warehouse: WebAuthn failing in Chrome for incompatible versions & on modal fail/cancellation

@webknjaz reported:

@brainwane I’ve tried that on Test PyPI.

So I have a TOTP set up. I clicked on Add 2FA with security key. It prompted me to enter a Key name which I did (Yubikey Neo).

STR

After that, clicking Provision key does nothing visually. So I’ve opened DevTools. I can see a successful GET request to https://test.pypi.org/manage/account/webauthn-provision/options with some JSON payload in the response. It looks legit, contains my user data and a challenge. After clicking more times on that button, each of them produces an exception being logged to the JS console. The same happens on prod PyPI, in incognito mode, with browser extensions disabled.

Runtime

Google Chrome Version 69.0.3497.81 (Official Build) (64-bit) running Gentoo Linux

Trace
[8] bind-modal-keys.js:43 Uncaught (in promise) DOMException: A request is already pending.
r @ bind-modal-keys.js:43
(anonymous) @ bind-modal-keys.js:43
Promise.then (async)
r @ bind-modal-keys.js:43
(anonymous) @ bind-modal-keys.js:43
Promise.then (async)
r @ bind-modal-keys.js:43
(anonymous) @ bind-modal-keys.js:43
Promise.then (async)
r @ bind-modal-keys.js:43
(anonymous) @ bind-modal-keys.js:43
(anonymous) @ bind-modal-keys.js:43
(anonymous) @ webauthn.js:179
(anonymous) @ webauthn.js:23
r @ runtime.js:55
(anonymous) @ runtime.js:293
t.(anonymous function) @ runtime.js:107
r @ bind-modal-keys.js:43
(anonymous) @ bind-modal-keys.js:43
(anonymous) @ bind-modal-keys.js:43
d @ raven.js:445
[2] bind-modal-keys.js:43 Uncaught (in promise) DOMException: The operation either timed out or was not allowed. See: https://w3c.github.io/webauthn/#sec-assertion-privacy.
r @ bind-modal-keys.js:43
(anonymous) @ bind-modal-keys.js:43
Promise.then (async)
r @ bind-modal-keys.js:43
(anonymous) @ bind-modal-keys.js:43
Promise.then (async)
r @ bind-modal-keys.js:43
(anonymous) @ bind-modal-keys.js:43
Promise.then (async)
r @ bind-modal-keys.js:43
(anonymous) @ bind-modal-keys.js:43
(anonymous) @ bind-modal-keys.js:43
(anonymous) @ webauthn.js:179
(anonymous) @ webauthn.js:23
r @ runtime.js:55
(anonymous) @ runtime.js:293
t.(anonymous function) @ runtime.js:107
r @ bind-modal-keys.js:43
(anonymous) @ bind-modal-keys.js:43
(anonymous) @ bind-modal-keys.js:43
d @ raven.js:445

_Originally posted by @webknjaz in https://github.com/pypa/warehouse/issues/5661#issuecomment-503486463_

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 40 (40 by maintainers)

Most upvoted comments

Just confirmed that it works on Chrom(e|ium) 75 (Ubuntu 18.04).

Chrome 67 was released in May 2018 and WebAuthn Level 1 wasn’t formally released until March of this year, so it’s entirely possible that we’re seeing either the effects of a spec change or just a buggy early implementation. Perusing through the chromium issue tracker, I think the latter is a safe bet.

Either way, it’d be interesting to see what exactly is failing. @webknjaz, would you be able to run a local deployment and insert some catches + logging?

There was a stable release of Chrome 72 in Jan 2019. If someone wants to, they can investigate to see if this information is available on Google’s Chrome Releases blog:

https://chromereleases.googleblog.com/2019/01/
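
The repeated-click rejections in the report and the "catches + logging" requested in the thread, sketched as an added example that is not part of the thread or Warehouse's code. `makeProvisioner`, `createCredential` and `log` are hypothetical names; the WebAuthn call is injected so the wrapper also runs outside a browser.

```javascript
// Added example: guard a WebAuthn provisioning call against repeated clicks
// and surface rejections instead of leaving them uncaught.
// Hypothetical names throughout (assumption, not Warehouse's API).
// In a browser, pass:
//   (opts) => navigator.credentials.create({ publicKey: opts })
function makeProvisioner(createCredential, log) {
  let inFlight = false; // true while a ceremony is waiting on the authenticator

  return async function provision(options) {
    // Old or incompatible browsers: no usable API to call at all.
    if (typeof createCredential !== "function") {
      log({ event: "webauthn-unsupported" });
      return { status: "unsupported" };
    }
    // A second click while the first request is open would only produce
    // another rejection, so refuse it here.
    if (inFlight) {
      log({ event: "webauthn-duplicate-click" });
      return { status: "pending" };
    }
    inFlight = true;
    try {
      const credential = await createCredential(options);
      return { status: "ok", credential };
    } catch (err) {
      // DOMException carries a `name` and a browser-specific `message`;
      // record both so failures on older browsers can be told apart.
      const detail = {
        event: "webauthn-error",
        name: err && err.name ? err.name : "UnknownError",
        message: err && err.message ? err.message : String(err),
      };
      log(detail);
      return { status: "error", name: detail.name, message: detail.message };
    } finally {
      inFlight = false; // allow a retry after success, failure or cancel
    }
  };
}
```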