, if desired.
...

Also saw this, so maybe it’s a bug in the u2f library then? It compares against origin: https://github.com/tstranex/u2f/blob/d21a03e0b1d9fc1df59ff54e7a513655c1748b0c/util.go#L107-L116

+2
thmo on Feb 12, 2020
Read more comments on GitHub
← gitea: Cannot push to repositories
gitea: Cannot run Gitea web on new versions on Raspbian stretch →