Cannot register U2F key

[thmo]

• Gitea version (or commit ref): 1.11.0
• Git version: 2.20.1
• Operating system: Debian GNU/Linux 9 (stretch)
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant

Description

Trying to register a Yubikey Touch U2F Security Key (1050:0120) to my account with Firefox 72.0.2. There's a Firefox popup telling me that my Gitea instance "wants to register an account with one of your security keys", and the blue light goes on. Gitea also shows the "Add Security Key" dialog.

However, when touching the key, only the Firefox popup vanishes, but the Gitea dialog stays open (until a timeout occurs later).

The log shows:

2020/02/11 09:23:12 .../xorm/session_raw.go:78:queryRows() [I] [SQL] SELECT `id`, `lower_name`, `name`, `full_name`, `email`, `keep_email_private`, `email_notifications_preference`, `passwd`, `passwd_hash_algo`, `must_change_password`, `login_type`, `login_source`, `login_name`, `type`, `location`, `website`, `rands`, `salt`, `language`, `description`, `created_unix`, `updated_unix`, `last_login_unix`, `last_repo_visibility`, `max_repo_creation`, `is_active`, `is_admin`, `allow_git_hook`, `allow_import_local`, `allow_create_organization`, `prohibit_login`, `avatar`, `avatar_email`, `use_custom_avatar`, `num_followers`, `num_following`, `num_stars`, `num_repos`, `num_teams`, `num_members`, `visibility`, `repo_admin_change_team_access`, `diff_view_style`, `theme` FROM `user` WHERE `id`=? LIMIT 1 []interface {}{1} - took: 837.2µs
2020/02/11 09:23:12 ...s/context/context.go:330:func1() [D] Session ID: xxxxxxxxxxxxxxxx
2020/02/11 09:23:12 ...s/context/context.go:331:func1() [D] CSRF Token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2020/02/11 09:23:12 .../xorm/session_raw.go:78:queryRows() [I] [SQL] SELECT count(*) FROM `notification` WHERE (user_id = ?) AND (status = ?) []interface {}{1, 0x1} - took: 247.142µs
2020/02/11 09:23:12 ...ting/security_u2f.go:70:U2FRegisterPost() [E] u2f.Register: u2f: untrusted facet id
2020/02/11 09:23:12 ...s/context/context.go:139:HTML() [D] Template: status/500

[sapk]

Does gitea is accessible via https:// page ? and have you security.webauth.u2f set to true in about:config page ?

[thmo]

Does gitea is accessible via https:// page ?

Yes.

and have you security.webauth.u2f set to true in about:config page ?

Yes. I am using the very same key on a bunch of other sites, for example right here on GH.

[sapk]

Might be similar to #5143
There seems to have an issue with some user (we couldn't figure the exact conditions) with the legacy U2F api.
There is works to implement the new WebAuthN api #9451 but it is not yet ready.
Have you try to setup on try.gitea.io to check that it doesn't work ? (it might help discover what is the root cause)

[thmo]

Hmm, with try.gitea.io it seems to work.

[thmo]

FWIW, with Chrome it also fails directly with "Could not read your security key." (against our custom Gitea instance).

[sapk]

Can you check the value of ROOT_URL in your config file ?

[sapk]

Have a look at #10113 (comment) to check it.

[thmo]

The ROOT_URL is correct afaict (https://my.domain.tld/gitea/). The corresponding nginx config snippet looks like this:

location /gitea/ {
  proxy_pass http://localhost:3000/;
}

Looking at the Firefox Console, I can see successful (i.e. status 200) POSTs to request_register followed by failing (i.e. status 500) POSTs to register.

[thmo]

Seems it has something to do with the fact I am running Gitea on a sub-path.

Configuring

[U2F]
APP_ID = https://my.domain.tld
TRUSTED_FACETS = https://my.domain.tld

(both needed) fixes the issue for me.

I think the current defaults are not correct.