
Add support for FIDO U2F #3971

Merged
merged 19 commits into from
May 19, 2018

Conversation

jonasfranz
Member

@jonasfranz jonasfranz commented May 15, 2018

Fixes #1024

Adds support for FIDO U2F as an addition to Two-Factor Authentication by Phone. Currently it only works with Chrome, but I am trying to support Firefox and Android too.

Requirements

  • FIDO U2F certified key
  • Access via https

Video example

gitea fido u2f demo

TODO

  • Improve error handling
  • Android (Chrome) support
  • iOS support (Hardware required) (no software support by iOS currently)
  • Firefox support auth
  • Firefox support register
  • Expiration timer
  • Redirect / Check for https
  • Add tests (lots of tests)

iOS

I cannot test iOS at the moment because my security key does not support Bluetooth LE. If you want to provide me a BLE key, please contact me via Discord. Thanks to @techknowlogick for sponsoring a Bluetooth LE key.

Signed-off-by: Jonas Franz <info@jonasfranz.software>
Add missing translations

Signed-off-by: Jonas Franz <info@jonasfranz.software>
@techknowlogick techknowlogick added the type/feature Completely new functionality. Can only be merged if feature freeze is not active. label May 15, 2018
Signed-off-by: Jonas Franz <info@jonasfranz.software>
@codecov-io

codecov-io commented May 15, 2018

Codecov Report

Merging #3971 into master will decrease coverage by 0.01%.
The diff coverage is 15.81%.


@@            Coverage Diff             @@
##           master    #3971      +/-   ##
==========================================
- Coverage   20.08%   20.06%   -0.02%     
==========================================
  Files         151      153       +2     
  Lines       29874    30122     +248     
==========================================
+ Hits         6000     6044      +44     
- Misses      22968    23168     +200     
- Partials      906      910       +4
Impacted Files                          Coverage Δ
routers/user/auth.go                    0% <0%> (ø) ⬆️
routers/user/setting/security.go        0% <0%> (ø) ⬆️
routers/user/setting/security_u2f.go    0% <0%> (ø)
models/models.go                        29.18% <100%> (+0.3%) ⬆️
models/error.go                         20.22% <60%> (+0.56%) ⬆️
models/u2f.go                           63.15% <63.15%> (ø)
models/unit_tests.go                    72.56% <0%> (+3.53%) ⬆️

Continue to review full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f933bcd...378b921. Read the comment docs.

@bkcsoft bkcsoft added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label May 15, 2018
@jonasfranz
Member Author

Test instance: https://try.h.jonasfranz.software/

… JS library

Add U2F error handling

Signed-off-by: Jonas Franz <info@jonasfranz.software>
@lunny lunny added this to the 1.x.x milestone May 16, 2018
Signed-off-by: Jonas Franz <info@jonasfranz.software>
# Conflicts:
#	routers/user/setting.go
Signed-off-by: Jonas Franz <info@jonasfranz.software>
Renamed u2f table name

Signed-off-by: Jonas Franz <info@jonasfranz.software>
Signed-off-by: Jonas Franz <info@jonasfranz.software>
@lafriks lafriks modified the milestones: 1.x.x, 1.5.0 May 17, 2018
@lafriks lafriks added the type/changelog Adds the changelog for a new Gitea version label May 17, 2018
@techknowlogick
Member

Firefox support above is checked off; however, I'm using FF 60.0 (64-bit) on macOS 10.13.4 and I receive the following message:
(screenshot: 2018-05-17 at 9:21:06 pm)

The key I'm using is: https://www.yubico.com/product/yubikey-neo/

Is FF support just FF Mobile?

(I see a similar message when trying to add this key to GitHub, so it is likely my browser just has issues with U2F)

@@ -570,6 +570,14 @@ MAX_RESPONSE_ITEMS = 50
LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR
NAMES = English,简体中文,繁體中文(香港),繁體中文(台灣),Deutsch,français,Nederlands,latviešu,русский,日本語,español,português do Brasil,polski,български,italiano,suomi,Türkçe,čeština,српски,svenska,한국어

[U2F]
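Review bot: the hunk header counts eight added lines but only the `[U2F]` section header is visible here, so the rest of the new section (its comments and the `APP_ID` key) should be checked in the full diff; the value that lands in app.ini.sample should equal the compiled-in default, and the new section needs a matching entry in the Config Cheatsheet docs so operators know that `APP_ID` must be an https origin.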
Member

Could you add a U2F section to the "Config Cheatsheet" page in the docs?


@jonasfranz
Member Author

jonasfranz commented May 18, 2018

@techknowlogick Did you enable U2F via about:config?
Firefox Mobile for Android does not work at the moment because Google Authenticator only supports Chrome Mobile and not Firefox. U2F is handled by Google Authenticator at the moment. If you enable U2F via about:config on Firefox Mobile, it does not work either.

Signed-off-by: Jonas Franz <info@jonasfranz.software>
@techknowlogick
Member

@JonasFranzDEV Ah yes. Thank you for pointing me in that direction. Seems FF has it disabled by default. Enabled it and it works flawlessly.

LGTM

@bkcsoft bkcsoft added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels May 18, 2018
[U2F]
; Two Factor authentication with security keys
; https://developers.yubico.com/U2F/App_ID.html
APP_ID = https://example.com
Member

app.ini.sample should contain values that are same as default
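The `[U2F]` `APP_ID` setting above, together with the "Access via https" requirement and the "Redirect / Check for https" TODO, is the configuration an operator has to get right. The following is an added example, not code from Gitea or from this PR: it reads `APP_ID` from ini-style text with a fallback default, validates that the App ID is an https origin, and checks that a browser-supplied Origin matches it. `DefaultAppID` is a constructed placeholder (not Gitea's real default), the ini parser is a deliberate simplification, and `OriginMatchesAppID` only handles an App ID that is itself the site origin; it does not resolve U2F trusted-facet lists.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// DefaultAppID is a constructed placeholder mirroring the shape of the
// app.ini.sample entry; it is NOT Gitea's compiled-in default.
const DefaultAppID = "https://example.com"

// U2FAppID returns the [U2F] APP_ID value from ini-style text, or
// DefaultAppID when the key is absent or empty. Assumption: a minimal
// ini dialect where comments start with ';' or '#' and sections are [name].
func U2FAppID(ini string) string {
	section := ""
	sc := bufio.NewScanner(strings.NewReader(ini))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == ';' || line[0] == '#' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.ToUpper(strings.Trim(line, "[]"))
			continue
		}
		if section != "U2F" {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if ok && strings.ToUpper(strings.TrimSpace(key)) == "APP_ID" {
			if val = strings.TrimSpace(val); val != "" {
				return val
			}
		}
	}
	return DefaultAppID
}

// ValidateAppID enforces the https requirement on the configured App ID:
// absolute https URL, non-empty host, no query string or fragment.
func ValidateAppID(appID string) error {
	u, err := url.Parse(appID)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return errors.New("U2F APP_ID must use https")
	}
	if u.Host == "" {
		return errors.New("U2F APP_ID must contain a host")
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return errors.New("U2F APP_ID must not carry a query or fragment")
	}
	return nil
}

// OriginMatchesAppID reports whether a browser Origin (scheme://host[:port])
// is the same https origin as the App ID. Simple-origin case only; no
// trusted-facet-list resolution.
func OriginMatchesAppID(origin, appID string) bool {
	o, err := url.Parse(origin)
	if err != nil {
		return false
	}
	a, err := url.Parse(appID)
	if err != nil {
		return false
	}
	return o.Scheme == "https" && o.Scheme == a.Scheme && strings.EqualFold(o.Host, a.Host)
}

func main() {
	// Constructed sample config, in the style of app.ini.sample.
	sample := "[server]\nPROTOCOL = https\n\n[U2F]\n; Two Factor authentication with security keys\nAPP_ID = https://git.example.org\n"
	appID := U2FAppID(sample)
	fmt.Println("APP_ID:", appID, "valid:", ValidateAppID(appID) == nil)
	fmt.Println("origin ok:", OriginMatchesAppID("https://git.example.org", appID))
	fmt.Println("http origin ok:", OriginMatchesAppID("http://git.example.org", appID))
}
```

An `http://` App ID fails `ValidateAppID`, and an `http://` Origin never matches even when the host is right, which is the server-side counterpart of the "Access via https" requirement listed in the PR description.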

@genofire genofire left a comment

Nice work - thank you
(Have some comments during reading)

u2fApi.ensureSupport()
  .then(function () {
    $.getJSON('/user/u2f/challenge').success(function(req) {
      console.log(req);


Still needed?

      if (req.registeredKeys === null) {
        req.registeredKeys = [];
      }
      console.log(req);


Still needed?

        $.ajax({
          url: '/user/u2f/sign',
          type: "POST",
          headers: {"X-Csrf-Token": csrf},


I would like X-CSRF-Token with correct camelCase.

Member Author

We use this in many other places in index.js, so I would propose to use the current solution.

      if (checkError(resp)) {
        return;
      }
      console.log(resp);


Still needed?

        $.ajax({
          url: '/user/settings/security/u2f/register',
          type: "POST",
          headers: {"X-Csrf-Token": csrf},


CamelCase

Signed-off-by: Jonas Franz <info@jonasfranz.software>
Add FIDO U2F to comparison

Signed-off-by: Jonas Franz <info@jonasfranz.software>
@lafriks
Member

lafriks commented May 19, 2018

I cannot really test this, but otherwise LGTM

@bkcsoft bkcsoft added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels May 19, 2018
@lafriks lafriks merged commit 951309f into go-gitea:master May 19, 2018
@jonasfranz jonasfranz deleted the u2f branch May 19, 2018 14:24
@webjoel
Contributor

webjoel commented May 21, 2018

The default locale (english) for text (settings:u2f_desc): "Security keys are hardware devices containing cryptograhic keys. They could be used for two factor authentication. The security key must support the FIDO U2F standard." is incorrect in word "cryptograhic", correct is "cryptographic".

@jonasfranz
Member Author

jonasfranz commented May 21, 2018 via email

@lafriks
Member

lafriks commented May 21, 2018

Somebody already fixed it

@TheAssassin

Can you tell when this feature will be released?

@jonasfranz
Member Author

We're trying to release 1.5 in the next days since we have only ~1-2 PRs which must be merged.

aswild added a commit to aswild/gitea that referenced this pull request Jul 6, 2018
* SECURITY
  * Limit uploaded avatar image-size to 4096x3072 by default (go-gitea#4353)
  * Do not allow to reuse TOTP passcode (go-gitea#3878)
* FEATURE
  * Add cli commands to regen hooks & keys (go-gitea#3979)
  * Add support for FIDO U2F (go-gitea#3971)
  * Added user language setting (go-gitea#3875)
  * LDAP Public SSH Keys synchronization (go-gitea#1844)
  * Add topic support (go-gitea#3711)
  * Multiple assignees (go-gitea#3705)
  * Add protected branch whitelists for merging (go-gitea#3689)
  * Global code search support (go-gitea#3664)
  * Add label descriptions (go-gitea#3662)
  * Add issue search via API (go-gitea#3612)
  * Add repository setting to enable/disable health checks (go-gitea#3607)
  * Emoji Autocomplete (go-gitea#3433)
  * Implements generator cli for secrets (go-gitea#3531)
* ENHANCEMENT
  * Add more webhooks support and refactor webhook templates directory (go-gitea#3929)
  * Add new option to allow only OAuth2/OpenID user registration (go-gitea#3910)
  * Add option to use paged LDAP search when synchronizing users (go-gitea#3895)
  * Symlink icons (go-gitea#1416)
  * Improve release page UI (go-gitea#3693)
  * Add admin dashboard option to run health checks (go-gitea#3606)
  * Add branch link in branch list (go-gitea#3576)
  * Reduce sql query times in retrieveFeeds (go-gitea#3547)
  * Option to enable or disable swagger endpoints (go-gitea#3502)
  * Add missing licenses (go-gitea#3497)
  * Reduce repo indexer disk usage (go-gitea#3452)
  * Enable caching on assets and avatars (go-gitea#3376)
  * Add repository search ordered by stars/forks. Forks column in admin repo list (go-gitea#3969)
  * Add Environment Variables to Docker template (go-gitea#4012)
  * LFS: make HTTP auth period configurable (go-gitea#4035)
  * Add config path as an optional flag when changing pass via CLI (go-gitea#4184)
  * Refactor User Settings sections (go-gitea#3900)
  * Allow square brackets in external issue patterns (go-gitea#3408)
  * Add Attachment API (go-gitea#3478)
  * Add EnableTimetracking option to app settings (go-gitea#3719)
  * Add config option to enable or disable log executed SQL (go-gitea#3726)
  * Shows total tracked time in issue and milestone list (go-gitea#3341)
* TRANSLATION
  * Improve English grammar and consistency (go-gitea#3614)
* DEPLOYMENT
  * Allow Gitea to run as different USER in Docker (go-gitea#3961)
  * Provide compressed release binaries (go-gitea#3991)
  * Sign release binaries (go-gitea#4188)
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
@delvh delvh removed the type/changelog Adds the changelog for a new Gitea version label Oct 7, 2023
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/feature Completely new functionality. Can only be merged if feature freeze is not active.
Development

Successfully merging this pull request may close these issues.

Support FIDO U2F over USB and NFC.
10 participants