nune/gitea
nune/gitea
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Prevent security failure due to bad APP_ID (#18678) (#18682)

Browse source 
Backport #18678

WebAuthn may cause a security exception if the provided APP_ID is not allowed for the
current origin. Therefore we should reattempt authentication without the appid
extension.

Also we should allow [u2f] as-well as [U2F] sections.

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
This commit is contained in:
zeripath 2022-02-10 15:17:44 +00:00 committed by GitHub
parent ce69882180
commit 2e317d3f6e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

13
web_src/js/features/user-auth-webauthn.js
View file

@ -24,6 +24,19 @@ export function initUserAuthWebAuthn() {
.then((credential) => {
verifyAssertion(credential);
}).catch((err) => {
// Try again... without the appid
if (makeAssertionOptions.publicKey.extensions && makeAssertionOptions.publicKey.extensions.appid) {
delete makeAssertionOptions.publicKey.extensions['appid'];
navigator.credentials.get({
publicKey: makeAssertionOptions.publicKey
})
.then((credential) => {
verifyAssertion(credential);
}).catch((err) => {
webAuthnError('general', err.message);
});
return;
}
webAuthnError('general', err.message);
});
}).fail(() => {